Skip to content
Snippets Groups Projects
Commit a81e6457 authored by Rob Swindell's avatar Rob Swindell :speech_balloon:
Browse files

Rework part of the "good password" checking algorithm

Require that a good password contain a sequence of unique characters
(not repeating, incrementing, or decrementing in ASCII code value) of at least
half the configured minimum password length. By default, the minimum password
length is 4 chars, so this means a sequence of at least 2 unique characters
is required. If the minimum password length is increased by the sysop, so is
the minimum required unique sequence length. The "PasswordInvalid" text.dat
string is printed when passwords are rejected by this criteria.

Previously, the following would be rejected by this portion of the algo,
this logic has been replaced by the above:
- all chars the same (would print the "PasswordInvalid" text.dat string)
- first 4 chars are incrementing ("PasswordObvious" string printed)
- first 4 chars are decrementing ("PasswordObvious" string printed)

but now, a password that starts with "1234" or "abcd" is fine so long as it's
longer than that and contains the minimum unique sequence length. This will
prevent SBBS from rejecting high quality (e.g. randomly generated or
crypto-hashed) passwords that just happen to begin with an incrementing
sequence of 4 digits or alpha-characters.
parent e8aaecc6
Branches
No related tags found
No related merge requests found
......@@ -849,14 +849,14 @@ bool sbbs_t::inputnstime(time_t *dt)
bool sbbs_t::chkpass(char *passwd, user_t* user, bool unique)
{
char first[128], last[128], sysop[41], sysname[41], *p;
int c, d;
char alias[LEN_ALIAS + 1], name[LEN_NAME + 1], handle[LEN_HANDLE + 1];
char pass[LEN_PASS + 1];
SAFECOPY(pass, passwd);
strupr(pass);
if (strlen(pass) < cfg.min_pwlen) {
int len = strlen(pass);
if (len < cfg.min_pwlen || len < MIN_PASS_LEN) {
bputs(text[PasswordTooShort]);
return false;
}
......@@ -864,26 +864,17 @@ bool sbbs_t::chkpass(char *passwd, user_t* user, bool unique)
bputs(text[PasswordNotChanged]);
return false;
}
d = strlen(pass);
for (c = 1; c < d; c++)
if (pass[c] != pass[c - 1])
break;
if (c == d) {
bputs(text[PasswordInvalid]);
return false;
}
for (c = 0; c < 3; c++) /* check for 1234 and ABCD */
if (pass[c] != pass[c + 1] + 1)
break;
if (c == 3) {
bputs(text[PasswordObvious]);
return false;
int i;
int run = 0;
for (i = 0; i < (len - 1); ++i) {
if (abs(toupper(pass[i]) - toupper(pass[i + 1])) > 1) {
if (++run >= cfg.min_pwlen / 2)
break;
} else
run = 0;
}
for (c = 0; c < 3; c++) /* check for 4321 and ZYXW */
if (pass[c] != pass[c + 1] - 1)
break;
if (c == 3) {
bputs(text[PasswordObvious]);
if (i >= (len - 1)) {
bputs(text[PasswordInvalid]);
return false;
}
SAFECOPY(name, user->name);
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment