Rework part of the "good password" checking algorithm

Require that a good password contain a sequence of unique characters (not repeating, incrementing, or decrementing in ASCII code value) of at least half the configured minimum password length. By default, the minimum password length is 4 chars, so this means a sequence of at least 2 unique characters is required. If the minimum password length is increased by the sysop, so is the minimum required unique sequence length. The "PasswordInvalid" text.dat string is printed when passwords are rejected by this criteria. Previously, the following would be rejected by this portion of the algo, this logic has been replaced by the above: - all chars the same (would print the "PasswordInvalid" text.dat string) - first 4 chars are incrementing ("PasswordObvious" string printed) - first 4 chars are decrementing ("PasswordObvious" string printed) but now, a password that starts with "1234" or "abcd" is fine so long as it's longer than that and contains the minimum unique sequence length. This will prevent SBBS from rejecting high quality (e.g. randomly generated or crypto-hashed) passwords that just happen to begin with an incrementing sequence of 4 digits or alpha-characters.

Rework part of the "good password" checking algorithm
a81e6457 · Rob Swindell · e8aaecc6 · a81e6457
Commit a81e6457 authored 1 month ago by Rob Swindell
--- a/src/sbbs3/str.cpp
+++ b/src/sbbs3/str.cpp
@@ -849,14 +849,14 @@ bool sbbs_t::inputnstime(time_t *dt)
 bool sbbs_t::chkpass(char *passwd, user_t* user, bool unique)
 {
 	char first[128], last[128], sysop[41], sysname[41], *p;
-	int  c, d;
 	char alias[LEN_ALIAS + 1], name[LEN_NAME + 1], handle[LEN_HANDLE + 1];
 	char pass[LEN_PASS + 1];

 	SAFECOPY(pass, passwd);
 	strupr(pass);

-	if (strlen(pass) < cfg.min_pwlen) {
+	int len = strlen(pass);
+	if (len < cfg.min_pwlen || len < MIN_PASS_LEN) {
 		bputs(text[PasswordTooShort]);
 		return false;
 	}
@@ -864,26 +864,17 @@ bool sbbs_t::chkpass(char *passwd, user_t* user, bool unique)
 		bputs(text[PasswordNotChanged]);
 		return false;
 	}
-	d = strlen(pass);
-	for (c = 1; c < d; c++)
-		if (pass[c] != pass[c - 1])
-			break;
-	if (c == d) {
-		bputs(text[PasswordInvalid]);
-		return false;
-	}
-	for (c = 0; c < 3; c++)    /* check for 1234 and ABCD */
-		if (pass[c] != pass[c + 1] + 1)
-			break;
-	if (c == 3) {
-		bputs(text[PasswordObvious]);
-		return false;
+	int i;
+	int run = 0;
+	for (i = 0; i < (len - 1); ++i) {
+		if (abs(toupper(pass[i]) - toupper(pass[i + 1])) > 1) {
+			if (++run >= cfg.min_pwlen / 2)
+				break;
+		} else
+			run = 0;
 	}
-	for (c = 0; c < 3; c++)    /* check for 4321 and ZYXW */
-		if (pass[c] != pass[c + 1] - 1)
-			break;
-	if (c == 3) {
-		bputs(text[PasswordObvious]);
+	if (i >= (len - 1)) {
+		bputs(text[PasswordInvalid]);
 		return false;
 	}
 	SAFECOPY(name, user->name);