Attached you'll find a patch to user.module's user.js. It enhances the Drupal.evaluatePasswordStrength function by allowing it to check for repeating classes of characters.

http://www-128.ibm.com/developerworks/lotus/library/ls-password_quality/

This link suggests against repeating characters. I can't quite think of an efficient way of doing this in JavaScript, but we can check for classes (e.g. "abc", "123", "asdf") and increment the weaknesses variable accordingly.

The attached patch is for the latest 7.x release of Drupal, but a similar approach could be applied to the 6.x branch.

CommentFileSizeAuthor
#5 user.js_.drupal7.patch446 bytesBrad Beattie
#3 user.js_.patch1.15 KBBrad Beattie
password.patch275 bytesBrad Beattie

Comments

Status: Needs review » Needs work

The last submitted patch failed testing.

Brad Beattie’s picture

Brad Beattie commented
Status: Needs work » Needs review
Brad Beattie’s picture

Brad Beattie commented
StatusFileSize
new user.js.patch1.15 KB

Attached patch as generated by cvs diff, as per http://drupal.org/patch/create

Status: Needs review » Needs work

The last submitted patch failed testing.

Brad Beattie’s picture

Brad Beattie commented
StatusFileSize
new user.js_.drupal7.patch446 bytes

Trying this again, but from the root CVS directory.

Brad Beattie’s picture

Brad Beattie commented
Status: Needs work » Needs review
dries’s picture

dries commented
Status: Needs review » Needs work

Please add code comments explaining how this patch works. Thanks.

Brad Beattie’s picture

Brad Beattie commented
Status: Needs work » Needs review

user.js has a series of tests it performs (via regular expressions) to determine password strength.

  • The first tests for lower case characters (/[a-z]+/)
  • The second tests for upper case characters (/[A-Z]+/)
  • The third tests for numeric digits (/[0-9]+/)
  • The fourth tests for punctuation or symbols (/[^a-zA-Z0-9]+/)

We'd like to ensure strong passwords, part of which suggests testing for dictionary words. While we can't test that efficiently via JavaScript, we can test for repeating character classes. As such, I propose a fifth test.

/[a-z]{3,}|[A-Z]{3,}|[0-9]{3,}|[^a-zA-Z0-9]{3,}/

This regular expression matches if it finds any grouping of character classes ("asdf", "123", etc) and reduces its score in the Drupal.evaluatePasswordStrength function.

FiReaNGeL’s picture

FiReaNGeL commented

I think what Dries wanted is comments in the actual code, not in the issue

catch’s picture

catch
he/him
Primary language English
commented
Status: Needs review » Needs work

Also, while rerolling, please roll the patch with cvs diff -up (unified diff format) - we're used to seeing -/+ rather than </>

Jooblay.net’s picture

Jooblay.net commented
Issue summary: View changes

What is the status of this ticket:) Can we close this...

frob’s picture

frob
Primary language English
commented

Leseen, I do not think so.

The patch needs to be rerolled with documentation.

diff -r1.9 user.js
>   var hasRecurring = password.match(/[a-z]{3,}|[A-Z]{3,}|[0-9]{3,}|[^a-zA-Z0-9]{3,}/);
  • The first tests for lower case characters (/[a-z]+/)
  • The second tests for upper case characters (/[A-Z]+/)
  • The third tests for numeric digits (/[0-9]+/)
  • The fourth tests for punctuation or symbols (/[^a-zA-Z0-9]+/)
diff -r1.9 user.js
>     case 5:

This should probably use some documentation as well. What is case 5:

Jooblay.net’s picture

Jooblay.net commented

Thanks for the update:)

mgifford’s picture

mgifford
he/him
Primary language English
commented
Version: 7.x-dev » 8.x-dev
Issue tags: +Security

This has to get into D8 first, right?

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Needs work » Closed (works as designed)

@Brad Beattie, Thank you for the idea and the patch.

The proposal doesn't met the Criteria for evaluating proposed changes. In this case, there is not demonstrated demand and support for the change.