smeagol2009 Posted April 7, 2009

Struggling with this one. As part of achieving full PCI compliance we are required to implement a strong password policy that forces customers to choose a complex password when creating an account. I.e. must use @ - ! + UPPERCASE lowercase etc. etc. Does anyone know how I can achieve this? Any help welcomed. I have searched Google and these forums for hours btw :P Thanks
germ Posted April 7, 2009

I'll do a little coding for you. I just need to know all the requirements. Must use UPPER and lower case, I got that much. Just spell out clearly all the other requirements and I'll cook something up for you. ;)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there >
smeagol2009 (Author) Posted April 7, 2009

Hi Jim, That's so very kind of you :) It only needs to be basic, just to satisfy the auditor - perhaps just include a special character? Thanks very much :)
germ Posted April 8, 2009

At the top of /catalog/create_account.php AFTER this code:

    if (strlen($password) < ENTRY_PASSWORD_MIN_LENGTH) {
      $error = true;
      $messageStack->add('create_account', ENTRY_PASSWORD_ERROR);
    } elseif ($password != $confirmation) {
      $error = true;
      $messageStack->add('create_account', ENTRY_PASSWORD_ERROR_NOT_MATCHING);
    }

ADD this code:

    // bof extra password validation
    $number  = false; // digit 0 thru 9
    $upper   = false; // uppercase A thru Z
    $lower   = false; // lowercase a thru z
    $special = false; // anything not matching the above
    for ($i = 0; $i < strlen($password); $i++) {
      $char = substr($password, $i, 1);
      if (is_numeric($char)) {
        $number = true;
      } elseif (preg_match('/[A-Z]/', $char)) { // preg_match() instead of ereg(), which is deprecated in PHP 5.3 and gone in PHP 7
        $upper = true;
      } elseif (preg_match('/[a-z]/', $char)) {
        $lower = true;
      } else {
        $special = true;
      }
      if ($number && $upper && $lower && $special) {
        break; // every class seen, no need to scan the rest
      }
    }
    if (!($number && $upper && $lower && $special)) {
      $error = true;
      $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
    }
    // eof extra password validation

At the top of /catalog/account_password.php AFTER this code:

    if (strlen($password_current) < ENTRY_PASSWORD_MIN_LENGTH) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_CURRENT_ERROR);
    } elseif (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
    } elseif ($password_new != $password_confirmation) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
    }

ADD this code:

    // bof extra password validation
    $number  = false; // digit 0 thru 9
    $upper   = false; // uppercase A thru Z
    $lower   = false; // lowercase a thru z
    $special = false; // anything not matching the above
    for ($i = 0; $i < strlen($password_new); $i++) {
      $char = substr($password_new, $i, 1);
      if (is_numeric($char)) {
        $number = true;
      } elseif (preg_match('/[A-Z]/', $char)) { // preg_match() instead of the deprecated ereg()
        $upper = true;
      } elseif (preg_match('/[a-z]/', $char)) {
        $lower = true;
      } else {
        $special = true;
      }
      if ($number && $upper && $lower && $special) {
        break; // every class seen, no need to scan the rest
      }
    }
    if (!($number && $upper && $lower && $special)) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_INVALID);
    }
    // eof extra password validation

Then in /catalog/includes/languages/english.php ADD this:

    define('ENTRY_PASSWORD_INVALID', 'Your Password must contain an uppercase, lowercase, numeric digit, and a special character.');

(Customize to suit.)

This forces the password to contain at least one character from:

1. Digits 0 thru 9
2. Upper case letters A thru Z
3. Lower case letters a thru z
4. Any character NOT found in the 3 previous

BACKUP ALL FILES INVOLVED BEFORE MAKING ANY EDITS. I've tested this and it seems to work.
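The snippet above hard-codes all four character classes and answers only pass/fail, so the customer gets one generic message and the rule set cannot be trimmed (as the original poster wanted to do) without editing the loop. The following is an added example, not code from the thread or from osCommerce: a standalone policy check that takes the required classes as configuration, returns the list of unmet rules so the error message can name what is missing, and carries its own length floor rather than relying on the ENTRY_PASSWORD_MIN_LENGTH check that happens to run before it. The function name password_policy_failures and the policy keys min_length and require are my own choices, not osCommerce identifiers.

```php
<?php
// Added example (not from the thread or osCommerce): configurable password-policy
// check. Names below (password_policy_failures, 'min_length', 'require') are
// invented for this example.

/**
 * Check $password against a policy.
 *
 * @param string $password
 * @param array  $policy  keys: 'min_length' (int) and 'require' (list drawn from
 *                        'digit', 'upper', 'lower', 'special')
 * @return string[]  unmet rules, in policy order; empty array means it passes
 */
function password_policy_failures($password, array $policy)
{
    // One regular expression per character class. The /u modifier makes PCRE
    // treat the input as UTF-8 characters rather than bytes; on invalid UTF-8
    // preg_match() returns false, which counts as "class not found".
    $classes = array(
        'digit'   => '/[0-9]/u',
        'upper'   => '/[A-Z]/u',
        'lower'   => '/[a-z]/u',
        'special' => '/[^A-Za-z0-9]/u', // anything outside the three classes above
    );

    $failures = array();

    // Length floor, counted in characters when mbstring is available so that
    // multi-byte input is not over-counted.
    $minLength = isset($policy['min_length']) ? (int) $policy['min_length'] : 0;
    $length = function_exists('mb_strlen') ? mb_strlen($password, 'UTF-8') : strlen($password);
    if ($length < $minLength) {
        $failures[] = 'min_length';
    }

    $required = isset($policy['require']) ? $policy['require'] : array();
    foreach ($required as $rule) {
        if (!isset($classes[$rule])) {
            throw new InvalidArgumentException("unknown policy rule: $rule");
        }
        if (!preg_match($classes[$rule], $password)) {
            $failures[] = $rule;
        }
    }

    return $failures;
}

// Policy equivalent to the four-class rule in the post above, plus a length floor.
$strict = array(
    'min_length' => 8,
    'require'    => array('digit', 'upper', 'lower', 'special'),
);

// Reduced policy the original poster considered: only a special character.
$specialOnly = array(
    'min_length' => 8,
    'require'    => array('special'),
);

// Constructed sample inputs for the demonstration (not real customer passwords).
$samples = array('password', 'Password1', 'Pa55w0rd!', 'p@ssword', 'Sh0rt!');

foreach ($samples as $pw) {
    $strictResult  = implode(',', password_policy_failures($pw, $strict)) ?: 'ok';
    $specialResult = implode(',', password_policy_failures($pw, $specialOnly)) ?: 'ok';
    printf("%-10s strict: %-28s special-only: %s\n", $pw, $strictResult, $specialResult);
}
```

Wiring this into create_account.php would mean calling password_policy_failures($password, $policy) and, for each returned rule, adding a rule-specific message to $messageStack instead of the single ENTRY_PASSWORD_INVALID string. Because each class is tested with one preg_match over the whole string, the per-character loop and the early break of the original snippet are no longer needed, and the rule set lives in one array where an auditor can read it.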
smeagol2009 (Author) Posted April 8, 2009

Thank you so, so much Jim, your code works perfectly :) I also like the way you have written the code, I am able to make modifications, or rather reduce the requirements - I think I'll probably just make using a special character the requirement. I really appreciate you taking the time to help me out with this, let me know if there is anything I can do in return - I'm actually a graphic designer by trade :P Thanks again :)
This topic is now archived and is closed to further replies.