
Force Strong Customer Password


smeagol2009


Struggling with this one: as part of achieving full PCI compliance we are required to implement a strong password policy that forces customers to choose a complex password when creating an account, i.e. it must use @ - ! + UPPERCASE lowercase etc. etc.

 

Does anyone know how I can achieve this? Any help welcomed.

 

I have searched google and these forums for hours btw :P

 

Thanks

Link to comment
Share on other sites

I'll do a little coding for you.

 

I just need to know all the requirements.

 

Must use UPPER and lower case, I got that much.

 

Just spell out clearly all the other requirements and I'll cook something up for you.

;)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Hi Jim,

 

That's so very kind of you :)

 

It only needs to be basic, just to satisfy the auditor - perhaps just include a special character?

 

Thanks very much :)


At the top of /catalog/create_account.php AFTER this code:

 

if (strlen($password) < ENTRY_PASSWORD_MIN_LENGTH) {
  $error = true;

  $messageStack->add('create_account', ENTRY_PASSWORD_ERROR);
} elseif ($password != $confirmation) {
  $error = true;

  $messageStack->add('create_account', ENTRY_PASSWORD_ERROR_NOT_MATCHING);
}

ADD this code:

 

// bof extra password validation

$number = false;  // digit 0 thru 9
$upper = false;   // uppercase A thru Z
$lower = false;   // lowercase a thru z
$special = false; // anything not matching the above

// Walk the password one character at a time and record which classes appear.
// preg_match() stands in for the original ereg() call, which was removed in PHP 7.
for ($i = 0; $i < strlen($password); $i++) {
  $char = substr($password, $i, 1);
  if (is_numeric($char)) {
    $number = true;
  } elseif (preg_match('/[A-Z]/', $char)) {
    $upper = true;
  } elseif (preg_match('/[a-z]/', $char)) {
    $lower = true;
  } else {
    $special = true;
  }
  // Stop early once all four classes have been seen.
  if ($number && $upper && $lower && $special) {
    break;
  }
}
if (!($number && $upper && $lower && $special)) {
  $error = true;

  $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
}

// eof extra password validation

At the top of /catalog/account_password.php AFTER this code:

 

if (strlen($password_current) < ENTRY_PASSWORD_MIN_LENGTH) {
  $error = true;

  $messageStack->add('account_password', ENTRY_PASSWORD_CURRENT_ERROR);
} elseif (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
  $error = true;

  $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
} elseif ($password_new != $password_confirmation) {
  $error = true;

  $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
}

ADD this code:

 

// bof extra password validation

$number = false;  // digit 0 thru 9
$upper = false;   // uppercase A thru Z
$lower = false;   // lowercase a thru z
$special = false; // anything not matching the above

// Same walk as in create_account.php, applied to the new password only.
// preg_match() stands in for the original ereg() call, which was removed in PHP 7.
for ($i = 0; $i < strlen($password_new); $i++) {
  $char = substr($password_new, $i, 1);
  if (is_numeric($char)) {
    $number = true;
  } elseif (preg_match('/[A-Z]/', $char)) {
    $upper = true;
  } elseif (preg_match('/[a-z]/', $char)) {
    $lower = true;
  } else {
    $special = true;
  }
  // Stop early once all four classes have been seen.
  if ($number && $upper && $lower && $special) {
    break;
  }
}
if (!($number && $upper && $lower && $special)) {
  $error = true;

  $messageStack->add('account_password', ENTRY_PASSWORD_INVALID);
}

// eof extra password validation

Then in /catalog/includes/languages/english.php ADD this:

 

define('ENTRY_PASSWORD_INVALID', 'Your Password must contain an uppercase, lowercase, numeric digit, and a special character.');

(Customize to suit).

 

This forces the password to contain at least one character from:

 

1. Digits 0 thru 9

2. Upper case letters A thru Z

3. Lower case letters a thru z

4. Any character NOT found in the 3 previous

 

BACKUP ALL FILES INVOLVED BEFORE MAKING ANY EDITS.

 

I've tested this and it seems to work.

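The check above hard-codes all four character classes in two copies of the same loop. As an added example (not code from the thread or from osCommerce), the following function puts the same classes behind a single configurable check that returns the list of unmet rules, so the caller can keep all four or, as the original poster planned, require only a special character. The function name `password_complexity_errors` and the `$required` array are assumptions of this example; the constants `ENTRY_PASSWORD_MIN_LENGTH` and `ENTRY_PASSWORD_INVALID` are the ones the thread already uses. The digit class uses `[0-9]` rather than `is_numeric()`, and the special class `[^A-Za-z0-9]` matches the "anything else" branch of the thread's loop (so each byte of a multibyte UTF-8 character counts as special, exactly as it does there).

```php
<?php
// Added example: configurable password complexity check for the validation
// point in create_account.php / account_password.php.  Not part of the
// original thread or of osCommerce; function name and $required keys are
// assumptions of this example.

/**
 * Return the unmet requirements for $password as an array of rule names
 * ('length', 'number', 'upper', 'lower', 'special'), or an empty array
 * when the password passes.  $required switches each character class on
 * or off, e.g. array('special' => true) demands only a special character.
 */
function password_complexity_errors($password, $min_length, array $required)
{
    // Character classes as PCRE patterns.  'special' is anything that is
    // not an ASCII letter or digit, mirroring the thread's else-branch.
    $classes = array(
        'number'  => '/[0-9]/',
        'upper'   => '/[A-Z]/',
        'lower'   => '/[a-z]/',
        'special' => '/[^A-Za-z0-9]/',
    );

    $errors = array();

    // Minimum length is checked here too so one call covers the whole policy.
    if (strlen($password) < $min_length) {
        $errors[] = 'length';
    }

    foreach ($classes as $name => $pattern) {
        if (!empty($required[$name]) && !preg_match($pattern, $password)) {
            $errors[] = $name;
        }
    }

    return $errors;
}

// Usage at the validation point in create_account.php (constants from the
// thread; the $required array is this example's assumption):
//
//   $missing = password_complexity_errors($password, ENTRY_PASSWORD_MIN_LENGTH,
//       array('number' => true, 'upper' => true, 'lower' => true, 'special' => true));
//   if (count($missing) > 0) {
//       $error = true;
//       $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
//   }

// Self-check on constructed sample passwords when run from the command line.
if (PHP_SAPI === 'cli') {
    $all_four     = array('number' => true, 'upper' => true, 'lower' => true, 'special' => true);
    $only_special = array('special' => true);

    // Constructed samples: password => expected unmet rules with min length 5.
    $samples = array(
        'Tr0ub4dor&3' => array(),                          // passes all four rules
        'troubador'   => array('number', 'upper', 'special'),
        'Ab1!'        => array('length'),                  // classes ok, too short
        'passw0rd!'   => array('upper'),
    );
    foreach ($samples as $pw => $expected) {
        $got = password_complexity_errors($pw, 5, $all_four);
        echo str_pad($pw, 14), json_encode($got), "\n";
        assert($got === $expected);
    }

    // Reduced policy: a special character is the only class required.
    assert(password_complexity_errors('troubador!', 5, $only_special) === array());
    assert(password_complexity_errors('troubador', 5, $only_special) === array('special'));
}
```

Because the function returns the names of the failed rules instead of a single boolean, the message added to `$messageStack` can tell the customer exactly which class is missing, and the same function serves both `create_account.php` and `account_password.php` without duplicating the loop.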

Thank you so, so much Jim, your code works perfectly :)

 

I also like the way you have written the code, I am able to make modifications, or rather reduce the requirements - I think I'll probably just make using a special character the requirement.

 

I really appreciate you taking the time to help me out with this, let me know if there is anything I can do in return - I'm actually a graphic designer by trade :P

 

Thanks again :)


Archived

This topic is now archived and is closed to further replies.
