[ic] UserDB.pm Minor Feature Patch - username ne password

John Young john_young at sonic.net
Thu Apr 8 17:39:53 EDT 2004


Following is a patch if there is interest in having [userdb]
reject password setting if the username and password are equal.
This can be useful for adding just a tad more security for site
visitors when creating a new account or changing a password.

The argument, user_pass_must_differ, takes a true/false value
(but its name might be a bit long for some people's taste).

An example of its use:
[if type=explicit compare="[userdb function=new_account 
user_pass_must_differ=1]"]
     ...(create account)...
[/if]
(Note: if someone does the above, they probably should make use
of the userminlen and passminlen arguments, as well.)

-John Young

-------- snip --------

--- UserDB.pm.orig	Sun Feb 29 21:59:07 2004
+++ UserDB.pm	Thu Apr  8 14:23:13 2004
@@ -1054,6 +1054,13 @@
  			die $stock_error, "\n";
  		}

+		# Fail if username and password are equal
+		if ($self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq 
$self->{PASSWORD}) {
+			logError("Denied attempted login with password '%s' equal to user name",
+			$self->{PASSWORD});
+			die $stock_error, "\n";
+		}
+
  		# Allow entry to global AdminUser without checking access database
  		ADMINUSER: {
  			if ($Global::AdminUser) {
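Review bot: the logError call in the added block writes $self->{PASSWORD} to the error log in clear text. The branch is only taken when that value equals the user name, so for any account whose password was set before the option was switched on, the log line records what may be a valid credential. Log $self->{USERNAME} instead, or no value at all. The message text also shows this check sits on the login path, so enabling the option turns away such existing accounts at login; that behaviour should be stated wherever the option is documented.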
@@ -1350,6 +1357,9 @@
  		die errmsg("Password and check value don't match.") . "\n"
  			unless $self->{PASSWORD} eq $self->{VERIFY};

+		die errmsg("Password must differ from username.") . "\n"
+			if ($self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq 
$self->{PASSWORD});
+
  		if($self->{CRYPT}) {
  				if($self->{OPTIONS}{md5}) {
  					$self->{PASSWORD} = generate_key($self->{PASSWORD});
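Review bot: the condition "$self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq $self->{PASSWORD}" is repeated verbatim here and in the other two hunks; a small helper method would keep the three sites from drifting apart. The patch also carries no documentation for the new user_pass_must_differ argument, which needs an entry alongside userminlen and passminlen.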
@@ -1455,6 +1465,8 @@
  			if length($self->{PASSWORD}) < $self->{PASSMINLEN};
  		die errmsg("Password and check value don't match.") . "\n"
  			unless $self->{PASSWORD} eq $self->{VERIFY};
+		die errmsg("Password must differ from username.") . "\n"
+			if ($self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq 
$self->{PASSWORD});

  		if ($self->{OPTIONS}{ignore_case}) {
  			$self->{PASSWORD} = lc $self->{PASSWORD};
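Review bot: the added check uses a case-sensitive eq and sits above the ignore_case branch, which lowercases $self->{PASSWORD} only afterwards. With ignore_case set, a password that differs from the user name only in letter case passes the check and is then case-folded, so it can end up equal to the user name after all. Move the check below the ignore_case block, or compare lc() of both values when that option is on.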


