[ic] UserDB.pm Minor Feature Patch - username ne password
John Young
john_young at sonic.net
Thu Apr 8 17:39:53 EDT 2004
Following is a patch if there is interest in having [userdb]
reject password setting if the username and password are equal.
This can be useful for adding just a tad more security for site
visitors when creating a new account or changing a password.
The argument, user_pass_must_differ, takes a true/false value,
(but its name might be a bit long for some people's taste).
An example of its use:
[if type=explicit compare="[userdb function=new_account
user_pass_must_differ=1]"]
...(create account)...
[/if]
(Note: if someone does the above, they probably should make use
of the userminlen and passminlen arguments, as well.)
-John Young
-------- snip --------
--- UserDB.pm.orig Sun Feb 29 21:59:07 2004
+++ UserDB.pm Thu Apr 8 14:23:13 2004
@@ -1054,6 +1054,13 @@
die $stock_error, "\n";
}
+ # Fail if username and password are equal
+ if ($self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq
$self->{PASSWORD}) {
+ logError("Denied attempted login with password '%s' equal to user name",
+ $self->{PASSWORD});
+ die $stock_error, "\n";
+ }
+
# Allow entry to global AdminUser without checking access database
ADMINUSER: {
if ($Global::AdminUser) {
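Review bot: The logError call in the added block writes $self->{PASSWORD} to the error log in cleartext. The message is about the password matching the user name, so log $self->{USERNAME} instead (or no value at all), and no credential field reaches the log. Separately, judging by the "Denied attempted login" text and the die $stock_error, this check sits on the login path, so once the option is enabled an existing account whose password equals its user name can no longer log in and gets only the stock error. That side effect should be a deliberate decision and be stated wherever the option is described.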
@@ -1350,6 +1357,9 @@
die errmsg("Password and check value don't match.") . "\n"
unless $self->{PASSWORD} eq $self->{VERIFY};
+ die errmsg("Password must differ from username.") . "\n"
+ if ($self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq
$self->{PASSWORD});
+
if($self->{CRYPT}) {
if($self->{OPTIONS}{md5}) {
$self->{PASSWORD} = generate_key($self->{PASSWORD});
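Review bot: user_pass_must_differ is read from $self->{OPTIONS} in the added die, but nothing in the patch documents the new option. It needs a short entry next to userminlen and passminlen saying that it is off unless set and which functions honour it. As a style point, the same two-line condition appears verbatim in all three hunks, and here it is parenthesized after the postfix if while the neighbouring "unless $self->{PASSWORD} eq $self->{VERIFY};" is not. A small helper method would keep the three copies from drifting apart.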
@@ -1455,6 +1465,8 @@
if length($self->{PASSWORD}) < $self->{PASSMINLEN};
die errmsg("Password and check value don't match.") . "\n"
unless $self->{PASSWORD} eq $self->{VERIFY};
+ die errmsg("Password must differ from username.") . "\n"
+ if ($self->{OPTIONS}{user_pass_must_differ} && $self->{USERNAME} eq
$self->{PASSWORD});
if ($self->{OPTIONS}{ignore_case}) {
$self->{PASSWORD} = lc $self->{PASSWORD};
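Review bot: The added eq comparison runs before the ignore_case branch that follows it lowercases the password, so a password that differs from the user name only in letter case passes this check and can still be effectively the same string once lowercased. Either move the check below the ignore_case normalization or compare lc $self->{USERNAME} with lc $self->{PASSWORD} when $self->{OPTIONS}{ignore_case} is set.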