Added system option to configure minimum password strength and length

Author: Marius Cramer

install/tpl/system.ini.master

@@ -51,3 +51,5 @@ customer_no_start=1
 customer_no_counter=0
 session_timeout=0
 session_allow_endless=0
+min_password_length=5
+min_password_strength=0

interface/lib/classes/validate_password.inc.php

@@ -0,0 +1,121 @@
+<?php
+
+/*
+Copyright (c) 2007, Till Brehm, projektfarm Gmbh
+Copyright (c) 2014, Marius Cramer, pixcept KG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class validate_password {
+	
+	private function _get_password_strength($password) {
+		$length = strlen($password);
+		$points = 0;
+		if ($length < 5) {
+			return 1;
+		}
+
+		if (preg_match('/[ABCDEFGHIJKLNMOPQRSTUVWXYZ]/', $password)) {
+			$points += 1;
+		}
+
+		if (preg_match('/[0123456789]/', $password)) {
+			$points += 1;
+		}
+
+		if (preg_match('/[`~!@#$%^&*()_+|\\=-[]}{\';:\/?.>,<" ]/', $password)) {
+			$points += 1;
+		}
+
+		if ($points == 0) {
+			if ($length >= 5 && $length <= 6) {
+				return 1;
+			} else if ($length >= 7 && $length <= 8) {
+				return 2;
+			} else {
+				return 3;
+			}
+		} else if ($points == 1) {
+			if ($length >= 5 && $length <= 6) {
+				return 2;
+			} else if (length >= 7 && length <=10) {
+				return 3;
+			} else {
+				return 4;
+			}
+		} else if ($points == 2) {
+			if ($length >= 5 && $length <= 8) {
+				return 3;
+			} else if ($length >= 9 && $length <= 10) {
+				return 4;
+			} else {
+				return 5;
+			}
+		} else if ($points == 3) {
+			if ($length >= 5 && $length <= 6) {
+				return 3;
+			} else if ($length >= 7 && $length <= 8) {
+				return 4;
+			} else {
+				return 5;
+			}
+		} else if ($points >= 4) {
+			if ($length >= 5 && $length <= 6) {
+				return 4;
+			} else {
+				return 5;
+			}
+		}
+		
+	}
+	
+	/* Validator function */
+	function password_check($field_name, $field_value, $validator) {
+		global $app;
+		
+		$app->uses('ini_parser,getconf');
+		$server_config_array = $app->getconf->get_global_config();
+		
+		$min_password_strength = 0;
+		$min_password_length = 5;
+		if(isset($server_config_array['misc']['min_password_length'])) $min_password_length = $server_config_array['misc']['min_password_length'];
+		if(isset($server_config_array['misc']['min_password_strength'])) $min_password_strength = $server_config_array['misc']['min_password_strength'];
+		
+		if($min_password_strength > 0) {
+			$lng_text = $app->lng('weak_password_txt');
+			$lng_text = str_replace(array('{chars}', '{strength}'), array($min_password_length, $app->lng('strength_' . $min_password_strength)), $lng_text);
+		} else {
+			$lng_text = $app->lng('weak_password_length_txt');
+			$lng_text = str_replace('{chars}', $min_password_length, $lng_text);
+		}
+		if(!$lng_text) $lng_text = 'weak_password_txt'; // always return a string, even if language is missing - otherwise validator is NOT MATCHING!
+		
+		if(strlen($field_value) < $min_password_length) return $lng_text;
+		if($this->_get_password_strength($field_value) < $min_password_strength) return $lng_text;
+		
+		return false;
+	}
+}

interface/lib/lang/de.lng

@@ -139,4 +139,12 @@ $wb['gender_f_txt'] = 'Frau';
 $wb['client_cannot_be_deleted_because_of_billing_module_txt'] = 'Für den Kunden existieren Einträge im Billing-Modul, daher kann er nicht gelöscht werden.';
 $wb['yes_txt'] = 'Ja';
 $wb['no_txt'] = 'Nein';
+$wb['None'] = 'Keine';
+$wb['strength_1'] = 'Leicht';
+$wb['strength_2'] = 'Mittel';
+$wb['strength_3'] = 'Gut';
+$wb['strength_4'] = 'Stark';
+$wb['strength_5'] = 'Sehr stark';
+$wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke "{strength}" besitzen.';
+$wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.';
 ?>

interface/lib/lang/en.lng

@@ -141,4 +141,13 @@ $wb['gender_f_txt'] = 'Ms.';
 $wb['client_cannot_be_deleted_because_of_billing_module_txt'] = 'This client has records in the billing module, therefore he cannot be deleted.';
 $wb['yes_txt'] = 'Yes';
 $wb['no_txt'] = 'No';
+$wb['None'] = 'None';
+$wb['strength_1'] = 'Weak';
+$wb['strength_2'] = 'Fair';
+$wb['strength_3'] = 'Good';
+$wb['strength_4'] = 'Strong';
+$wb['strength_5'] = 'Very Strong';
+$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".';
+$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+
 ?>

interface/web/admin/form/remote_user.tform.php

@@ -101,6 +101,14 @@
 		'remote_password' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'PASSWORD',
+			'validators' => array(
+				0 => array(
+					'type' => 'CUSTOM',
+					'class' => 'validate_password',
+					'function' => 'password_check',
+					'errmsg' => 'weak_password_txt'
+				)
+			),
 			'encryption' => 'MD5',
 			'default' => '',
 			'value'  => '',

interface/web/admin/form/system_config.tform.php

@@ -487,6 +487,20 @@
 			'default' => 'n',
 			'value'  => array(0 => 'n', 1 => 'y')
 		),
+		'min_password_length' => array(
+			'datatype' => 'INTEGER',
+			'formtype' => 'TEXT',
+			'default' => '5',
+			'value'  => '',
+			'width'  => '30',
+			'maxlength' => '255'
+		),
+		'min_password_strength' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'SELECT',
+			'default' => '',
+			'value'  => array('' => 'None', '1' => 'strength_1', '2' => 'strength_2', '3' => 'strength_3', '4' => 'strength_4', '5' => 'strength_5')
+		)
 		//#################################
 		// ENDE Datatable fields
 		//#################################

interface/web/admin/form/users.tform.php

@@ -164,6 +164,14 @@
 		'passwort' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'PASSWORD',
+			'validators' => array(
+				0 => array(
+					'type' => 'CUSTOM',
+					'class' => 'validate_password',
+					'function' => 'password_check',
+					'errmsg' => 'weak_password_txt'
+				)
+			),
 			'encryption'    => 'CRYPT',
 			'regex'  => '',
 			'errmsg' => '',

interface/web/admin/lib/lang/de_system_config.lng

@@ -66,4 +66,6 @@ $wb['customer_no_counter_txt'] = 'Kundennummer Zähler';
 $wb['session_timeout_txt'] = 'Session-Timeout (Minuten)';
 $wb['session_allow_endless_txt'] = '"Eingeloggt bleiben" aktivieren';
 $wb['No'] = 'Nein';
+$wb['min_password_length_txt'] = 'Minimale Passwortlänge';
+$wb['min_password_strength_txt'] = 'Minimale Passwortstärke';
 ?>

interface/web/admin/lib/lang/en_system_config.lng

@@ -66,4 +66,6 @@ $wb['customer_no_counter_txt'] = 'Customer No. counter';
 $wb['session_timeout_txt'] = 'Session timeout (minutes)';
 $wb['session_allow_endless_txt'] = 'Enable "stay logged in"';
 $wb['No'] = 'No';
+$wb['min_password_length_txt'] = 'Minimum password length';
+$wb['min_password_strength_txt'] = 'Minimum password strength';
 ?>

interface/web/admin/templates/system_config_misc_edit.htm

@@ -90,6 +90,16 @@ <h2><tmpl_var name="list_head_txt"></h2>
                 <div class="multiField">
                     {tmpl_var name='session_allow_endless'}
                 </div>
+            </div>
+            <div class="ctrlHolder">
+                <label for="min_password_length">{tmpl_var name='min_password_length_txt'}</label>
+                <input name="min_password_length" id="min_password_length" value="{tmpl_var name='min_password_length'}" size="30" maxlength="255" type="text" class="textInput" />
+            </div>
+            <div class="ctrlHolder">
+                <label for="min_password_strength">{tmpl_var name='min_password_strength_txt'}</label>
+                <select name="min_password_strength" id="min_password_strength" class="selectInput formLengthHalf">
+                    {tmpl_var name='min_password_strength'}
+                </select>
             </div>
 			<div class="ctrlHolder">
                 <p class="label">{tmpl_var name='maintenance_mode_txt'}</p>