
Logician 07-22-2002 10:00 PM

Advanced Password Rules
 
This hack allows you to set advanced rules for user passwords to increase member account security. You can enable/disable:
  • The password can't be the same as the username
  • The password can't be shorter than X characters
  • The password must include both numbers and letters
  • The password can't be all consecutive like 111111 or aaaaaa
  • The password can't be years (e.g. birth years) or the character sets you banned like 'qwerty' or '0000'
individually. Advanced password rules apply to newly registering members and existing members who change their passwords.

The hack is Admin CP integrated so you can configure its options inside your Admin CP. (See screenshots below) It's compatible with all VB versions I know, feel free to try..

I coded this hack as a part of my "Advanced Board Protection Hack" (not released yet), however it became too complex, so I separated this and made it an independent hack.

Click INSTALL if you install the hack, thx.

Enjoy...

Logician \\=^))

Logician 07-23-2002 02:44 PM

Screenshot:

(Admin CP Settings Page where you configure your password rules)

Xenon 07-23-2002 02:50 PM

another great hack by you pal

/me thinks to nominate it a hack of the month

Lesane 07-23-2002 02:58 PM

Great work Logician

Chris M 07-23-2002 03:09 PM

Brilliant:)

Just a Question : You know that characters like "11111111" can't be used...

How about a password of the format :

LLLnnNNN (LLL are different letters, nn is the same number, NNN are other numbers)

Would the two "nn" numbers be blocked if you are using the Consecutive feature? (i.e. abc11234)

Satan

Neo 07-23-2002 04:32 PM

nice one.

EchoHype.com 07-23-2002 04:37 PM

Nice hack!

Floris 07-23-2002 04:47 PM

Great hack, applying to localboard first and testing it to the max to see if it still has an ease of use for the end-user.

Logician 07-23-2002 06:06 PM

@hellsatan:

Quote:

Would the two "nn" numbers be blocked if you are using the Consecutive feature? (i.e. abc11234)

Nope it's not. Hack only stops (if set to do so) when all chars are the same. So password "11111111" is not allowed while "111111110" or "011111111" or "111101111" are permitted..

@xiphoid: please return me your test results and some feedback. I have tested it in 3 different boards and using it in my real board without any problems but I can always use some feedback especially from power-users like yourself, thx :)

@rest: thx for the nice comments.. enjoy..
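
The rule set from the first post, together with Logician's clarification that the repetition check fires only when every character is identical, as an added example that is not the hack's own code. The option keys reuse the setting varnames mentioned in this thread; the function name, the mapping of each varname to a rule, the year range and the case-insensitive comparisons are assumptions.

```php
<?php
// Added example, not the hack's code. Keys mirror the setting varnames
// listed in the thread; which rule each one controls is assumed.
function check_password_rules(string $username, string $password, array $opt): array
{
    $errors = [];
    $lower = strtolower($password);

    // Assumption: the username comparison ignores case.
    if ($opt['bbuser_pass_same_name'] && $lower === strtolower($username)) {
        $errors[] = 'same_as_username';
    }
    if (strlen($password) < $opt['bbmin_pass_length']) {
        $errors[] = 'too_short';
    }
    if ($opt['bbpassword_alphanum_check']
        && !(preg_match('/[a-z]/i', $password) && preg_match('/[0-9]/', $password))) {
        $errors[] = 'needs_letters_and_digits';
    }
    // Fires only when every character is identical ("11111111"); a run
    // inside a longer password ("abc11234") does not trigger it.
    if ($opt['bbpassword_repetitive'] && $password !== ''
        && count(array_unique(str_split($password))) === 1) {
        $errors[] = 'all_same_character';
    }
    if ($opt['bbpassword_complexity']) {
        // Assumptions: a "year" is a bare 4-digit number 1900-2099, and the
        // banned list is matched against the whole password, ignoring case.
        $banned = array_map('strtolower', $opt['bbp_basic_unallowed']);
        if (preg_match('/^(19|20)\d{2}$/', $password) || in_array($lower, $banned, true)) {
            $errors[] = 'year_or_banned';
        }
    }
    return $errors;
}

// Constructed settings and sample passwords for illustration.
$opt = [
    'bbuser_pass_same_name' => true, 'bbmin_pass_length' => 6,
    'bbpassword_alphanum_check' => true, 'bbpassword_repetitive' => true,
    'bbpassword_complexity' => true, 'bbp_basic_unallowed' => ['qwerty', '0000'],
];
foreach (['11111111', '111111110', 'abc11234', 'qwerty', '1984', 'logician'] as $pw) {
    $errs = check_password_rules('Logician', $pw, $opt);
    echo str_pad($pw, 10), $errs ? implode(', ', $errs) : 'ok', "\n";
}
```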

inetd 07-23-2002 06:07 PM

Logician, really the best hackers!
Good idea!!!
Really hack of month!

Velocd 07-23-2002 06:15 PM

pro :)
not sure about hack of the month, but it's still very useful.

Chris M 07-23-2002 06:32 PM

Thanks Logician!:)

Satan

Boofo 07-24-2002 12:20 AM

Will this hack work with bira's "Send Random Password Instead of Activation Code (v2.0)" hack?

DrkFusion 07-24-2002 01:34 AM

Nice work man, keep it up

Drk

Logician 07-24-2002 08:27 AM

Quote:

Originally posted by Boofo
Will this hack work with bira's "Send Random Password Instead of Activation Code (v2.0)" hack?

I haven't used Bira's hack but if it is not modifying "register.php" or "member.php" (which is very unlikely), yes they would work together without any problems..

Boofo 07-24-2002 08:48 AM

It sends users a random password rather than an Activation Code when they register. It does modify the member.php in the editprofile section. Not safe to use then, I take it? :)

Quote:

Originally posted by Logician

I haven't used Bira's hack but if it is not modifying "register.php" or "member.php" (which is very unlikely), yes they would work together without any problems..


Logician 07-24-2002 10:42 AM

Quote:

Originally posted by Boofo
It sends users a random password rather than an Activation Code when they register. It does modify the member.php in the editprofile section. Not safe to use then, I take it? :)

I don't think so.. My hack modifies "updatepassword" section of member.php. If Bira's hack does not touch that part (I can't see a reason it will touch it), you can use them together..

Boofo 07-24-2002 11:22 AM

Ok, I installed it and have a question or two.

Here's the code you said to look for:

PHP Code:

4 edit register.php
find:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  if ($password!=$passwordconfirm) {
    eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
    exit;
  }

Here's the code from bira's hack:


PHP Code:

// Send Random Password Instead of Activation Code (v2.0)
if ($randpassword=="0" and $password!=$passwordconfirm) {
// Send Random Password Instead of Activation Code (v2.0)
    eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
    exit;
  }

The member.php file had bira's hack in the update password part but it didn't look like it affected your code. I'm not sure though. :)

Also, I have a question about the wording in the Admin CP.

Quote:

User password cant be same with username?
Does yes mean it CAN't be the same or does no mean that?

Quote:

Password Complexity
Password can NOT be birthyears or custom ones you set below
Same with this one.

I just want to be 100 percent sure I'm not setting something wrong. :)

Logician 07-24-2002 03:09 PM

Quote:

Originally posted by Boofo
The member.php file had bira's hack in the update password part but it didn't look like it affected your code. I'm not sure though. :)

It is ok, you can add my code after Bira's code, they won't clash..


Quote:

Does yes mean it CAN't be the same or does no mean that?

If you set it to YES, password can not be same with username.. So to disable this check set it to NO..

Same applies to "Password Complexity": Yes enables it, while NO disables the check..

Quote:

I just want to be 100 percent sure I'm not setting something wrong. :)

Sure thing hehe

Boofo 07-24-2002 03:14 PM

Thank you, sir! :)

globalwin 07-24-2002 04:06 PM

Logician: Can you please make me an uninstall file for the install file you made because I want to cleanly uninstall this hack.

Thanks, :)

Logician 07-24-2002 04:20 PM

Quote:

Originally posted by globalwin
Logician: Can you please make me an uninstall file for the install file you made because I want to cleanly uninstall this hack.

Thanks, :)

globalwin, it does not harm you if you leave it intact but not use it. So if you disable options in the Admin CP, the hack will be disabled automatically. You can also delete text editing section from member.php and register.php and the hack will again be disabled.

But if you want to delete the hack from your database anyway you need to edit 2 tables via PHPmyAdmin or any other SQL tools. (once again: this is not necessary!) You need to edit 2 tables in your database:

1- edit table "settinggroup" and delete the record where title = "Advanced Password Rules". It will be probably the last record in the table..

2- Edit table "setting" and delete 6 records (again probably will be the last 6) with varnames= bbuser_pass_same_name, bbmin_pass_length, bbpassword_alphanum_check, bbpassword_repetitive, bbpassword_complexity and bbp_basic_unallowed

Backup db before taking actions just in case..

Xenon 07-24-2002 04:25 PM

you can also open your admin/config.php and add $debug=1; into it.

then go to your acp and you see new options in the navmenu. click on edit settings and then remove the settings for this hack

be sure after doing so to set $debug=0; again

alibaba 09-05-2002 03:03 AM

help me!

add hack OK but register new not active

kreatiV 10-26-2002 06:04 PM

I wonder if this hack can be extended?

1.) Force a Password change every XX Days ( configured via AdminCP )

2.) Force Password change - NOW - meaning on the next login the users have to change their password.

3.) Countdown 3 days before the password must be changed, saying something like " In 3 days you have to change your password - change it now? " " In 2 days, etc. "

4.) DeluxeVersion: store last 10 passwords and do not let user use any of those 10 Passwords.

Can this be done? I think it would be a nice security addon....

Bison 11-01-2002 02:20 PM

Gonna give this a try ...

Chris M 11-01-2002 02:56 PM

@kreatiV - 10 last passwords? Some people, like myself, don't have that many passwords, and they may forget new ones they have to make...

Why not the last 3?

Satan

kreatiV 11-01-2002 03:50 PM

Okay, last 3 is okay as well ;)

nugfoo 03-26-2003 05:06 PM

What about enforcing the use of non-alphanumeric characters? I don't see an option for that. Could it be added?

Thanks! Great work!

Mr. Brian 03-27-2003 05:32 AM

Great work! Logician ".) :lick:

Night Owl 07-25-2003 08:59 PM

Will this work on version 2.3.0?

This would be PERFECT for my board!

Logician 07-25-2003 09:05 PM

yes it should work on 2.3.0.. :)

Night Owl 07-25-2003 09:45 PM

OK. I just installed this. Everything is working...

Except the template. When I put a birthdate in as a password, it sends me to the advanced password rules template, but there is nothing there. I have checked the templates on both my template sets and they are both populated.

Attached is a screenshot:

Night Owl 07-25-2003 09:45 PM

I also went back to the instructions and reread them, but I can't see where I missed doing anything. wugh.

Night Owl 07-25-2003 10:36 PM

Nevermind. I figured it out. Somehow. lol

Mu5icMan 10-10-2003 08:28 AM

I would like some advice please. On our vbulletin we use .php3. In the APR_install.php would I need to rename it to APR_install.php3 and all content inside to *.php3. Also this piece of code I'm not sure of inside this file. Where does this go konukdefteri.php and do I need to change the extension of that to php3 as well.

Logician 10-10-2003 12:29 PM

Quote:

Originally Posted by Mu5icMan
I would like some advice please. On our vbulletin we use .php3. In the APR_install.php would I need to rename it to APR_install.php3 and all content inside to *.php3. Also this piece of code I'm not sure of inside this file. Where does this go konukdefteri.php and do I need to change the extension of that to php3 as well.

1- First change filename to "APR_install.php3"
2- Edit file and change line include("./global.php"); to include("./global.php3");
3- And line $file_name="APR_install.php"; to $file_name="APR_install.php3";

You don't need to make any changes. konukdefteri.php is an obsolete code which does not run anyway. It should work ok after these 3 changes.

Mu5icMan 10-10-2003 12:40 PM

cheers, Logician, you da man

AKosygin 10-12-2003 08:55 PM

Logician,

Good work! Keep those users from complaining about their account being hacked. (hate it when it is a PEBKAC issue).

Just a minor nitpick, it is "DISALLOWED" not "UNALLOWED". Might want to fix that minor error.

As for the template, most of you can probably make your life a little easier by taking the global variables of the hack and put it in as part of your error message template, like:
Code:

The password you have entered does not meet the password complexity requirements as set by the system administrator. Please go back and ensure that your password meets the complexity requirements.
<br>
<br>
Your password must be at least $bbmin_pass_length characters long, and can not be repeating letters or numbers, and can not be your username.

By using $bbmin_pass_length in your error message template, the number of characters long will be displayed and change according to what you have set in your admin CP options. So you don't need to go back to edit the template every time you change the settings.

Logician may also want to adjust a few of those variables, or introduce an "enhanced" hack to allow those variables to be passed as "Yes" or "No" text string, so people can just put in the variables at the template and will automatically change with the settings.

Mu5icMan 10-13-2003 08:32 AM

When I eventually get around to putting this hack on what will happen to the current passwords?


All times are GMT.