Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1074
  • Last Modified:

Force User to enter Complex password

I am using Boralnd Builder 6 to make an application that requires a user login. Currently I am forcing the user to enter a password longer than 5 characters. But I would like to enfore a complex password to be entered is there any easy ways of checking this
0
enSynergy
Asked:
enSynergy
1 Solution
 
imitchieCommented:
use Local Security Policy in Administrative Tools
0
 
imitchieCommented:
wrong post. pls ignore
0
 
George TokasCommented:
First of all you have access to the password itself using: AnsiString S = EditBox->Text;
So you have the password to an AnsiString....
You can check the pressence of any special character using AnsiPos(substring,source)
The special characters you want to enforce using are in sertain increment positions of the ascii table...
So with a few loops you can check out if the rules you want to enforce applies...

George Tokas.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
kode99Commented:
Out of interest here's what MS considers 'strong passwords',

http://support.microsoft.com/kb/161990/EN-US/

To implement this is fairly easy by creating a set of strings matching the groups of characters and then checking these groups agains each letter of the password.  Not a whole lot of looping to do.

Anyway heres a rough example to match the MS requirement,

 bool TForm1::PasswordCheck(AnsiString sPassword)
 {
  // so make your gouprings
   AnsiString Group1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
   AnsiString Group2 = "abcdefghijklmnopqrstuvwxyz";
   AnsiString Group3 = "0123456789";
   AnsiString Group4 = "`~!@#$%^&*()_-+=|<>,.?";

   bool IsValid = true;
   int i = 1;
   int G1 = 0, G2 = 0, G3 = 0, G4 = 0;

  // scan password character contents and count valid characters
   while((i < (sPassword.Length()+1))&&(IsValid == true))
   {
     if(Group1.Pos(sPassword.SubString(i,1)) != 0)  G1++;
     if(Group2.Pos(sPassword.SubString(i,1)) != 0)  G2++;
     if(Group3.Pos(sPassword.SubString(i,1)) != 0)  G3++;
     if(Group4.Pos(sPassword.SubString(i,1)) != 0)  G4++;
     i++;
   }

  // Check for disqualification for length of 6 characters
  // or using invalid characters that are not in our groups
   if(((G1+G2+G3+G4) != sPassword.Length())
      ||(sPassword.Length() < 6))
    IsValid = false;

  // check for 3 out of the 4 groups being used as MS does
   if(G1 > 0) G1 = 1;
   if(G2 > 0) G2 = 1;
   if(G3 > 0) G3 = 1;
   if(G4 > 0) G4 = 1;

   if((G1+G2+G3+G4) < 3)
     IsValid = false;

  //check for username or other words,  could also check for previous
  //passwords or other words by looping through a string list.
  // just check user name - be sure to match the case so force lower or upper
  // for both the password and the username
   if(sPassword.LowerCase().Pos(<username>) != 0)
     IsValid = false;

   return IsValid;
 }

Worth noting that people can still do some pretty bad passwords even within this framework.  For example 'Hello1' or 'Hello!' would still pass as it has 3 of the 4 groups.  This could be caught with a word list check like the user name.  Something like 'He!!o.' is somewhat harder to catch though.
0
 
Jose ParrotGraphics ExpertCommented:
Hi,

As per kode99's effective comment, the rules for passwords are:
- Character must be in one of the 4 given sets
- Password must contain characters from at least 3 of such sets
- Password lenght must be at least 6 characters long
- optionally, already used passwords are refused
- optionally, passwords equal to a word in a given list are refused

Additionally, more rules can be applied also, like:
- No repeating characters allowed
      len = password lenght  
      for i=1, len-1
         for j=i+1, len
            if password[i] == password[j]
               then refuse password
- Requirement for a minimum or given number of characters of one or more sets.
  Example: must have at least two uppercase characters.
  In this case, as per kode99's code:
  in place of
      if(G1 > 0) G1 = 1;
  substitute by
      if(G1 <2) IsValid=false;    // refuse password
      else G1=1;

A simple tutorial is also available at
http://www.microsoft.com/protect/yourself/password/create.mspx

Those rules are a practical simplification of a REAL complex password.
For example, the simple string
    inhocsignovinces
will be refused, because it is only lowercase, but is a password very difficult to crack. But for sure requires a very complex code too!

Jose
0
 
CayceCommented:
Use a regex

* at least 8 characters
* at least one one lower case letter, one upper case letter, one digit and one special character
* characters -   @#$%^&+=


    ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
0
 
CayceCommented:
I keep forgetting that BCB doesnt include regex engine.
There's a ton out there, for instance: http://www.uptime.it/delphi/old/delregex.zip
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now