Solved

Force User to enter Complex password

Posted on 2007-11-21
Last Modified: 2013-11-17
I am using Borland Builder 6 to make an application that requires a user login. Currently I am forcing the user to enter a password longer than 5 characters, but I would like to enforce that a complex password is entered. Are there any easy ways of checking this?
Question by:enSynergy
7 Comments
 
LVL 25

Expert Comment

by:imitchie
ID: 20326947
use Local Security Policy in Administrative Tools
0
 
LVL 25

Expert Comment

by:imitchie
ID: 20326951
wrong post. pls ignore
0
 
LVL 16

Accepted Solution

by:
George Tokas earned 500 total points
ID: 20327512
First of all you have access to the password itself using: AnsiString S = EditBox->Text;
So you have the password in an AnsiString....
You can check the presence of any special character using AnsiPos(substring,source)
The special characters you want to enforce are in certain increment positions of the ASCII table...
So with a few loops you can check whether the rules you want to enforce apply...

George Tokas.
0
 
LVL 25

Expert Comment

by:kode99
ID: 20354173
Out of interest here's what MS considers 'strong passwords',

http://support.microsoft.com/kb/161990/EN-US/

To implement this is fairly easy by creating a set of strings matching the groups of characters and then checking these groups against each letter of the password.  Not a whole lot of looping to do.

Anyway here's a rough example to match the MS requirement,

 // sUserName is the login name that the password must not contain
 bool TForm1::PasswordCheck(AnsiString sPassword, AnsiString sUserName)
 {
  // so make your groupings
   AnsiString Group1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
   AnsiString Group2 = "abcdefghijklmnopqrstuvwxyz";
   AnsiString Group3 = "0123456789";
   AnsiString Group4 = "`~!@#$%^&*()_-+=|<>,.?";

   bool IsValid = true;
   int i = 1;
   int G1 = 0, G2 = 0, G3 = 0, G4 = 0;

  // scan password character contents and count valid characters
  // (AnsiString positions are 1-based, so i runs from 1 to Length())
   while((i < (sPassword.Length()+1))&&(IsValid == true))
   {
     if(Group1.Pos(sPassword.SubString(i,1)) != 0)  G1++;
     if(Group2.Pos(sPassword.SubString(i,1)) != 0)  G2++;
     if(Group3.Pos(sPassword.SubString(i,1)) != 0)  G3++;
     if(Group4.Pos(sPassword.SubString(i,1)) != 0)  G4++;
     i++;
   }

  // Check for disqualification for length of 6 characters
  // or using invalid characters that are not in our groups
   if(((G1+G2+G3+G4) != sPassword.Length())
      ||(sPassword.Length() < 6))
    IsValid = false;

  // check for 3 out of the 4 groups being used as MS does
   if(G1 > 0) G1 = 1;
   if(G2 > 0) G2 = 1;
   if(G3 > 0) G3 = 1;
   if(G4 > 0) G4 = 1;

   if((G1+G2+G3+G4) < 3)
     IsValid = false;

  //check for username or other words,  could also check for previous
  //passwords or other words by looping through a string list.
  // just check user name - be sure to match the case so force lower or upper
  // for both the password and the username
   if(!sUserName.IsEmpty() &&
      sPassword.LowerCase().Pos(sUserName.LowerCase()) != 0)
     IsValid = false;

   return IsValid;
 }

Worth noting that people can still do some pretty bad passwords even within this framework.  For example 'Hello1' or 'Hello!' would still pass as it has 3 of the 4 groups.  This could be caught with a word list check like the user name.  Something like 'He!!o.' is somewhat harder to catch though.
0
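A portable standard C++ version of the check in the answer above, added here as an illustration and not code from the thread: it keeps the same four character groups and the 3-of-4 rule, reports why a password was refused, and goes one step further with a word-list comparison that first undoes look-alike substitutions, so both 'Hello1' and 'He!!o.' are caught. The function names, the substitution table and the sample word list are assumptions made for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum PwResult { PW_OK, PW_TOO_SHORT, PW_BAD_CHAR, PW_FEW_GROUPS, PW_HAS_USERNAME, PW_HAS_WORD };

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Assumed look-alike table (constructed for this example):
// '!', '1', '|' -> 'l';  '0' -> 'o';  '@' -> 'a';  '$' -> 's';  '3' -> 'e'
static std::string undoLookalikes(std::string s) {
    const std::string from = "!1|0@$3", to = "llloase";
    for (char &c : s) {
        std::string::size_type p = from.find(c);
        if (p != std::string::npos) c = to[p];
    }
    return s;
}

PwResult checkPassword(const std::string &pw, const std::string &user,
                       const std::vector<std::string> &words) {
    // Same four groups as the answer above
    const std::string groups[4] = {"ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz",
                                   "0123456789", "`~!@#$%^&*()_-+=|<>,.?"};
    if (pw.size() < 6) return PW_TOO_SHORT;
    bool used[4] = {false, false, false, false};
    for (char c : pw) {
        int g = 0;
        while (g < 4 && groups[g].find(c) == std::string::npos) ++g;
        if (g == 4) return PW_BAD_CHAR;        // character outside every group
        used[g] = true;
    }
    if (used[0] + used[1] + used[2] + used[3] < 3) return PW_FEW_GROUPS;
    const std::string low = toLower(pw), plain = undoLookalikes(low);
    if (!user.empty() && low.find(toLower(user)) != std::string::npos) return PW_HAS_USERNAME;
    for (const std::string &w : words)         // list entries are expected in lower case
        if (!w.empty() && (low.find(w) != std::string::npos || plain.find(w) != std::string::npos))
            return PW_HAS_WORD;
    return PW_OK;
}

int main() {
    const std::vector<std::string> words = {"hello", "password", "welcome"};  // constructed sample list
    for (const char *pw : {"Hello1", "He!!o.", "Tr4ck-Zq9"})
        std::cout << pw << " -> " << checkPassword(pw, "alice", words) << "\n";
}
```

A single fixed substitution table is a simplification: '!' can stand for 'i' as well as 'l', so a production check would try each plausible mapping against a much larger list.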
 
LVL 18

Expert Comment

by:JoseParrot
ID: 20364886
Hi,

As per kode99's effective comment, the rules for passwords are:
- Character must be in one of the 4 given sets
- Password must contain characters from at least 3 of such sets
- Password length must be at least 6 characters
- optionally, already used passwords are refused
- optionally, passwords equal to a word in a given list are refused

Additionally, more rules can be applied also, like:
- No repeating characters allowed
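      // AnsiString characters are indexed from 1
      int len = sPassword.Length();
      for(int i = 1; i < len; i++)
         for(int j = i+1; j <= len; j++)
            if(sPassword[i] == sPassword[j])
               IsValid = false;    // refuse password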
- Requirement for a minimum or given number of characters of one or more sets.
  Example: must have at least two uppercase characters.
  In this case, as per kode99's code:
  in place of
      if(G1 > 0) G1 = 1;
  substitute by
      if(G1 <2) IsValid=false;    // refuse password
      else G1=1;

A simple tutorial is also available at
http://www.microsoft.com/protect/yourself/password/create.mspx

Those rules are a practical simplification of a REAL complex password.
For example, the simple string
    inhocsignovinces
will be refused, because it is only lowercase, but it is a password very difficult to crack. But for sure it requires very complex code too!

Jose
0
 
LVL 9

Expert Comment

by:Cayce
ID: 20494389
Use a regex

* at least 8 characters
* at least one lower case letter, one upper case letter, one digit and one special character
* characters -   @#$%^&+=


    ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
0
 
LVL 9

Expert Comment

by:Cayce
ID: 20494457
I keep forgetting that BCB doesn't include a regex engine.
There's a ton out there, for instance: http://www.uptime.it/delphi/old/delregex.zip
0
