Solved

Force User to enter Complex password

Posted on 2007-11-21
Last Modified: 2013-11-17
I am using Borland Builder 6 to make an application that requires a user login. Currently I am forcing the user to enter a password longer than 5 characters. But I would like to enforce a complex password to be entered. Is there any easy way of checking this?
Question by:enSynergy
7 Comments
 
LVL 25

Expert Comment

by:imitchie
ID: 20326947
use Local Security Policy in Administrative Tools
0
 
LVL 25

Expert Comment

by:imitchie
ID: 20326951
wrong post. pls ignore
0
 
LVL 16

Accepted Solution

by:
George Tokas earned 500 total points
ID: 20327512
First of all, you have access to the password itself using: AnsiString S = EditBox->Text;
So you have the password in an AnsiString....
You can check the presence of any special character using AnsiPos(substring,source)
The special characters you want to enforce are in certain increment positions of the ASCII table...
So with a few loops you can check whether the rules you want to enforce apply...

George Tokas.
0
 
LVL 25

Expert Comment

by:kode99
ID: 20354173
Out of interest here's what MS considers 'strong passwords',

http://support.microsoft.com/kb/161990/EN-US/

To implement this is fairly easy by creating a set of strings matching the groups of characters and then checking these groups against each letter of the password.  Not a whole lot of looping to do.

Anyway, here's a rough example to match the MS requirement,

 // sUserName: the login name that the password must not contain
 bool TForm1::PasswordCheck(AnsiString sPassword, AnsiString sUserName)
 {
  // so make your groupings
   AnsiString Group1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
   AnsiString Group2 = "abcdefghijklmnopqrstuvwxyz";
   AnsiString Group3 = "0123456789";
   AnsiString Group4 = "`~!@#$%^&*()_-+=|<>,.?";

   bool IsValid = true;
   int i = 1;
   int G1 = 0, G2 = 0, G3 = 0, G4 = 0;

  // scan password character contents and count valid characters
   while((i < (sPassword.Length()+1))&&(IsValid == true))
   {
     if(Group1.Pos(sPassword.SubString(i,1)) != 0)  G1++;
     if(Group2.Pos(sPassword.SubString(i,1)) != 0)  G2++;
     if(Group3.Pos(sPassword.SubString(i,1)) != 0)  G3++;
     if(Group4.Pos(sPassword.SubString(i,1)) != 0)  G4++;
     i++;
   }

  // Check for disqualification for length of 6 characters
  // or using invalid characters that are not in our groups
   if(((G1+G2+G3+G4) != sPassword.Length())
      ||(sPassword.Length() < 6))
    IsValid = false;

  // check for 3 out of the 4 groups being used as MS does
   if(G1 > 0) G1 = 1;
   if(G2 > 0) G2 = 1;
   if(G3 > 0) G3 = 1;
   if(G4 > 0) G4 = 1;

   if((G1+G2+G3+G4) < 3)
     IsValid = false;

  //check for username or other words,  could also check for previous
  //passwords or other words by looping through a string list.
  // just check user name - be sure to match the case so force lower or upper
  // for both the password and the username
   if((sUserName.Length() > 0)
      &&(sPassword.LowerCase().Pos(sUserName.LowerCase()) != 0))
     IsValid = false;

   return IsValid;
 }

Worth noting that people can still do some pretty bad passwords even within this framework.  For example 'Hello1' or 'Hello!' would still pass as it has 3 of the 4 groups.  This could be caught with a word list check like the user name.  Something like 'He!!o.' is somewhat harder to catch though.
0
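The 'Hello1' and 'He!!o.' cases mentioned above can both be caught by canonicalising the password before the word-list comparison. The following is an added example, not code from any poster in this thread; it uses standard C++ `std::string` rather than BCB's `AnsiString`, and the substitution map, the `banned` list and the names `Normalize`, `CheckPassword` and `PasswordResult` are assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Fold a string to a canonical form: lower-case letters only, with common
// look-alike characters mapped back to letters (assumed map, extend as needed).
std::string Normalize(const std::string& s) {
    std::string out;
    for (unsigned char c : s) {
        switch (c) {
            case '0': out += 'o'; break;
            case '1': case '!': case '|': out += 'l'; break;
            case '3': out += 'e'; break;
            case '4': case '@': out += 'a'; break;
            case '5': case '$': out += 's'; break;
            case '7': case '+': out += 't'; break;
            default:  // letters: lower-case and fold 'i' into 'l'; the rest is dropped
                if (std::isalpha(c)) { char l = (char)std::tolower(c); out += (l == 'i') ? 'l' : l; }
        }
    }
    return out;
}

enum PasswordResult { PW_OK, PW_TOO_SHORT, PW_BAD_CHAR, PW_FEW_CLASSES, PW_HAS_WORD };

// Same rules as the function above (length 6, 3 of 4 groups, no user name),
// plus a banned-word check done on the canonical form of both sides.
PasswordResult CheckPassword(const std::string& pw, const std::string& user,
                             const std::vector<std::string>& banned) {
    const std::string specials = "`~!@#$%^&*()_-+=|<>,.?";  // Group4 from the post
    if (pw.size() < 6) return PW_TOO_SHORT;
    bool up = false, lo = false, dig = false, sp = false;
    for (unsigned char c : pw) {
        if (c >= 'A' && c <= 'Z') up = true;
        else if (c >= 'a' && c <= 'z') lo = true;
        else if (c >= '0' && c <= '9') dig = true;
        else if (specials.find((char)c) != std::string::npos) sp = true;
        else return PW_BAD_CHAR;
    }
    if (up + lo + dig + sp < 3) return PW_FEW_CLASSES;
    const std::string canon = Normalize(pw);
    std::vector<std::string> words(banned);
    words.push_back(user);
    for (const std::string& w : words) {
        const std::string cw = Normalize(w);
        // ignore empty or very short words, which would match almost anything
        if (cw.size() >= 3 && canon.find(cw) != std::string::npos) return PW_HAS_WORD;
    }
    return PW_OK;
}
```

Because the word list is passed through the same `Normalize` as the password, ambiguous substitutions such as `1` for either `i` or `l` compare equal on both sides.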
 
LVL 18

Expert Comment

by:JoseParrot
ID: 20364886
Hi,

As per kode99's effective comment, the rules for passwords are:
- Character must be in one of the 4 given sets
- Password must contain characters from at least 3 of such sets
- Password length must be at least 6 characters
- optionally, already used passwords are refused
- optionally, passwords equal to a word in a given list are refused

Additionally, more rules can be applied also, like:
- No repeating characters allowed
      // AnsiString is indexed from 1
      int len = sPassword.Length();
      for (int i = 1; i < len; i++)
         for (int j = i + 1; j <= len; j++)
            if (sPassword[i] == sPassword[j])
               IsValid = false;    // refuse password
- Requirement for a minimum or given number of characters of one or more sets.
  Example: must have at least two uppercase characters.
  In this case, as per kode99's code:
  in place of
      if(G1 > 0) G1 = 1;
  substitute by
      if(G1 <2) IsValid=false;    // refuse password
      else G1=1;

A simple tutorial is also available at
http://www.microsoft.com/protect/yourself/password/create.mspx

Those rules are a practical simplification of a REAL complex password.
For example, the simple string
    inhocsignovinces
will be refused, because it is only lowercase, but is a password very difficult to crack. But for sure requires a very complex code too!

Jose
0
 
LVL 9

Expert Comment

by:Cayce
ID: 20494389
Use a regex

* at least 8 characters
* at least one lower case letter, one upper case letter, one digit and one special character
* characters -   @#$%^&+=


    ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
0
 
LVL 9

Expert Comment

by:Cayce
ID: 20494457
I keep forgetting that BCB doesn't include a regex engine.
There's a ton out there, for instance: http://www.uptime.it/delphi/old/delregex.zip
0

Question has a verified solution.