Solved

Force User to enter Complex password

Posted on 2007-11-21
Last Modified: 2013-11-17
I am using Borland Builder 6 to make an application that requires a user login. Currently I am forcing the user to enter a password longer than 5 characters. But I would like to enforce a complex password to be entered. Is there any easy way of checking this?
Question by:enSynergy
7 Comments
 
LVL 25

Expert Comment

by:imitchie
ID: 20326947
use Local Security Policy in Administrative Tools
 
LVL 25

Expert Comment

by:imitchie
ID: 20326951
wrong post. pls ignore
 
LVL 16

Accepted Solution

by:
George Tokas earned 1500 total points
ID: 20327512
First of all you have access to the password itself using: AnsiString S = EditBox->Text;
So you have the password to an AnsiString....
You can check the presence of any special character using AnsiPos(substring,source)
The special characters you want to enforce using are in certain increment positions of the ascii table...
So with a few loops you can check out if the rules you want to enforce applies...

George Tokas.
 
LVL 25

Expert Comment

by:kode99
ID: 20354173
Out of interest here's what MS considers 'strong passwords',

http://support.microsoft.com/kb/161990/EN-US/

To implement this is fairly easy by creating a set of strings matching the groups of characters and then checking these groups against each letter of the password.  Not a whole lot of looping to do.

Anyway here's a rough example to match the MS requirement,

 // sUserName is the account's login name; the declaration in the form's
 // header must carry the same two parameters.
 bool TForm1::PasswordCheck(AnsiString sPassword, AnsiString sUserName)
 {
  // so make your groupings
   AnsiString Group1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
   AnsiString Group2 = "abcdefghijklmnopqrstuvwxyz";
   AnsiString Group3 = "0123456789";
   AnsiString Group4 = "`~!@#$%^&*()_-+=|<>,.?";

   bool IsValid = true;
   int i = 1;
   int G1 = 0, G2 = 0, G3 = 0, G4 = 0;

  // scan password character contents and count valid characters
  // (AnsiString positions are 1-based)
   while((i < (sPassword.Length()+1))&&(IsValid == true))
   {
     if(Group1.Pos(sPassword.SubString(i,1)) != 0)  G1++;
     if(Group2.Pos(sPassword.SubString(i,1)) != 0)  G2++;
     if(Group3.Pos(sPassword.SubString(i,1)) != 0)  G3++;
     if(Group4.Pos(sPassword.SubString(i,1)) != 0)  G4++;
     i++;
   }

  // Check for disqualification for length of 6 characters
  // or using invalid characters that are not in our groups
   if(((G1+G2+G3+G4) != sPassword.Length())
      ||(sPassword.Length() < 6))
    IsValid = false;

  // check for 3 out of the 4 groups being used as MS does
   if(G1 > 0) G1 = 1;
   if(G2 > 0) G2 = 1;
   if(G3 > 0) G3 = 1;
   if(G4 > 0) G4 = 1;

   if((G1+G2+G3+G4) < 3)
     IsValid = false;

  //check for username or other words,  could also check for previous
  //passwords or other words by looping through a string list.
  // just check user name - be sure to match the case so force lower or upper
  // for both the password and the username
   if(!sUserName.IsEmpty()
      && sPassword.LowerCase().Pos(sUserName.LowerCase()) != 0)
     IsValid = false;

   return IsValid;
 }

Worth noting that people can still do some pretty bad passwords even within this framework.  For example 'Hello1' or 'Hello!' would still pass as it has 3 of the 4 groups.  This could be caught with a word list check like the user name.  Something like 'He!!o.' is somewhat harder to catch though.
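The weak cases named in the post above ('Hello1', 'Hello!', 'He!!o.') can be caught by folding look-alike substitutions before the word-list and user-name checks. This is an added example in standard C++ (std::string rather than AnsiString), not code from the thread; `Verdict`, `FoldToLetters`, `CheckPassword`, the substitution table and the word list passed in are assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

enum class Verdict { Ok, TooShort, BadCharacter, TooFewGroups,
                     ContainsUserName, ContainsWeakWord };

// Undo common look-alike substitutions, lower-case letters and drop the rest,
// so "He!!o." folds to "hello". The substitution table is an assumption.
std::string FoldToLetters(const std::string& s) {
    std::string out;
    for (unsigned char c : s) {
        switch (c) {
            case '!': case '1': case '|': out += 'l'; break;
            case '0': out += 'o'; break;
            case '3': out += 'e'; break;
            case '@': case '4': out += 'a'; break;
            case '$': case '5': out += 's'; break;
            default:
                if (std::isalpha(c)) out += static_cast<char>(std::tolower(c));
        }
    }
    return out;
}

// weakWords: lower-case letters only (the caller supplies the list).
Verdict CheckPassword(const std::string& pw, const std::string& userName,
                      const std::vector<std::string>& weakWords) {
    const std::string special = "`~!@#$%^&*()_-+=|<>,.?";  // Group4 from the post
    if (pw.size() < 6) return Verdict::TooShort;
    bool upper = false, lower = false, digit = false, spec = false;
    for (unsigned char c : pw) {
        if (c >= 'A' && c <= 'Z') upper = true;
        else if (c >= 'a' && c <= 'z') lower = true;
        else if (c >= '0' && c <= '9') digit = true;
        else if (special.find(static_cast<char>(c)) != std::string::npos) spec = true;
        else return Verdict::BadCharacter;  // outside all four groups
    }
    if (upper + lower + digit + spec < 3) return Verdict::TooFewGroups;

    // Compare folded forms so substitutions cannot hide the name or a word.
    const std::string folded = FoldToLetters(pw);
    const std::string foldedUser = FoldToLetters(userName);
    if (foldedUser.size() >= 3 && folded.find(foldedUser) != std::string::npos)
        return Verdict::ContainsUserName;
    for (const std::string& w : weakWords)
        if (w.size() >= 4 && folded.find(w) != std::string::npos)
            return Verdict::ContainsWeakWord;
    return Verdict::Ok;
}
```

Words shorter than four letters are skipped because substring matching on them rejects too many unrelated passwords.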
 
LVL 18

Expert Comment

by:Jose Parrot
ID: 20364886
Hi,

As per kode99's effective comment, the rules for passwords are:
- Character must be in one of the 4 given sets
- Password must contain characters from at least 3 of such sets
- Password length must be at least 6 characters long
- optionally, already used passwords are refused
- optionally, passwords equal to a word in a given list are refused

Additionally, more rules can be applied also, like:
- No repeating characters allowed
      len = password length
      for i=1, len-1
         for j=i+1, len
            if password[i] == password[j]
               then refuse password
- Requirement for a minimum or given number of characters of one or more sets.
  Example: must have at least two uppercase characters.
  In this case, as per kode99's code:
  in place of
      if(G1 > 0) G1 = 1;
  substitute by
      if(G1 <2) IsValid=false;    // refuse password
      else G1=1;

A simple tutorial is also available at
http://www.microsoft.com/protect/yourself/password/create.mspx

Those rules are a practical simplification of a REAL complex password.
For example, the simple string
    inhocsignovinces
will be refused, because it is only lowercase, but is a password very difficult to crack. But for sure requires a very complex code too!

Jose
 
LVL 9

Expert Comment

by:Cayce
ID: 20494389
Use a regex

* at least 8 characters
* at least one one lower case letter, one upper case letter, one digit and one special character
* characters -   @#$%^&+=


    ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
 
LVL 9

Expert Comment

by:Cayce
ID: 20494457
I keep forgetting that BCB doesn't include a regex engine.
There's a ton out there, for instance: http://www.uptime.it/delphi/old/delregex.zip