Stef Merlijn
asked on
Validate new password against old password
Hi,
I'm looking for some function that would check if a newly entered password matches the old password in some ways.
Some ideas:
- whenever a string of three positions of the new password can be found in the old password
- whenever 50% of all characters of the old password are reused in the new password
maybe you can think of some too
look for password policy
where do you plan to use this ?
In Delphi ?
Then you would need a centralised location to store the used passwords
And a GUI for an admin to reset the password, delete users, delete the history etc
Looks like you need a password database.
For instance in Oracle you can set a profile on a user
With all the restrictions you want :
http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_6010.htm#i2084338
There is a whole list of options of what you can do with the Oracle database here
http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/toc.htm
Maybe you can extract some ideas from that
ASKER
Basically I just want to verify that the new password isn't almost the same as the previous one.
I have no intention to store all passwords that were used (ever). For that I fully agree with rfwoolf.
Sum the ordinal values of the entered text and decide on your own window of acceptability.
where will you store the current password ?
in the cookie ?
ASKER
Geert Gruwez:
The password will be encrypted and stored in a database.
markusventer:
Sounds good. What would that look like?
ASKER CERTIFIED SOLUTION
ASKER
I believe this is perfect for my requirements.
Thank you all for your info.
stored in a database ?
then the database will encrypt it for you ... so you don't need to do this yourself
well, this is valid with the accepted answer :
old password: ABCDEFGHIJ
new pass: abcdefghij
next new pass: AbCdEfGhIj
looks like a very shallow constraint
you could just as well use SoundExInt
If Abs(SoundExInt(OldPassword , 10) - SoundExInt(NewPassword, 10)) > 2 then
... password accepted
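Geert's point above (passwords stored encrypted or hashed in the database, and a check that only compares exact strings being shallow) is easier to see with a small model of the change-password flow. The following is an added example, not code from the thread; it is Python rather than Delphi because the logic is language-neutral. The dict layout, HISTORY_DEPTH, the iteration count and the function names are assumptions, and the sample passwords are constructed. It keeps a short history of salted PBKDF2 hashes per user, so exact reuse of an earlier password is caught, and it shows that the hashes tell you nothing about similarity: the only moment a similarity rule can run is inside change_password, where the user has just typed the current password in plaintext.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the asker's password table:
# history[user] -> list of (salt, digest), oldest first. Assumed layout.
HISTORY_DEPTH = 5          # how many previous passwords are remembered (assumed)
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the digest is the only thing that is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(history: dict, user: str, password: str) -> None:
    """Append a fresh (salt, digest) pair and trim the history to HISTORY_DEPTH."""
    salt = os.urandom(16)
    entries = history.setdefault(user, [])
    entries.append((salt, hash_password(password, salt)))
    del entries[:-HISTORY_DEPTH]


def matches_entry(entry, candidate: str) -> bool:
    """Constant-time comparison of the candidate against one stored digest."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(candidate, salt), digest)


def was_used_before(history: dict, user: str, candidate: str) -> bool:
    """True if candidate equals any remembered password. Exact match only:
    a hash cannot reveal that 'abcdefghij' is ABCDEFGHIJ in lower case."""
    return any(matches_entry(e, candidate) for e in history.get(user, []))


def change_password(history: dict, user: str, current: str, new: str) -> str:
    """Returns 'ok' or the reason the change was refused.

    `current` is available in plaintext only because the user just typed it,
    so this is where any similarity rule against the old password has to run.
    Here the rule is the case-insensitive equality Geert criticised as shallow.
    """
    entries = history.get(user)
    if not entries or not matches_entry(entries[-1], current):
        return "current password incorrect"
    if new.casefold() == current.casefold():
        return "new password is the same as the current one (ignoring case)"
    if was_used_before(history, user, new):
        return "password was used recently"
    set_password(history, user, new)
    return "ok"


def demo():
    """Constructed walk-through; returns the outcome of each step."""
    db = {}
    set_password(db, "stef", "ABCDEFGHIJ")
    return (
        change_password(db, "stef", "ABCDEFGHIJ", "abcdefghij"),   # caught: only the case changed
        change_password(db, "stef", "ABCDEFGHIJ", "ABCDEFGHIJ1"),  # accepted: near-copy slips through
        change_password(db, "stef", "ABCDEFGHIJ1", "ABCDEFGHIJ"),  # caught: exact reuse from history
        was_used_before(db, "stef", "abcdefghij"),                 # False: history is exact-match only
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second step is the important one: the history of hashes is useful against exact reuse, but a similarity rule (three shared letters, half the characters reused, and so on) needs both plaintexts and therefore belongs in change_password, not in a query against the stored digests.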
Not entirely, Geert, there is a big difference in the ordinal values of upper and lowercase letters.
Your statement is based on the ordinal value of upper and lowercase letters being the same.
Apply a clever algorithm and this approach is quite easy and failsafe.
this would be a discussion about reinventing the wheel ... password policies
ASKER
You might want to check the ORD-values of:
Stef1234 and Karel5678
Although completely different the ORD-values of these two strings are very close to each other. So I have to agree with Geert, the approach is a bit simple.
ugh ... cough ... cough
DelphiWizard ... i don't want to say i told you so ... but i did tell you so ... :)
Ok, enough,
it looks like you want some very simple means of password policy enforcement without too much gibberish
1: would you be satisfied if the password is stored (slightly encrypted) in the registry
2: a check to see if the new password is different (you gave some arguments in your initial Q header)
Geert>
I'm not sure you understand the OP 100%... for example why on earth would you be storing the password in the registry? From what I understand this is a database application, and for whatever reason, the application sometimes needs you to 'reset' your password (this is very common on the web for example) but they don't want you to make your password similar to the existing one - because that's what lazy users do.
All the OP seems to need is a function like this:
function IsPasswordSimilar(CurrentPassword, NewPassword: string): Boolean;
within the function you do a check like :
are there 3 of the same consecutive characters in the new and old password, for example:
Mercedes123 and Hammer456 [mer = mer]
here is a class which you can use for password policies
you'll need to read around TForm1 code ... :)
unit Unit3;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, ExtCtrls, StdCtrls, ComCtrls;

type
  // Base policy: rejects a new password equal to the old one (case-insensitive)
  TPasswordPolicy = class(TObject)
  public
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean; virtual;
  end;
  TPasswordPolicyType = class of TPasswordPolicy;

  // Ordered chain of policies; the first one that fails stops the check
  TPasswordPolicies = class(TList)
  public
    constructor Create; virtual;
    destructor Destroy; override;
    procedure AddPolicy(Policy: TPasswordPolicyType);
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
  end;

  // Rejects a new password containing 3 consecutive characters of the old one
  TPasswordPolicy3Letters = class(TPasswordPolicy)
  public
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean; override;
  end;

  TForm1 = class(TForm)
    Edit1: TEdit;
    Edit2: TEdit;
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    fPasswordPolicy: TPasswordPolicies;
  public
    constructor Create(AOwner: TComponent); override;
    destructor Destroy; override;
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{ TPasswordPolicy }

function TPasswordPolicy.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
begin
  ErrorMsg := '';
  Result := not SameText(OldPassword, NewPassword);
  if not Result then
    ErrorMsg := 'New password should not be the same. Password is not case sensitive.';
end;

{ TPasswordPolicies }

constructor TPasswordPolicies.Create;
begin
  inherited Create;
  // Add default policy
  AddPolicy(TPasswordPolicy);
end;

destructor TPasswordPolicies.Destroy;
var I: integer;
begin
  // The list owns the policy objects it created, so free them here
  for I := 0 to Count - 1 do
    TPasswordPolicy(Items[I]).Free;
  inherited Destroy;
end;

procedure TPasswordPolicies.AddPolicy(Policy: TPasswordPolicyType);
var PolicyItem: TPasswordPolicy;
begin
  PolicyItem := Policy.Create;
  inherited Add(PolicyItem);
end;

function TPasswordPolicies.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
var I: integer;
begin
  ErrorMsg := '';
  Result := True;
  for I := 0 to Count - 1 do
    if not TPasswordPolicy(Items[I]).Check(OldPassword, NewPassword, ErrorMsg) then
    begin
      Result := False;
      Break;
    end;
end;

{ TPasswordPolicy3Letters }

function TPasswordPolicy3Letters.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
var I: integer;
begin
  Result := True;
  ErrorMsg := '';
  // The last 3-character window of the old password starts at Length - 2
  for I := 1 to Length(OldPassword) - 2 do
    if Pos(Copy(OldPassword, I, 3), NewPassword) > 0 then
    begin
      Result := False;
      ErrorMsg := '3 letters are the same and in the same order as in the old password.';
      Break;
    end;
end;

{ TForm1 }

constructor TForm1.Create(AOwner: TComponent);
begin
  inherited Create(AOwner);
  fPasswordPolicy := TPasswordPolicies.Create;
  fPasswordPolicy.AddPolicy(TPasswordPolicy3Letters);
end;

destructor TForm1.Destroy;
begin
  fPasswordPolicy.Free;
  inherited Destroy;
end;

procedure TForm1.Button1Click(Sender: TObject);
var EMsg: string;
begin
  EMsg := '';
  if not fPasswordPolicy.Check(Edit1.Text, Edit2.Text, EMsg) then
    ShowMessage(EMsg);
end;

end.
ASKER
Have a look at the following. Built this after my discovery of the ORD-simplicity :-)
function PasswordsDifferEnough(const OldPassword, NewPassword: String): Boolean;
var i, NumberOfSameChar: Integer;
begin
  Result := True;
  NumberOfSameChar := 0;
  // Check whether any 3 consecutive characters of the new password occur in the old one.
  // The last 3-character window starts at Length - 2.
  for i := 1 to Length(NewPassword) - 2 do
  begin
    if (AnsiPos(Copy(NewPassword, i, 3), OldPassword) > 0) then
    begin
      Result := False;
      Exit;
    end;
  end;
  // Count the characters of the new password that also occur in the old one.
  // Every position has to be examined, not only the first Length - 3.
  for i := 1 to Length(NewPassword) do
  begin
    if (AnsiPos(Copy(NewPassword, i, 1), OldPassword) > 0) then
      NumberOfSameChar := NumberOfSameChar + 1;
    if (NumberOfSameChar > (Length(NewPassword) div 3)) then
    begin
      Result := False;
      Exit;
    end;
  end;
end;
ASKER
Yes Geert, we are on the same track...
you could add the 50Prcnt class too :
type
  // Declaration that belongs with the other policy classes in the unit's type section
  TPasswordPolicy50Prcnt = class(TPasswordPolicy)
  public
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean; override;
  end;

{ TPasswordPolicy50Prcnt }

function TPasswordPolicy50Prcnt.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
var
  I, n: integer;
begin
  Result := True;
  ErrorMsg := '';
  n := 0;
  // Count characters of the new password that occur anywhere in the old one (case-insensitive)
  for I := 1 to Length(NewPassword) do
    if Pos(UpperCase(Copy(NewPassword, I, 1)), UpperCase(OldPassword)) > 0 then
      Inc(n);
  if n >= (Length(NewPassword) div 2) then
  begin
    Result := False;
    ErrorMsg := '50% of the characters were reused in the new password';
  end;
end;

constructor TForm1.Create(AOwner: TComponent);
begin
  inherited Create(AOwner);
  fPasswordPolicy := TPasswordPolicies.Create;
  fPasswordPolicy.AddPolicy(TPasswordPolicy3Letters);
  fPasswordPolicy.AddPolicy(TPasswordPolicy50Prcnt);
end;
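The three rules that emerged in this thread (the case-insensitive base rule, the 3-letter rule and the 50% rule, chained like TPasswordPolicies) and the ordinal-sum idea from earlier can be compared side by side. The following is an added example, not the thread's Delphi code; it is written in Python because the checks are language-neutral. The function names, the ORD_WINDOW value and the sample passwords (including the Stef1234 / Karel5678 and Mercedes123 / Hammer456 pairs already quoted above) are constructed for the example. It goes slightly beyond the Delphi in that every rule compares case-insensitively, so the ABCDEFGHIJ / abcdefghij objection is covered by all three.

```python
def same_ignoring_case(old: str, new: str):
    """Base policy: reject the old password with only its casing changed."""
    if old.casefold() == new.casefold():
        return "new password should not be the same (case is ignored)"
    return None


def shares_three_letters(old: str, new: str, n: int = 3):
    """Reject if any n consecutive characters of the new password occur in the old one.
    Compared case-insensitively, so 'ABCDEFGHIJ' -> 'abcdefghij' is caught."""
    o, w = old.casefold(), new.casefold()
    for i in range(len(w) - n + 1):          # the last window starts at len(w) - n
        if w[i:i + n] in o:
            return f"'{new[i:i + n]}' appears in the old password"
    return None


def reuses_half(old: str, new: str):
    """Reject if at least half of the new password's characters occur in the old one."""
    o = old.casefold()
    reused = sum(1 for c in new.casefold() if c in o)
    if new and 2 * reused >= len(new):
        return f"{reused} of {len(new)} characters were reused from the old password"
    return None


# Ordered chain, like TPasswordPolicies: the first rule that fails decides.
POLICIES = [same_ignoring_case, shares_three_letters, reuses_half]


def check_password_change(old: str, new: str):
    """Return the first rule's message, or None if the new password is accepted."""
    for policy in POLICIES:
        msg = policy(old, new)
        if msg:
            return msg
    return None


def ord_sum(s: str) -> int:
    """Sum of the character ordinals, the basis of the 'window of acceptability' idea."""
    return sum(ord(c) for c in s)


ORD_WINDOW = 200   # assumed window; any fixed value shows the same two failure modes


def ord_window_check(old: str, new: str):
    """The ordinal-sum idea: reject when the sums lie within ORD_WINDOW of each other."""
    diff = abs(ord_sum(old) - ord_sum(new))
    if diff <= ORD_WINDOW:
        return f"ordinal sums differ by only {diff}"
    return None


def demo():
    """Constructed pairs; returns each outcome so they can be inspected or asserted."""
    return {
        # base rule: same letters, different case
        "case_swap": check_password_change("ABCDEFGHIJ", "AbCdEfGhIj"),
        # 3-letter rule: 'mer' is shared (rfwoolf's example)
        "mercedes": check_password_change("Mercedes123", "Hammer456"),
        # 50% rule: no shared trigram, but every character is reused
        "shuffled": check_password_change("Stef1234", "S1t2e3f4"),
        # unrelated passwords pass the whole chain...
        "unrelated": check_password_change("Stef1234", "Karel5678"),
        # ...yet their ordinal sums (604 vs 713) fall inside the window: false positive
        "ord_unrelated": ord_window_check("Stef1234", "Karel5678"),
        # while an all-caps copy of the same password (900 vs 676) is let through: false negative
        "ord_caps": ord_window_check("Password1", "PASSWORD1"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last two entries are the thread's objection to the ordinal-sum approach in one place: summing ordinals loses both the order of the characters and (because upper and lower case differ by 32 per letter) the identity of a password whose case was merely flipped, so it rejects unrelated passwords and accepts near-identical ones. The rule chain has the opposite property: it inspects which characters are shared and where, which is what "almost the same as the previous one" means.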
ah, i see you have found all you need
I know this isn't an answer, but it REALLY REALLY pisses me off.
On one site I ran out of passwords to use, I had to come up with some new ones and now I really can't keep track of my passwords.