Solved

Validate new password against old password

Posted on 2010-08-17
Last Modified: 2012-05-10
Hi,

I'm looking for some function that would check if a newly entered password matches the old password in some ways.

Some ideas:
- whenever a string of three positions of the new password can be found in the old password
- whenever 50% of all characters of the old password are reused in the new password
maybe you can think of some too
Question by:Delphiwizard
20 Comments
 
LVL 13

Expert Comment

by:rfwoolf
ID: 33453006
I just want to say that I hate all websites that make me do that.
I know this isn't an answer, but it REALLY REALLY pisses me off.
On one site I ran out of passwords to use, I had to come up with some new ones and now I really can't keep track of my passwords.
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33453200
look for password policy

where do you plan to use this ?
In delphi ?

Then you would need a centralised location to store the used passwords
And a gui for an admin to reset the password, delete users, delete the history etc

Looks like you need a password database.
For instance in oracle you can set a profile on a user
With all the restrictions you want :
http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_6010.htm#i2084338

There is a whole list of options of what you can do with the oracle database here
http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/toc.htm

Maybe you can extract some ideas from that

0
 

Author Comment

by:Delphiwizard
ID: 33453527
Basically I just want to verify that the new password isn't almost the same as the previous one.
I have no intention to store all passwords that were used (ever). For that I fully agree with rfwoolf.
0
LVL 2

Expert Comment

by:markusventer
ID: 33453654
Sum the ordinal values of the entered text and decide on your own window of acceptability.
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33453683
where will you store the current password ?
in the cookie ?
0
 

Author Comment

by:Delphiwizard
ID: 33456902
Geert Gruwez:
The password will be encrypted and stored in a database.
markusventer:
Sounds good. What would that look like?
0
 
LVL 2

Accepted Solution

by:
markusventer earned 500 total points
ID: 33461128
In its simplest form:

var
  i : word;
  SumOrd : integer;
begin
  // Add up the ordinal (character code) value of every character typed into Edit1
  SumOrd := 0;
  for i := 1 to length(edit1.Text) do
    SumOrd := SumOrd + ord(edit1.text[i]);

  showmessage(inttostr(SumOrd));
end;

Looking at the ordinal values you can create your own window of acceptability, i.e. a difference of 300 or greater is acceptable.

With this you can create your own algorithm to create your base number and all you do is compare numbers.
0
 

Author Closing Comment

by:Delphiwizard
ID: 33461204
I believe this is perfect for my requirements.
Thank you all for your info.
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33461847
stored in a database ?
then the database will encrypt it for you ... so you don't need to do this yourself

well, this is valid with the accepted answer :

old password: ABCDEFGHIJ
new pass: abcdefghij
next new pass: AbCdEfGhIj

looks like a very shallow constraint

you could just as well use soundexint

If Abs(SoundExInt(OldPassword, 10) - SoundExInt(NewPassword, 10)) > 2 then
  ... password accepted
 
0
 
LVL 2

Expert Comment

by:markusventer
ID: 33463994
Not Entirely Geert, there is a big difference in the ordinal values of upper and lowercase letters.

Your statement is based on the ordinal value  of upper and lowercase letters being the same.

Apply a clever algorithm and this approach is quite easy and failsafe.
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33464494
this would be a discussion about reinventing the wheel ... password policies
0
 

Author Comment

by:Delphiwizard
ID: 33464629
You might want to check the ORD-values of:
Stef1234 and Karel5678
Although completely different the ORD-values of these two strings are very close to each other. So I have to agree with Geert, the approach is a bit simple.
0
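Added example (not code from the thread or its participants): a Delphi console program that puts the ordinal-sum measure from the accepted answer next to a case-insensitive edit-distance check, run over the password pairs quoted above plus one constructed pair. `EditDistance`, `TooSimilar` and the 4-edit minimum are hypothetical names and values chosen for illustration; it assumes the user re-enters the current password on the change form, so both strings are in memory only for the comparison.

```delphi
program PasswordSimilarityDemo;
{$APPTYPE CONSOLE}
uses SysUtils, Math;

// Ordinal sum, the measure from the accepted answer.
function OrdSum(const S: string): Integer;
var I: Integer;
begin
  Result := 0;
  for I := 1 to Length(S) do
    Inc(Result, Ord(S[I]));
end;

// Levenshtein distance: fewest single-character edits that turn A into B.
function EditDistance(const A, B: string): Integer;
var Prev, Cur, Tmp: array of Integer; I, J: Integer;
begin
  SetLength(Prev, Length(B) + 1);
  SetLength(Cur, Length(B) + 1);
  for J := 0 to Length(B) do Prev[J] := J;
  for I := 1 to Length(A) do
  begin
    Cur[0] := I;
    for J := 1 to Length(B) do
      Cur[J] := Min(Min(Prev[J], Cur[J - 1]) + 1,
                    Prev[J - 1] + Ord(A[I] <> B[J]));
    Tmp := Prev; Prev := Cur; Cur := Tmp; // newest row is now in Prev
  end;
  Result := Prev[Length(B)];
end;

// Hypothetical policy: reject when fewer than MinEdits edits separate them.
function TooSimilar(const OldPw, NewPw: string; MinEdits: Integer): Boolean;
begin
  // Compare case-insensitively so a case flip counts as no change.
  Result := EditDistance(UpperCase(OldPw), UpperCase(NewPw)) < MinEdits;
end;

procedure Show(const OldPw, NewPw: string);
begin
  WriteLn(Format('%-11s %-11s ordsum diff=%3d  too similar=%s', [OldPw, NewPw,
    Abs(OrdSum(OldPw) - OrdSum(NewPw)), BoolToStr(TooSimilar(OldPw, NewPw, 4), True)]));
end;

begin
  Show('ABCDEFGHIJ', 'abcdefghij'); // pair from the thread: case change only
  Show('Stef1234', 'Karel5678');    // pair from the thread: unrelated
  Show('Summer2010', 'Summer2011'); // constructed pair: one digit bumped
end.
```

With the 300 threshold suggested in the accepted answer, the case-only change (difference 320) is accepted and the unrelated pair (difference 109) is rejected; the edit-distance check gives the opposite verdict on both.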
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33464642
ugh ... cough ... cough
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33464692
DelphiWizard ... i don't want to say i told you so ... but i did tell you so ... :)

Ok, enough,
it looks like you want some very simple means of password policy enforcement without too much gibberish

1: would you be satisfied if the password is stored (slightly encrypted) in the registry
2: a check to see if the new password is different (you gave some arguments in your initial Q header)

0
 
LVL 13

Expert Comment

by:rfwoolf
ID: 33464773
Geert>
I'm not sure you understand the OP 100%... for example why on earth would you be storing the password in the registry? From what I understand this is a database application, and for whatever reason, the application sometimes needs you to 'reset' your password (this is very common on the web for example) but they don't want you to make your password similar to the existing one - because that's what lazy users do.
All the OP seems to need is a function like this:
function IsPasswordSimilar(const CurrentPassword, NewPassword: string): boolean;

within the function you do a check like:
"are there 3 of the same consecutive characters in the new and old password", for example:
Mercedes123 and Hammer456 [mer = mer]
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33464984
here is a class which you can use for password policies

you'll need to read around TForm1 code ... :)
unit Unit3;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, ExtCtrls, StdCtrls, ComCtrls;

type
  TPasswordPolicy = class(TObject)
  public
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean; virtual;
  end;

  TPasswordPolicyType = class of TPasswordPolicy;

  TPasswordPolicies = class(TList)
  public
    constructor Create; virtual;
    procedure AddPolicy(Policy: TPasswordPolicyType);
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
  end;

  TPasswordPolicy3Letters = class(TPasswordPolicy)
  public
    function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean; override;
  end;

  TForm1 = class(TForm)
    Edit1: TEdit;
    Edit2: TEdit;
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    fPasswordPolicy: TPasswordPolicies;
  public
    constructor Create(AOwner: TComponent); override;
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{ TPasswordPolicy }

function TPasswordPolicy.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
begin
  ErrorMsg := '';
  Result := not SameText(OldPassword, NewPassword);
  if not Result then
    ErrorMsg := 'New password should not be the same.  Password is not case sensitive.';
end;

{ TPasswordPolicies }

constructor TPasswordPolicies.Create;
begin
  inherited Create;
  // Add default policy
  AddPolicy(TPasswordPolicy);
end;

procedure TPasswordPolicies.AddPolicy(Policy: TPasswordPolicyType);
var PolicyItem: TPasswordPolicy;
begin
  PolicyItem := Policy.Create;
  inherited Add(PolicyItem);
end;

function TPasswordPolicies.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
var I: integer;
begin
  ErrorMsg := '';
  Result := True;
  for I := 0 to Count - 1 do
    if not TPasswordPolicy(Items[I]).Check(OldPassword, NewPassword, ErrorMsg) then
    begin
      Result := False;
      Break;
    end;
end;

{ TPasswordPolicy3Letters }

function TPasswordPolicy3Letters.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
var I: integer;
begin
  Result := True;
  // Slide a 3-character window over the old password; the last window
  // starts at Length(OldPassword) - 2.
  for I := 1 to Length(OldPassword) - 2 do
    if Pos(Copy(OldPassword, I, 3), NewPassword) > 0 then
    begin
      Result := False;
      ErrorMsg := '3 letters are the same and in the same order as in the old password.';
      Break;
    end;
end;

constructor TForm1.Create(AOwner: TComponent);
begin
  inherited Create(AOwner);
  fPasswordPolicy := TPasswordPolicies.Create;
  fPasswordPolicy.AddPolicy(TPasswordPolicy3Letters);
end;

procedure TForm1.Button1Click(Sender: TObject);
var Emsg: string;
begin
  EMsg := '';
  if not fPasswordPolicy.Check(Edit1.Text, Edit2.Text, Emsg) then
    ShowMessage(EMsg);
end;


end.


0
 

Author Comment

by:Delphiwizard
ID: 33465010
Have a look at the following. Built this after my discovery of the ORD-simplicity :-)
// Requires SysUtils (AnsiPos).
function PasswordsDifferEnough(Const OldPassword, NewPassword : String) : Boolean;
var i, NumberOfSameChar : Integer;
begin
  Result := True;
  NumberOfSameChar := 0;
  // Check 3 positions are the same (the last 3-character window starts at Length - 2).
  for i := 1 to Length(NewPassword) - 2 do
  begin
    if (AnsiPos(Copy(NewPassword, i, 3), OldPassword) > 0) then
    begin
      Result := False;
      Exit;
    end;
  end;
  // Check number of same characters (every character of the new password is counted).
  for i := 1 to Length(NewPassword) do
  begin
    if (AnsiPos(Copy(NewPassword, i, 1), OldPassword) > 0) then
      NumberOfSameChar := NumberOfSameChar + 1;
    if (NumberOfSameChar > (Length(NewPassword) div 3)) then
    begin
      Result := False;
      Exit;
    end;
  end;
end;


0
 

Author Comment

by:Delphiwizard
ID: 33465036
Yes Geert, we are on the same track...
0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33465256
you could add the 50Prcnt class too :


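{ TPasswordPolicy50Prcnt }
// Declare in the unit's type section, alongside TPasswordPolicy3Letters:
//   TPasswordPolicy50Prcnt = class(TPasswordPolicy)
//   public
//     function Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean; override;
//   end;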

function TPasswordPolicy50Prcnt.Check(OldPassword, NewPassword: string; var ErrorMsg: string): boolean;
var
  I, n: integer;
begin
  Result := True;
  ErrorMsg := '';
  n := 0;
  for I := 1 to length(NewPassword) do
    if Pos(Uppercase(Copy(NewPassword, I, 1)), UpperCase(OldPassword)) > 0 then
      Inc(n);
  if n >= (length(NewPassword) div 2) then
  begin
    Result := False;
    ErrorMsg := '50% of the characters were reused in the new password';
  end;
end;


constructor TForm1.Create(AOwner: TComponent);
begin
  inherited Create(AOwner);
  fPasswordPolicy := TPasswordPolicies.Create;
  fPasswordPolicy.AddPolicy(TPasswordPolicy3Letters);
  fPasswordPolicy.AddPolicy(TPasswordPolicy50Prcnt);
end;


0
 
LVL 38

Expert Comment

by:Geert Gruwez
ID: 33465306
ah, i see you have found all you need
0
