login passwords

mrw02536
Regular
Posts: 31
Joined: Sat Nov 02, 2013 9:25 pm

login passwords

Post by mrw02536 »

Are there any restrictions or requirements on user passwords (for example, numbers, special characters, etc.) or length?
I seem to have trouble using passwords like 'password2'.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: login passwords

Post by garvinhicking »

Hi!

If you are not using RVS Sitebuilder, then there are no password requirements specifically. Only when you first-time install s9y, you should try to not use special characters like German umlauts, because the database charsets during install might be different from the final ones.

Once s9y is up and running and you change passwords or create new ones, you can use any characters you like.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
mrw02536
Regular
Posts: 31
Joined: Sat Nov 02, 2013 9:25 pm

Re: login passwords

Post by mrw02536 »

Garvin, I'm going through your code for integrating things into my website. Can you point me to the function used for changing passwords?
In searching for 'serendipity_db_query("UPDATE {$serendipity['dbPrefix']}authors' all I found was the function serendipity_authenticate_author which doesn't seem to be involved in changing passwords.
regards,
Rich
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: login passwords

Post by garvinhicking »

Hi!

Sure, search for serendipity_hash( and serendipity_passwordhash( -- those are the relevant places!

serendipity_authenticate_author only reads the password, it doesn't write anything. But all places/files/functions that write the password use the two functions mentioned above. So you should find each place. Most important will be include/admin/personal.inc.php.

HTH,
Garvin
mrw02536
Regular
Posts: 31
Joined: Sat Nov 02, 2013 9:25 pm

Re: login passwords

Post by mrw02536 »

Garvin, I'm looking for the function that updates the database table with a changed password, it should look like:

'serendipity_db_query("UPDATE {$serendipity['dbPrefix']}authors'

This should be called when a user is logged in to his personal settings and sets a new password.

regards,

Rich
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: login passwords

Post by garvinhicking »

Hi!

Sure, this is in include/admin/personal.inc.php, in lines 70 - 76:

    // $item is the current personal-settings field; its posted value is written
    // either as a per-user variable or as a configuration variable.
    if (serendipity_checkConfigItemFlags($item, 'local')) {
        serendipity_set_user_var($item['var'], $_POST[$item['var']], $serendipity['authorid'], true);
    }

    if (serendipity_checkConfigItemFlags($item, 'configuration')) {
        serendipity_set_config_var($item['var'], $_POST[$item['var']], $serendipity['authorid']);
    }

The password is simply an attribute and this is done through serendipity_set_user_var().

HTH,
Garvin
mrw02536
Regular
Posts: 31
Joined: Sat Nov 02, 2013 9:25 pm

Re: login passwords

Post by mrw02536 »

Garvin, just what I was looking for, actually it led me to where the function is called which is what I needed: 'personal.inc.php'.

I've integrated Serendipity into my website so that the one login process gets the user logged in to both my site and Serendipity. To facilitate this, I've combined my 'user' database table with the 'serendipity_authors' table to share fields.

I wanted to be sure that 'strong' passwords were used so I've added some validation into the choice of passwords. This just takes two lines of code in the 'personal.inc.php' file for each validation condition (password minimum length, at least 1 number, etc).

I've done the same for adding new users in the file 'users.inc.php' where I also had to add some code to prevent the use of duplicate email addresses as well as some constraints on username.

I also noted in this file that deleting users did not remove the entry from the 'serendipity_authorgroups' table (perhaps a bug!) but that was easy to fix with a simple sql statement.

Slowly but surely I will get a smooth integration of Serendipity which I find to be an outstanding piece of work.


Thanks very much.

Rich
mrw02536
Regular
Posts: 31
Joined: Sat Nov 02, 2013 9:25 pm

Re: login passwords

Post by mrw02536 »

Garvin, to keep you up to date:
I've added some validation conditions when the user makes changes to his Personal Settings by adding code to the 'personal.inc.php' file preventing the user from choosing passwords less than 8 characters and usernames and emails that already exist.

I noticed, however, that the admin can also make changes to the user's Personal Settings but from a different file. In this case without any restrictions (admin, for example, could define no password or duplicate email addresses). For this case I also added validation code to the 'users.inc.php' file to prevent this from happening.

In both cases, error messages are generated.

I suspect you know how to do this but if you're interested in my approach let me know.

Rich
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: login passwords

Post by garvinhicking »

Hi!

I'm not completely sure yet if we want to enforce specific password rules by default in Serendipity; I know that several people use s9y for intranet blogs, where login security is unimportant and users have very simple passwords.

I do think though that we could either add an option to the configuration ("Enforce password security?"). So maybe if you'd like to share your code, we could incorporate your changes so that you don't need to patch s9y's core for your changes to be active. Could you prepare a "diff" for your patches, do you know how to do that? Ideally, against the serendipity 2.0 codebase since we wouldn't implement that into the 1.x codebase, and also it would be great if error messages etc. would be defined as constants inside the lang/serendipity_lang_en.inc.php file...

Best regards,
Garvin
mrw02536
Regular
Posts: 31
Joined: Sat Nov 02, 2013 9:25 pm

Re: login passwords

Post by mrw02536 »

Garvin, I'm not really up on diff files so I'll upload the altered 'users.inc.php' file.
There are actually three processes that are affected by password validation:
1) adding a new user,
2) admin editing an existing user, and
3) the user editing the personal settings.
For my application I've disabled case #3 in the group settings of Serendipity so it's not an issue for me.
The other two are both dealt with in the 'user.inc.php' file.
My approach is as follows (most of this is commented in the file I'm uploading):
Since there are multiple validation tests, rather than display them one at a time I've defined an error array 'serendipity_errors' which is defined as the last statement in the 'serendipity_config.inc.php' file.
To display the error array after the tests I use implode in a function called display_output_errors().
There are other functions needed that are shown in the attachment and should be self explanatory.
The actual validation test I included in the attached file along with comments to explain them. Once you check it you'll see that it is easy to eliminate or add to the tests.
Since I've integrated Serendipity into my website there are some differences in my version of the changes but it's been tested and is working. If you integrate these changes and try to add a new user you should see what ever errors exist shown as a list.
Using this validation for the admin editing a user's personal settings does have some issues which I haven't addressed at this time. One, for example, is when the personal settings edit form comes up the 'your password' and 'Old password' fields are blank. If you try and submit any changes to the form while these are empty an error will occur. To fix this I will read a conditional (if) statement around the password validation tests to ignore them when the two fields are empty. This way you can change the username or email address while leaving those two fields blank. On the other hand, if you enter changes to the password then those changes will be validated. This problem is not too important for me since I go about changing password and username differently from my website directly and don't need the Serendipity form.
I hope I haven't forgotten anything and this all comes over clear but if there are any comments or questions I'll try to address them.

BTW, in your code there are a number of validation checks and error messages on 'userlevel' and others which are printed out as they are encountered in the execution. It's very easy to change that and write the error messages to the serendipity_error file for printing out when all tests are completed.
Rich
Attachments

[The extension php has been deactivated and can no longer be displayed.]

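As an added illustration of the approach Rich describes (this is not the code from his attachment, nor Serendipity's own code), a PHP sketch that collects every validation failure into one array and renders them with implode, skips the password rules when both password fields are left blank on an edit form, and gates the rules behind the "Enforce password security?" option Garvin floated. The function names, form field names, message texts and the mbstring extension being loaded are assumptions.

```php
<?php
// Added example, not Serendipity's own code: validate an account form the way the
// post above describes (collect every failure into an error array, then show them
// all at once), with an "enforce password rules" switch as suggested in the thread.
// Function and message names are assumptions, not s9y API.
const S9Y_MIN_PASSWORD_LENGTH = 8;
// $post: fields username/email/password/password_check; $existing: rows with
// authorid/username/email; $authorid: record being edited (null = new user).
function s9y_validate_account(array $post, array $existing, ?int $authorid, bool $enforce = true): array
{
    $errors   = [];
    $username = trim($post['username'] ?? '');
    $email    = trim($post['email'] ?? '');
    $password = $post['password'] ?? '';
    $check    = $post['password_check'] ?? '';
    foreach ($existing as $row) {               // duplicates, ignoring the record being edited
        if ((int) $row['authorid'] === $authorid) {
            continue;
        }
        if (strcasecmp($row['username'], $username) === 0) {
            $errors[] = 'That username is already in use.';
        }
        if ($email !== '' && strcasecmp($row['email'], $email) === 0) {
            $errors[] = 'That email address is already in use.';
        }
    }
    // Both password fields blank on an edit form mean "keep the current password",
    // so the rules are skipped (the edge case described above); a new user needs one.
    if ($password === '' && $check === '') {
        if ($authorid === null) {
            $errors[] = 'A password is required for a new user.';
        }
    } elseif ($enforce) {
        if (mb_strlen($password) < S9Y_MIN_PASSWORD_LENGTH) {   // count characters, not bytes
            $errors[] = 'The password must be at least ' . S9Y_MIN_PASSWORD_LENGTH . ' characters long.';
        }
        if (!preg_match('/\d/', $password)) {
            $errors[] = 'The password must contain at least one digit.';
        }
        if ($password !== $check) {
            $errors[] = 'The two password fields do not match.';
        }
    }
    return $errors;
}
// Show all collected errors as one list instead of one message per failed test.
function display_output_errors(array $errors): string
{
    return $errors === [] ? '' : '<ul><li>' . implode('</li><li>', array_map('htmlspecialchars', $errors)) . '</li></ul>';
}
```

Calling display_output_errors(s9y_validate_account($_POST, $rows, null)) before any write to the authors table shows the whole list of problems in one go, and an empty return string means the save may proceed.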
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: login passwords

Post by garvinhicking »

Hi!

I'll try to find time to adapt that to s9y 2.0 and more "generic" scenarios. Many thanks for sharing!

Regards,
Garvin
onli
Regular
Posts: 2828
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: login passwords

Post by onli »

Hi
Before we add a ruleset-based approach for this, please take a look at https://github.com/rchouinard/phpass (and the example at the bottom). Password strength is not necessarily easy, and to use a library for that seems like a good idea to me.

PS: Better alternative might be https://github.com/lowe/zxcvbn, being js-based (I guess it should be better JS directly to not have to manage Ajax for the display).