Jump to content

Password Security Logic


andrewgroup

Recommended Posts

could someone explain the requirements of passwords to meet the available options.

Maximum Security (example, at least ? characters, ? Special characters provide list) upper case etc....

Minimum Security

Allow All passwords

 

reviewed almost all DOCs in KIWI and SUPPORT and cannot find any reference on this?

 

This would be nice to know since you can import all accounts and being sure the passwords meet the requirements is crucial.

Link to comment
Share on other sites

could someone explain the requirements of passwords to meet the available options.

 

The logic is enforced on the web site with a javascript. We are talking about this code:

 

 

// Checks a string for a list of characters
function get_score(pw, check) {
var result = 0;
for (i = 0; i < pw.length; i++) {
	if (check.indexOf(pw.charAt(i)) >= 0) result += check.length;
}
return result;
}

function secure_password(pw) {
 var method = (filled in during loading);
 var score = 0;
 score += get_score(pw, "0123456789");
 score += get_score(pw, "ABCDEFGHIJKLMNOPQRSTUVWXYZ");
 score += get_score(pw, "abcdefghijklmnopqrstuvwxyz");
 score += get_score(pw, ";:-_=+\|//?^&!.@#*()%~<$>{}[]");

 if(method == "medium") {
if(score < 120) return false;
return true; 
 }

 if(method == "high") {
if(score < 200) return false;
return true; 
 }

 // If the method is unknown return true (no check)
 return true;
}

function secure_pin(pw) {
 var method = (filled in during loading);
 var score = 0;
 var l = parseInt(pw[0]);
 for (var i = 1; i < pw.length; i++) {
  var c = parseInt(pw[i]);
  var d = c - l;
  if (d > 1 || d < -1) score += 2;
  else if (d != 0) score += 1;
  l = c;
 }

 if (method == "medium") {
  if (pw.length < 4) return false;
  if (score < 4) return false;
  return true; 
 }

 if (method == "high") {
  if (pw.length < 6) return false;
  if (score < 6) return false;
  return true;
 }

 // If the method is unknown return true (no check)
 return true;
}

 

As you can see, the user input gets a score, and then depending on the password strength setting, it gets rejected or not.

 

If the user turns javascript off, the PBX will accept all passwords. So the goal is to pretect the user from himself.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...