[freeside-commits] branch master updated. 2b2e19ae4838d1d788b244ceff85957c52b0655f

Jonathan Prykop jonathan at 420.am
Tue Apr 26 21:41:33 PDT 2016


The branch, master has been updated
       via  2b2e19ae4838d1d788b244ceff85957c52b0655f (commit)
      from  7358c407cc5fd795e145d9fc0de1d784c1690e55 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2b2e19ae4838d1d788b244ceff85957c52b0655f
Author: Jonathan Prykop <jonathan at freeside.biz>
Date:   Tue Apr 26 23:38:49 2016 -0500

    RT#41641 Disable strict password requirements [loosen dictionary rule]

diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm
index 23e1887..3dd9ce4 100644
--- a/FS/FS/Password_Mixin.pm
+++ b/FS/FS/Password_Mixin.pm
@@ -45,7 +45,7 @@ sub is_password_allowed {
 
   # basic checks using Data::Password;
   # options for Data::Password
-  $DICTIONARY = 4;   # minimum length of disallowed words
+  $DICTIONARY = 0;   # minimum length of disallowed words, false value disables dictionary checking
   $MINLEN = $conf->config('passwordmin') || 6;
   $MAXLEN = $conf->config('passwordmax') || 12;
   $GROUPS = 4;       # must have all 4 'character groups': numbers, symbols, uppercase, lowercase
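
Review bot: Setting `$DICTIONARY = 0` on the changed line means the first `IsBadPassword` call does no word check at all, so a password that has all four character groups is accepted even when it is built around a dictionary word; the new comment explains what the false value does but not that consequence. If that is the intended policy for RT#41641, state it in the comment here. These option variables are also assigned without `local` in the visible lines, so whatever value they hold at return stays in effect for any later caller in the same process; `local $DICTIONARY = 0;` (and the same for the other options) would confine the settings to this call.
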
@@ -55,9 +55,23 @@ sub is_password_allowed {
   # # lists of disallowed words
   # @DICTIONARIES = qw( /usr/share/dict/web2 /usr/share/dict/words /usr/share/dict/linux.words );
 
+  # first, no dictionary checking but require 4 char groups
   my $error = IsBadPassword($password);
-  $error = 'must contain at least one each of numbers, symbols, and lowercase and uppercase letters'
-    if $error eq 'contains less than 4 character groups'; # avoid confusion
+
+  # but they can get away with 3 char groups, so long as they're not using a word
+  if ($error eq 'contains less than 4 character groups') {
+    $DICTIONARY = 4; # default from Data::Password is 5
+    $GROUPS = 3;
+    $error = IsBadPassword($password);
+    # take note--we never actually report dictionary word errors;
+    # 4 char groups is the rule, 3 char groups and no dictionary words is an acceptable exception
+    $error = 'should contain at least one each of numbers, symbols, lowercase and uppercase letters'
+      if $error;
+  }
+
+  # maybe also at some point add an exception for any passwords of sufficient length,
+  # see https://xkcd.com/936/
+
   $error = 'Invalid password - ' . $error if $error;
   return $error if $error;
 
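
Review bot: In the fallback branch, `$error = 'should contain at least one each of ...' if $error;` overwrites whatever the second `IsBadPassword` call returned, so a three-group password rejected for containing a word is reported as a character-group problem and the real reason is lost; the in-code comment says this is deliberate, but logging the original `$error` before replacing it would keep the cause available for support. The branch is also entered by matching the library's exact message text, `'contains less than 4 character groups'`, which is tied to `$GROUPS = 4` and to the library's wording; comparing against a named constant defined next to the `$GROUPS` assignment would make that dependency explicit. Two smaller points: `$error eq ...` is evaluated when the first call found nothing wrong, so guard it with `defined $error &&` if `IsBadPassword` returns undef in that case, and the wording changed from "must" to "should" although the password is still rejected. The length exception suggested in the closing comment would also need the `passwordmax` fallback of 12 in the previous hunk's context to be raised before it could apply.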

-----------------------------------------------------------------------

Summary of changes:
 FS/FS/Password_Mixin.pm |   20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)



