Checking password strength with CrackLib

Monday, July 26th, 2010 | Beginner tips, Version 3 | by Romans

Password complexity is a fine balance between memorable passwords and crackable passwords. But how do you measure that? For instance, "john192" is much easier to crack than "9john2", yet most password strength tests score both with the same algorithm, counting length, digits and symbols. Company policies are written the same way, requiring passwords to carry a certain number of digits or symbols, which says little about how guessable the result actually is.

CrackLib draws a finer line. It is a library with a long Unix history, designed for the single purpose of assessing password strength: it rejects candidates that are too short, too repetitive, or based on a dictionary word, rather than just counting character classes. This article is about how to integrate CrackLib into a password verification field.

You can see a demo at: http://agiletech.ie/pwcheck/

Preparing the back-end

Practically every Linux distribution packages cracklib. Look for /usr/sbin/cracklib-check; that is the executable that performs the check. It reads candidate passwords from stdin, one per line, and for each one writes a line to stdout consisting of the password itself, a colon and either "OK" or the reason it was rejected. Reading from stdin is the right interface for this job: the password never appears on a command line, so it is not visible in the process list. We are going to use the System/ProcessIO class from ATK to interact with it:

[php]
// $pas holds the candidate password; it is written to cracklib-check's stdin
$cl=$this->add('System_ProcessIO')
    ->exec('/usr/sbin/cracklib-check')
    ->write_all($pas);
[/php]

Next, we will need to create a form with a password field:

[php]
$f=$this->add('Form',null,'Form');
$f->js(true)->_load('ui.atk4.form')->atk4_form();
$p=$f->addField('password','password','Password')
    ->setProperty('size',60)
    ->setProperty('autocomplete','off');
[/php]

Now, the easiest approach is to submit the form every time the user types something; you could also use "ajaxec" instead. (If you want me to explain how to use that, please let me know in the comments section.)

[php]
$p->js(true)->univ()->autoChange(100);   // fire onchange 100 ms after typing stops
$p->js('change',$f->js()->submit());      // onchange: submit the form
// placeholder after the field where the verdict will be written
$p->template->set('after_field','<br/><span id="'.$p->name.'_strength">&nbsp;</span>');
$p->js(true)->focus();
[/php]

This makes the field submit the form every time you type something: autoChange calls the onchange handler 0.1 seconds after the user stops typing. Then you need a place to output the result, so we use the "after_field" tag in the field's template to insert a placeholder. Keep in mind that this sends the password to the server on every pause in typing, so the page must be served over HTTPS. Finally, when the form is submitted, you execute the cracklib code from above together with a JavaScript action:

[php]
if($f->isSubmitted()){
    $pas=$f->get('password');

    // feed the candidate to cracklib-check on stdin
    $cl=$this->add('System_ProcessIO')
        ->exec('/usr/sbin/cracklib-check')
        ->write_all($pas);
    // output is "<password>: OK" or "<password>: <reason>"
    $out=trim($cl->read_all());
    // strip the echoed password and the ": " separator, leaving only the verdict
    $out=str_replace($pas,'',$out);
    $out=preg_replace('/^:\s*/','',$out);
    // write the verdict into the placeholder, red unless it is OK
    $p->js()->_selector('#'.$p->name.'_strength')
        ->text($out)
        ->css(array('color'=>$out=="OK"?'black':'red'))
        ->execute();
}
[/php]

We even take care of the message color. My designer would probably be happier if I changed a CSS class here instead; then he could prepend the message with an image. There you have it. I also changed the page template to contain a light-weight CMS before and after the form: http://www.agiletech.ie/pwcheck/
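As an added example, not code from the original post or from the ATK project, here is a stand-alone PHP wrapper for cracklib-check that does the same job as the form handler without the framework. It assumes the binary lives at /usr/sbin/cracklib-check (the path the post uses) and prints one "<password>: <verdict>" line per candidate; the function names cracklib_check() and parse_cracklib_line() are made up for this example. It differs from the post's handler in two places a practitioner would want: it refuses candidates that contain a line break (cracklib-check would split them into two checks), and it strips the echoed password once as a prefix rather than with str_replace(), which would otherwise delete the verdict for a candidate such as "OK".

```php
<?php
// Added example: not code from the original post or from the ATK project.
// Assumptions: cracklib-check is at /usr/sbin/cracklib-check and prints
// "<password>: OK" or "<password>: <reason>" for each line read on stdin.

/**
 * Check one candidate password with cracklib-check.
 * Returns array('ok' => bool, 'message' => string). Fails closed: anything
 * unexpected (tool missing, odd output) is reported as not OK.
 */
function cracklib_check($password, $binary = '/usr/sbin/cracklib-check')
{
    // cracklib-check reads one candidate per line, so a candidate containing
    // a line break would be split into two checks; a NUL would truncate it.
    if ($password === '' || strpbrk($password, "\r\n\0") !== false) {
        return array('ok' => false, 'message' => 'it is empty or contains a line break');
    }

    $descriptors = array(
        0 => array('pipe', 'r'),   // child's stdin: the candidate goes here
        1 => array('pipe', 'w'),   // child's stdout: the verdict line
        2 => array('pipe', 'w'),   // child's stderr: tool errors
    );
    // The command string contains no user data, and the password travels
    // over stdin rather than argv, so it never shows up in `ps`.
    $proc = proc_open(escapeshellarg($binary), $descriptors, $pipes);
    if (!is_resource($proc)) {
        return array('ok' => false, 'message' => 'cracklib-check could not be started');
    }
    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    if ($stdout === '') {
        return array('ok' => false, 'message' => 'no verdict from cracklib-check: ' . trim($stderr));
    }
    return parse_cracklib_line($password, $stdout);
}

/**
 * cracklib-check echoes the candidate, then ": ", then "OK" or the reason
 * (for example "it is too short"). Strip exactly that prefix once instead of
 * removing every occurrence of the password: for a candidate such as "OK",
 * str_replace() would delete the verdict itself and report it as weak.
 */
function parse_cracklib_line($password, $line)
{
    $line = rtrim($line, "\r\n");
    $prefix = $password . ': ';
    if (strncmp($line, $prefix, strlen($prefix)) !== 0) {
        return array('ok' => false, 'message' => 'unexpected cracklib-check output');
    }
    $verdict = substr($line, strlen($prefix));
    return array('ok' => ($verdict === 'OK'), 'message' => $verdict);
}

// Usage. The verdict is user-facing text produced by a subprocess, so it is
// escaped before it is put into HTML (the post's jQuery .text() call does the
// equivalent on the client side).
foreach (array('john192', 'OK', 'correct horse battery staple') as $candidate) {
    $result = cracklib_check($candidate);
    printf("%s: %s\n", $result['ok'] ? 'OK' : 'weak', htmlspecialchars($result['message']));
}
```

The verdict is taken from stdout only; the exit status is not used to decide strength, because cracklib-check reports its decision in the output line rather than through the exit code. If you drop this into the ATK handler, the "ok" flag replaces the `$out=="OK"` comparison and "message" replaces the stripped output.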

4 Comments

Jancha
Posted July 26, 2010 12:34 pm

A more general comment. I believe we should make form creation simpler. Integration of jQuery and AJAX should be more seamless. It is all fine with addField and setProperty, but when it gets to the JS part, it should be made more obvious and less complicated.

romaninsh
Posted July 26, 2010 1:55 pm

The current JS implementation is very consistent and universal. It can be applied to a form, field or anything else. Jancha, do you have any syntax in mind? Please suggest something.

I think it's up to an enhanced Form controller and its collaboration with models to auto-add all those JS things for passwords. For instance you would do something like
[php]
$m=$model
    ->addField('password_new','password')
    ->addField('password_confirm');
$m->import($m);
[/php]

and it automatically creates a password meter.

Also, I thought about wrapping up all of the above into a view called "PasswordStrength", so developers would be able to do:
[php]
$form->addField('password')->add('PasswordStrength');
[/php]

but I wanted to show how to make something using existing codebase first and, perhaps, get more feedback.

Svetlozar Kondakov
Posted July 26, 2010 4:35 pm

Indeed, I also think the JS-enabling stuff is complicated... maybe we can have a method
[php]
$f->enableJS()
[/php]
to load the needed widgets.

About the password strength field, I like how it works and like the idea of adding a PasswordStrength to a password field!

romaninsh
Posted July 26, 2010 10:06 pm

Svetlozar, I do not see where enableJS would fit in. There are a bunch of JS widgets managing forms; if you are pointing at:
[php]
$f->js(true)->_load('ui.atk4.form')->atk4_form();
[/php]
then our common practice is to create a per-project class such as AWForm, which automatically includes this code inside init(), and then re-use it.

It also helps us to develop components which work without JavaScript support. For example, open http://agiletech.ie/ with JS disabled and everything works anyway. Perhaps no animation, but fully functional: the team selector, project slides and forms all work.

So by default JS is turned off in our new projects and we turn it on later.