Checking password strength with CrackLib

Password complexity is a fine balance between memorable passwords and crack-able passwords. But how you measure that? For instance “john192″ is much easier to crack than “9john2″. However password strength tests approach both with the same algorithm. Even company policies are being made up requiring passwords to cary certain amount of digits or symbols.

A fine line is drawn by a CrackLib – a library coming a long way from Unix and designed for a single purposes of assessing password strength. This article is about how to integrate CrackLib into password verification field.

You can see demo: http://agiletech.ie/pwcheck/

Preparing the back-end

Probably all Linux-es come with cracklib. Look for a /usr/sbin/cracklib-check, you will need it to perform a check. This executable takes passwords on the stdin and output either OK or error message on the stdout. We are going to use System/ProcessIO class from ATK to interact with it:

 $cl=$this->add('System_ProcessIO')
                ->exec('/usr/sbin/cracklib-check')
                ->write_all($pas)
                ;
            $out=trim($cl->read_all());

Next, we will need to create a form with a password field:

        $f=$this->add('Form',null,'Form');
        $f->js(true)->_load('ui.atk4.form')->atk4_form();
        $p=$f->addField('password','password','Password')
            ->setProperty('size',60)
            ->setProperty('autocomplete','off');

Now, the easiest would be is if we submitted a form every time user types something, however you can also use “ajaxec”. (If you want me to explain how to use that – please let me know in the comments section)

        $p->js(true)->univ()->autoChange(100);
        $p->js('change',$f->js()->submit());
        $p->template->set('after_field','<br/><span id="'.$p->name.'_strength">&nbsp;<span>');
        $p->js(true)->focus()

This will make field submit the form every-time you type something. AutoChange will call onchange handler 0.1 second after user stops typing. Then you need a place where to output and we’re using “after_field” tag in field’s template to insert a placeholder. Finally when your form is being submitted, you execute that code above along with javascript action:

        if($f->isSubmitted()){
            $pas=$f->get('password');

            $cl=$this->add('System_ProcessIO')
                ->exec('/usr/sbin/cracklib-check')
                ->write_all($pas)
                ;
            $out=trim($cl->read_all());
            $out=str_replace($pas,'',$out);
            $out=preg_replace('/^:\s*/','',$out);
            $p->js()->_selector('#'.$p->name.'_strength')->text($out)->css(array('color'=>$out=="OK"?'black':'red'))->execute();
        }

We even take care of the message color. Probably my designer would be happier if i change the class here, he would be able to prepend message with an image.

There you have it. I also changed the template of the page to contain light-weight CMS before and after the form.

http://www.agiletech.ie/pwcheck/

About these ads

July 26, 2010 - Posted by romaninsh | Beginner tips, Version 3

7 Comments »

More general comment. I believe we should make form creation simpler. Integration of jq and ajax should be more seamless. It is all fine with addField and setProperty. But when it gets to js part, it should be made more obvious and less complicated.

Comment by Jancha | July 26, 2010 | Reply
The current JS implementation is very consistent and universal. It can be applied to a form, field or anything else. Jancha, do you have any syntax in mind? Please suggest something.

I think it’s up to enhanced Form controller and it’s collaboration with models to auto-add all those JS things for password. For instance you would do something like

$m=$model
->addField(‘password_new’,'password’)
->addField(‘password_confirm’);

$m->import($m);

and it automatically creates password-metter.

Also – I thought about wrapping up all of the above into view called “PasswordStrength”, and developers would be able to do:
$form->addField(‘password’)->add(‘PasswordStrength’);

but I wanted to show how to make something using existing codebase first and, perhaps, get more feedback.

Comment by romaninsh | July 26, 2010 | Reply
Indeed I also think the JS enabling stuff is complicated… maybe we can have a method $f->enableJS() to load the needed widgets.

About the assword strength field, I like how it works and like the idea of addiing a PasswordStrength to a password field!

Comment by Svetlozar Kondakov | July 26, 2010 | Reply
Svetlozar, I do not see where enableJS would fit in. There are bunch of JS widgets managing forms, if you are pointing at:
$f->js(true)->_load(‘ui.atk4.form’)->atk4_form();

then our common practice is to create a per-project class such as AWForm, which automatically includes this code inside init(), then re-use it.

It also helps us to develop components which work without javascript support. For example – open http://agiletech.ie/ with JS disabled and everything works anyway. Perhaps no animation, but fully functional. Team selector, project slides and forms work.

So by default JS is turned off in our new projects and we turn it on later.

Comment by romaninsh | July 26, 2010 | Reply
All round amazing blog

Comment by men streetwear | October 15, 2011 | Reply
You’re quite right with this one…

Comment by Business Directory | November 21, 2011 | Reply
Thank goodness some bloggers can still write. My thanks for this writing!!

Comment by картинки для форумов | December 4, 2011 | Reply

About

Agile Toolkit is a PHP5 toolkit developed by Agile Technologies. Toolkit includes a solid MVC framework, large number of ready-to-use widgets and controllers and is specifically designed to Web Software development in a rapid and agile way. It is also called AModules3 and is influenced by MI2. Official homepage: http://www.agiletech.ie/work/agile_toolkit/

Another framework?

ATK4 is not exactly framework. Framework is a bare-bones flexible implementation which is to direct developer and help maintaining a single pattern throughout the code. ATK4 is that but it is also a set of ready-to-use solutions for common web applications and software as a service projects.

While you might find Zend and Ruby similar to Java and ExtJS, ATK4 concept is very similar to jQuery. The motto “Write Less, Do More” perfectly applies to ATK4.

ATK4 pursues a difficult target – to be efficient in a short-term web software projects, where low cost and high speed is very important. At the same time, it provides ability to scale up software development. It also helps to tackle problems other frameworks choose to ignore such as:

Intellectual property versus shared code.
Resolve conflicts between multiple developers on a project – roles: business code developer, ui element developer, masher, designer.
Enforces secure-by-default approach.
Employee training routines are designed to boost efficiency of new developers while still producing consistent code.
Deep integration with JS, while at the same time – JS is optional.
A very simple but very robust AJAX approach

Another very significant difference – Since first design of ATK3 (AModules3) it relied on features of PHP5. It’s not backward compatible. ATK4 is going to be PHP 5.3+.

The ideology of a toolkit

All the components to be usable out-of-the-box. Take default form, default API and mash them.
Components are written in a simple way. They also use several levels of inheritance. You should also have sufficient OOP skills to develop efficiently.
We avoid some features of PHP5 (static, namespaces, pear) and we focus to be very lightweight.
We value results. Often we need to tick the checkboxes in project system requirements, and add enhancements after. Minimum refactoring.
Centered development while still on an open-source license.
Based on the successes and failures of amodules-1 and amodules2.
And most importantly – designed to be used with Agile Development Methodology: start small, release often.

Can I start using toolkit?

Agile Toolkit is used by a few web development companies and some freelancers. Learning framework efficiently requires some serious effort but allows to achieve great results. There have been few 3rd party projects running in the wild.

If you are considering trying the framework, you should have a good experience in PHP and good experience with OOP. And I really mean a textbook and practical knowledge of development paradigms. ATK4 does not attempt to create sterile and foul-proof environment – you will have to understand it over time.

Development of versions 2 and 3 were sponsored by Agile Technologies (formerly ADevel.com).

History

AModules1 was a private code without licensing since 1999. AModules2 was started in 2002 and was used in many projects until PHP5 was released. AModules3 started it’s life right after announcement of Zend2 engine. It’s being developed rapidly until today. ATK4 is in a collaborative assembly step. Many of the ideas and modules for ATK4 are being incubated on a current version. We are not going to release a theoretical framework. This is stuff which works and it have been tested by hundreds and hundreds of commercial web apps throughout last 10 years.

ATK4 plans and concepts are sketched on atk4.pbworks.com. Currently it’s undecided whether it will be released under open-source license.

Agile Toolkit in Action

See this page

Archives
- August 2010 (1)
- July 2010 (3)
- June 2010 (4)
- May 2010 (9)
- April 2010 (12)
Categories
RSS
Entries RSS
Comments RSS

Agile Toolkit news

library updates, tips, information and more