Password: add Zxcvbn strength driver

6 years ago · 1bf6dc3de8
parent 00946f1f57
commit 1bf6dc3de8
5 changed files with 77 additions and 1 deletions
--- a/composer.json-dist
+++ b/composer.json-dist
@ -26,6 +26,7 @@
    },
    "suggest": {
        "pear/net_ldap2": "~2.2.0 required for connecting to LDAP",
-        "kolab/net_ldap3": "~1.0.6 required for connecting to LDAP"
+        "kolab/net_ldap3": "~1.0.6 required for connecting to LDAP",
+        "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver"
    }
 }
--- a/plugins/password/README
+++ b/plugins/password/README
@ -380,6 +380,14 @@
 handled by included drivers. Just pass driver name in 'password_strength_driver' option.


+ 2.2.1. Zxcvbn
+ -------------
+
+ Driver to use the Zxcvbn library to check password strength. Requires zxcvbn-php library.
+
+ Set $config['password_zxcvbn_min_score'] to define minimum acceptable password strength score.
+
+
 3. Driver API
 -------------

--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@ -488,7 +488,14 @@ $config['password_plesk_rpc_path'] = 'enterprise/control/agent.php';
 // Command to use
 $config['password_kpasswd_cmd'] = '/usr/bin/kpasswd';

+
 // Modoboa Driver options
 // ---------------------
 // put token number from Modoboa server
 $config['password_modoboa_api_token'] = '';
+
+
+// Zxcvbn Strength Driver options
+// ------------------------------
+// minimum Zxcvbn score required for new passwords (0 = weak, 4 = very strong, 3 = default)
+$config['password_zxcvbn_min_score'] = 3;
--- a/plugins/password/drivers/zxcvbn.php
+++ b/plugins/password/drivers/zxcvbn.php
@ -0,0 +1,57 @@
+<?php
+
+/**
+ * Zxcvb Password Strength Driver
+ *
+ * Driver to check password strength using Zxcvbn-PHP
+ *
+ * @version 0.1
+ * @author Philip Weir
+ *
+ * Copyright (C) 2018 Philip Weir
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+
+use ZxcvbnPhp\Zxcvbn;
+
+class rcube_zxcvbn_password
+{
+    function strength_rules()
+    {
+        $rcmail  = rcmail::get_instance();
+
+        $rules   = array();
+        $rules[] = $rcmail->gettext('password.passwordweak');
+        $rules[] = $rcmail->gettext('password.passwordnoseq');
+        $rules[] = $rcmail->gettext('password.passwordnocommon');
+
+        return $rules;
+    }
+
+    function check_strength($passwd)
+    {
+        $rcmail   = rcmail::get_instance();
+        $zxcvbn   = new Zxcvbn();
+        $strength = $zxcvbn->passwordStrength($passwd);
+        $result   = null;
+
+        if ($strength['score'] < $rcmail->config->get('password_zxcvbn_min_score', 3)) {
+            $reason = $strength['feedback']['warning'];
+            $result = $rcmail->gettext(array('name' => 'password.passwordweakreason', 'vars' => array('reason' => $reason)));
+        }
+
+        return $result;
+    }
+}
--- a/plugins/password/localization/en_US.inc
+++ b/plugins/password/localization/en_US.inc
@ -32,6 +32,9 @@ $messages['connecterror'] = 'Could not save new password. Connection error.';
 $messages['internalerror'] = 'Could not save new password.';
 $messages['passwordshort'] = 'Password must be at least $length characters long.';
 $messages['passwordweak'] = 'Password must include at least one number and one punctuation character.';
+$messages['passwordweakreason'] = 'Password too weak. $reason';
+$messages['passwordnoseq'] = 'Password should not be a sequence like 123456 or QWERTY.';
+$messages['passwordnocommon'] = 'Password should not be a common word or name.';
 $messages['passwordforbidden'] = 'Password contains forbidden characters.';
 $messages['firstloginchange'] = 'This is your first login. Please change your password.';
 $messages['disablednotice'] = 'The system is currently under maintenance and password change is not possible at the moment. Everything should be back to normal soon. We apologize for any inconvenience.';