Subscribe via rss
Discussions
Guest
or Ask a Question
Add a reply View Replies (3) →
Evina D
Evina D
Offline

Is There A Way To Implement A Strong Password Policy?

In Arastta cart is there a way to implement a strong customer/user password policy?

Like:

Passwords must be at least 10 characters in length.
Passwords should include at least two alphabetical characters.
Passwords should yse both lower-case and upper-case letters.
Passwords should have at least two special characters (such as & ^ % * $).


Thanks
In Security
Monday, January 22 2018, 05:20 AM
Share this post:
Responses (3)

  • Accepted Answer

    wamecyhap max
    wamecyhap max
    Offline
    Thursday, March 01 2018, 09:23 PM - #Permalink
    [Spam]
    The reply is currently minimized Show

  • Accepted Answer

    Lyla haseen
    Lyla haseen
    Offline
    Thursday, May 16 2019, 09:34 AM - #Permalink
    [Spam]
    The reply is currently minimized Show

  • Accepted Answer

    Hackasacka
    Hackasacka
    Offline
    Friday, May 17 2019, 11:39 PM - #Permalink
    Hi Evina,

    The Arastta "Registration" controller verifies the password strength as well as some of the other input fields such as "email" too.

    This is the checkout controller file containing the verification code used once you have an item in the cart and would like to register and purchase the product (there is another in the direct registration without the need to "checkout" and another in accounts when changing the password.

    /catalog/controller/checkout/register.php (line 163 - 202)

            if (!$json) {
    
            $this->load->model('account/customer');
    

    
            if ((utf8_strlen(trim($this->request->post['firstname'])) < 1) || (utf8_strlen(trim($this->request->post['firstname'])) > 32)) {
    
                $json['error']['firstname'] = $this->language->get('error_firstname');
    
            }
    

    
            if ((utf8_strlen(trim($this->request->post['lastname'])) < 1) || (utf8_strlen(trim($this->request->post['lastname'])) > 32)) {
    
                $json['error']['lastname'] = $this->language->get('error_lastname');
    
            }
    

    
            if ((utf8_strlen($this->request->post['email']) > 96) || !preg_match('/^[^\@]+@.*.[a-z]{2,15}$/i', $this->request->post['email'])) {
    
                $json['error']['email'] = $this->language->get('error_email');
    
            }
    

    
            if ($this->model_account_customer->getTotalCustomersByEmail($this->request->post['email'])) {
    
                $json['error']['warning'] = $this->language->get('error_exists');
    
            }
    

    
            if ((utf8_strlen($this->request->post['telephone']) < 3) || (utf8_strlen($this->request->post['telephone']) > 32)) {
    
                $json['error']['telephone'] = $this->language->get('error_telephone');
    
            }
    

    
            if ((utf8_strlen($this->request->post['password']) < 4) || (utf8_strlen($this->request->post['password']) > 20)) {
    
                $json['error']['password'] = $this->language->get('error_password');
    
            }
    

    
            if ($this->request->post['confirm'] != $this->request->post['password']) {
    
                $json['error']['confirm'] = $this->language->get('error_confirm');
    
            }
    

    
            if ($this->config->get('config_account_id')) {
    
                $this->load->model('catalog/information');
    

    
                $information_info = $this->model_catalog_information->getInformation($this->config->get('config_account_id'));
    

    
                if ($information_info && !isset($this->request->post['agree'])) {
    
                    $json['error']['warning'] = sprintf($this->language->get('error_agree'), $information_info['title']);
    
                }
    
            }


    If you add this bit of code for example after the original password check:-

                if ((utf8_strlen($this->request->post['password']) < 4) || (utf8_strlen($this->request->post['password']) > 20)) {
    
                $json['error']['password'] = $this->language->get('error_password');
    
            }
    
        if (!preg_match('/^[^\@]+@.*.[a-z]{2,15}$/i', $this->request->post['password'])) {
    
            $json['error']['password'] = 'Password must contain a number a letter and a special character !@#$%';
    
        }


    Between start -> ^
    And end -> $
    of the string there has to be at least one number -> (?=.*\d)
    and at least one letter -> (?=.*[A-Za-z])
    and there has to be a number, a letter or one of the following: !@#$% -> [0-9A-Za-z!@#$%]
    and there have to be 8-12 characters -> {8,12}

    You just need to change the regular expression to suit your requirements now.

    '/^[^\@]+@.*.[a-z]{2,15}$/i'


    This might be closer to code you need:-
            if (!preg_match('/^(?=.*\d)(?=.*[@#\-_$%^&+=§!\?])(?=.*[a-z])(?=.*[A-Z])[0-9A-Za-z@#\-_$%^&+=§!\?]{8,20}$/', $this->request->post['password'])) {
    
            $json['error']['password'] = $this->language->get('error_password');
    
        }


    at least one lowercase char
    at least one uppercase char
    at least one digit
    at least one special sign of @#-_$%^&+=§!?


    Perhaps it wouldn't be a good idea to be too strict with registration process as this could potentially prevent a sale.

    At least this shows where you would need to make the checks as means of an explanation.


    Regards,


    Hackasacka
    The reply is currently minimized Show
Your Reply