From 325b123bdf5d6cc43cdbeeedd461a8f395fc1541 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?= <neo@nhng.de>
Date: Tue, 19 Apr 2011 23:27:14 +0200
Subject: #637: Remove example password
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#637: "Password suggestion always the same"

Signed-off-by: Michael Tänzer <neo@nhng.de>
---
 pages/index/1.php | 4 +---
 pages/index/6.php | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/pages/index/1.php b/pages/index/1.php
index d9ce8a8..f4343e7 100644
--- a/pages/index/1.php
+++ b/pages/index/1.php
@@ -18,9 +18,7 @@
 <p><?=_("By joining CAcert and becoming a Member, you agree to the CAcert Community Agreement. Please take a moment now to read that and agree to it; this will be required to complete the process of joining.")?></p>
 <p><?=_("Warning! This site requires cookies to be enabled to ensure your privacy and security. This site uses session cookies to store temporary values to prevent people from copying and pasting the session ID to someone else exposing their account, personal details and identity theft as a result.")?></p>
 <p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;">
-<b><?=_("In light of the number of people having issues with making up a password we have the following suggestions:")?></b><br><br>
-<?=_("To get a password that will work, we suggest the following example")?>: Fr3d Sm|7h<br><br>
-<?=_("This wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?><br><br>
+<?=_("A proper password wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?><br><br>
 <b><?=_("Note: White spaces at the beginning and end of a password will be removed.")?></b>
 </p>
 
diff --git a/pages/index/6.php b/pages/index/6.php
index 8eefa44..fe57d81 100644
--- a/pages/index/6.php
+++ b/pages/index/6.php
@@ -16,9 +16,7 @@
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ ?>
 <p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;">
-<b><?=_("In light of the number of people having issues with making up a password we have the following suggestions:")?></b><br><br>
-<?=_("To get a password that will work, we suggest the following example")?>: Fr3d Sm|7h<br><br>
-<?=_("This wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?>
+<?=_("A proper password wouldn't match your name or email at all, it contains at least 1 lower case letter, 1 upper case letter, a number, white space and a misc symbol. You get additional security for being over 15 characters and a second additional point for having it over 30. The system starts reducing security if you include any section of your name, or password or email address or if it matches a word from the english dictionary...")?>
 </p>
 
 <form method="post" action="index.php" autocomplete="off">
-- 
cgit v1.2.1


From 62f99b561a13e51e8f4d55a36092de536c531d99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?= <neo@nhng.de>
Date: Tue, 19 Apr 2011 23:39:14 +0200
Subject: #637: Force users to change their password if weak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#637: "Password suggestion always the same"

Signed-off-by: Michael Tänzer <neo@nhng.de>
---
 pages/account/14.php | 10 ++++++++++
 www/index.php        |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/pages/account/14.php b/pages/account/14.php
index 342ab46..29aeb21 100644
--- a/pages/account/14.php
+++ b/pages/account/14.php
@@ -15,6 +15,16 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ ?>
+<?
+	if (intval($_REQUEST['force']) === 1)
+{
+?>
+
+<p style="border:dotted 1px #900;padding:0.3em;bold;color:#ffffff;background-color:#ff0000;"><strong><center>
+<?=_("For your own security you should change your pass phrase immediately!"); ?></center></strong>
+</p>
+<?}?>
+
 <form method="post" action="account.php">
 <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper" width="400">
   <tr>
diff --git a/www/index.php b/www/index.php
index fb215c6..2634a47 100644
--- a/www/index.php
+++ b/www/index.php
@@ -332,6 +332,8 @@
 				$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
 				$_SESSION['_config']['oldlocation'] = "account.php?id=13";
 			}
+			if ($pword === "Fr3d Sm|7h")
+				$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
 			if($_SESSION['_config']['oldlocation'] != "")
 				header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
 			else
-- 
cgit v1.2.1


From e7368868ba88433956ad034fb7883d2dcd9566be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?= <neo@nhng.de>
Date: Wed, 22 Jun 2011 00:21:45 +0200
Subject: #637: Move a subset of password checks to a separate function and
 check it on every login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The subset are some very lightweight checks that contains the check for the
old password suggestion

Signed-off-by: Michael Tänzer <neo@nhng.de>
---
 includes/general.php | 15 +++++++++++++--
 www/index.php        |  2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/includes/general.php b/includes/general.php
index 5789875..aa74e9b 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -248,8 +248,7 @@
 		}
 	}
 
-	function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
-	{
+	function checkpwlight($pwd) {
 		$points = 0;
 
 		if(strlen($pwd) > 15)
@@ -279,7 +278,19 @@
 			$points++;
 
 		//echo "Points due to length and charset: $points<br/>";
+		
+		// check for historical password proposal
+		if ($pwd === "Fr3d Sm|7h") {
+			return 0;
+		}
+		
+		return $points;
+	}
 
+	function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
+	{
+		$points = checkpwlight($pwd);
+		
 		if(@strstr(strtolower($pwd), strtolower($email)))
 			$points--;
 
diff --git a/www/index.php b/www/index.php
index 2634a47..d42a4dc 100644
--- a/www/index.php
+++ b/www/index.php
@@ -332,7 +332,7 @@
 				$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
 				$_SESSION['_config']['oldlocation'] = "account.php?id=13";
 			}
-			if ($pword === "Fr3d Sm|7h")
+			if (checkpwlight($pword) < 3)
 				$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
 			if($_SESSION['_config']['oldlocation'] != "")
 				header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
-- 
cgit v1.2.1