NAME

Data::Password::BasicCheck - Basic password checking

SYNOPSIS

use Data::Password::BasicCheck;

# Create a password checker object. We require that passwords
# are at least 6 characters long, and no more than 8. We also
# require that there are at least L/2 different symbols in the
# password, where L is the password length. So, for a 6 caracter
# long password, we require at least 3 different symbols, for
# 8 characters long password we require at least 4 different
# symbols, for 7 characters long password we again require
# 4 symbols, since 7 *.5 = 3.5, which rounds to 4.

my $pwcheck = Data::Password::BasicCheck->new(6, # minimal length
                                              8, # maximum length
                                              .5) ; # symbol factor

my $ok = $pwcheck->OK ;
my $check = $pwcheck->check('My!Pass1','bronto',
                            'Marco', 'Marongiu',
                            'Los Angeles','1971 03 17') ;

unless ($check eq $ok) { die "Please choose a better password" }
print "Greetings! Your password was good :-)\n\n" ;

ABSTRACT

This class is used to build basic password checkers. They don't match password against dictionaries, nor they do complex elaborations. They just check that minimal security conditions are verified.

If you need a more accurate check, e.g. against a dictionary, you should consider using a different module, like Data::Password.

DESCRIPTION

Data::Password::BasicCheck objects will do the following checks on the given passwords:

  • password length is in a defined range that is estabilished at object creation;

  • there are at least pL symbols in password, where L is password length and p is 0 < p =< 1. If not specified at object creation we assume p = 2/3 (that is: 0.66666...)

  • password contains alphabetic characters, digits and non-alphanumeric characters;

  • rotations of the password don't match it (e.g.: the password a1&a1& matches itself after three rotations)

  • after cleaning away digits and symbols, the password, its reverse and all possible rotations don't match any personal information given (name, surname, city, username)

METHODS

new

creates a password checker object. Takes two mandatory arguments and an optional third argument. The are: minimal and maximal password length and a symbol factor, which defaults to 2/3 (0.6666....). A symbol factor is a number p such that 0 < p <= 1. Given p, a password of length L must contain at least round(p*L) characters. For example, a 6-character long password must contain at least 4 different symbols by default.

minlen

returns the minimal password length as defined upon object creation.

maxlen

returns the maximal password length as defined upon object creation.

psym

returns the symbol factor as defined upon object creation, or the default one otherwise.

check

Takes a password to check as first argument, and an arbitrary length list of personal data (e.g.: user's ID, name, surname, city, birthdate...) It first checks that the password in itself is good; if it isn't, checks to see if there exists at least a segment of minimal length that could be considered secure. It returns an integer value, starting from 0, whose meaning is:

'0'

password ok

1

password too short

2

password too long

3

password must contain alphabetic characters, digits and non-alphanumeric symbols;

4

not enough different symbols in password

5

password matches itself after some rotations

6

password matches personal information

127

password too weak: security checks have failed on the password and on all minimal length segments of it

WHY WE FALL BACK TO MINIMAL LENGTH SUBPASSWORDS

If you establish that passwords should have a minimal length of 5 characters and a maximal length of 20, you should consider that your system's security depends on password having at least a 5 character long segment that can be considered secure. Since it was hard for me to understand it at first, I'll explain this by example to make it clear.

So, let's suppose that we want passwords from 5 to 15 characters long, with a psym factor of 2/3. The password 1pas; could be considered secure (it has numbers, symbols and alphabetic characters, and each character is unique). What about the password 1pas;aaaaaaaaaa? Well, it won't pass the test for repeated characters (it has 11 a's for an overall length of 15); but you surely noticed that it is exactly the previous password padded with a's to the maximum length. Since the first password was considered secure, we can't consider the second less secure than it, the same way we don't make our car less secure if, besides the normal locks, we add a steering wheel locker (in fact, it should be more secure).

Therefore, if the full length password can be considered secure, that's good. If it's not, but a minimal length segment is, that segment is good, and the rest of the password is added noise, which makes it more secure and not easier to guess.

TO DO

  • Implement more advanced techniques with Quantum::Superpositions, as suggested by larsen <http://perlmonks.org/index.pl?node=larsen>

SEE ALSO

The book Essential System Administration, by Aeleen Frisch, printed by O'Reilly and Associates;

The PerlMonks web site, http://www.perlmonks.org/, where the ideas behind this module have been largely discussed.

Many people among the Italian Perl Mongers, which you can find on IRC on the channel #nordest.pm on slashnet

AUTHOR

Marco Marongiu, <bronto@cpan.org>

COPYRIGHT AND LICENSE

Copyright 2003 by Marco Marongiu

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

7 POD Errors

The following errors were encountered while parsing the POD:

Around line 284:

Expected text after =item, not a number

Around line 288:

Expected text after =item, not a number

Around line 292:

Expected text after =item, not a number

Around line 297:

Expected text after =item, not a number

Around line 301:

Expected text after =item, not a number

Around line 305:

Expected text after =item, not a number

Around line 309:

Expected text after =item, not a number