allowed password characters

kitchin (Verified User; joined May 21, 2014; 27 messages)
I searched high and low and could not find the answer, so I tested what password characters are allowed when modding users from the Reseller screen.
I found all special characters from ASCII 33 (!) to ASCII 126 (~) are ok except:

/ forward slash
\ backslash
` backtick

Is it system dependent? I'm on CentOS 5, DirectAdmin 1.45.2.1.

I plan to mod the javascript random password generator on HTM_ACCOUNT_USER_CREATE. Should I expect any problems?

By the way the error message is unhelpful:
"Invalid characters in password"

There it is if anyone else searches on it. Not much in Google.

The option "Difficult Password Enforcement" in CMD_ADMIN_SETTINGS enables this script:
/usr/local/directadmin/scripts/difficult_password.php
It has some commented-out code for what it calls "shift characters", in enforce_shift_chars(). I realize it is used in other situations than the one I am looking at, creating users under Reseller.

The enforce_shift_chars(), uncommented, looks for at least one character from a list. The list differs from my list above as follows:

add: / forward slash
del: " double quote
del: ' single quote
del: [ left bracket
del: ] right bracket

Seems reasonable. I'm not arguing for every character, just trying to document what works.
 
The logic to validate a password is as follows:

1) Cannot have space, \ or /
2) ASCII range (' ' <= ch && ch <= '~') is allowed
3) ASCII range (128 <= ch && ch <= 255) is allowed
4) Absolute lengths must be > 3 and < 64
5) Must pass the difficult_password.php script check, if enabled.

You may notice #2 allows spaces, but #1 does not. The first rule takes priority, hence they're not allowed, as the ASCII range check is used for other areas like "is sentence", etc. So no, spaces are not allowed for a password at the moment.

Note: if you turn on ajax=1, DA will check all of this, including the difficult_password.php check, for each character entered into a password field.
Also, the "random password" buttons will get the password from DA itself (which checks against difficult_password.php until it works), rather than from javascript, which is a guess in the dark.

We may be turning on ajax=1 as the default in a future release, as it's got many benefits, eg:
http://www.directadmin.com/features.php?id=1560
http://www.directadmin.com/features.php?id=1312
http://www.directadmin.com/features.php?id=1597 (upcoming feature)

John
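To make John's five rules concrete, here is an added example (my own PHP, not DirectAdmin's code or the difficult_password.php script) that validates a password in the order he lists, so that a space is rejected by rule 1 even though rule 2's range would admit it, and that generates a random password from the allowed alphabet, retrying until it validates, in the way he describes the DA-side "random password" button working. The rule-5 check uses the same special-character list as the has_shift_chars() fix later in this thread; the function names, the "difficult" flag and the byte-length interpretation of rule 4 are assumptions of this example.

```php
<?php
// Added example, not DirectAdmin code: validator for the five rules John
// listed, plus a generator that draws only from the allowed alphabet.

// Rule 1: space, backslash and forward slash are never allowed.
function da_has_forbidden_chars($pw)
{
    return strpbrk($pw, " \\/") !== false;
}

// Rules 2 and 3: every byte must be printable ASCII (0x20-0x7e) or 0x80-0xff.
// Control characters and DEL (0x7f) are rejected. Multi-byte UTF-8 passes
// byte by byte because all its bytes are >= 0x80.
function da_all_bytes_in_range($pw)
{
    for ($i = 0; $i < strlen($pw); $i++) {
        $ch = ord($pw[$i]);
        if (!(($ch >= 0x20 && $ch <= 0x7e) || ($ch >= 0x80 && $ch <= 0xff))) {
            return false;
        }
    }
    return true;
}

// Rule 5 stand-in for the "Difficult Password Enforcement" check: at least one
// special character from ASCII 33-126, excluding / and \ (same list as the
// has_shift_chars() fix posted further down).
function da_has_shift_chars($pw)
{
    $chs = '!"#$%&()*+,-.:;<=>?@[]^_`{|}~' . "'";
    return strpbrk($pw, $chs) !== false;
}

// Returns '' when $pw is acceptable, otherwise the reason it fails.
// Checks run in the order John gave, so a space is reported under rule 1.
// Assumption: rule 4 counts bytes (strlen), not characters.
function da_validate_password($pw, $difficult = true)
{
    if (da_has_forbidden_chars($pw))   return 'contains space, backslash or forward slash';
    if (!da_all_bytes_in_range($pw))   return 'contains a control character';
    $len = strlen($pw);
    if ($len <= 3 || $len >= 64)       return 'length must be greater than 3 and less than 64';
    if ($difficult && !da_has_shift_chars($pw)) return 'needs at least one special character';
    return '';
}

// Alphabet that satisfies rules 1-3 by construction: printable ASCII minus
// space, / and \ (92 characters).
function da_allowed_alphabet()
{
    $out = '';
    for ($ch = 0x21; $ch <= 0x7e; $ch++) {
        $c = chr($ch);
        if ($c !== '/' && $c !== '\\') $out .= $c;
    }
    return $out;
}

// Random password of $len characters; regenerate until it validates, as the
// server-side "random password" button does. Lengths outside 4..63 can never
// pass, so refuse them instead of looping forever.
function da_random_password($len = 12)
{
    if ($len < 4 || $len > 63) {
        throw new InvalidArgumentException('length must be between 4 and 63');
    }
    $alphabet = da_allowed_alphabet();
    $n = strlen($alphabet);
    do {
        $pw = '';
        for ($i = 0; $i < $len; $i++) {
            // random_int() is a CSPRNG (PHP 7+); mt_rand() is only a fallback
            // for old PHP such as CentOS 5's and is not cryptographically strong.
            $idx = function_exists('random_int') ? random_int(0, $n - 1) : mt_rand(0, $n - 1);
            $pw .= $alphabet[$idx];
        }
    } while (da_validate_password($pw) !== '');
    return $pw;
}

// Constructed sample inputs covering the edge cases discussed in the thread.
$samples = array('abc', 'pass word', 'slash/here', 'back`tick', 'Tr0ub4dor&3', str_repeat('a', 63) . '!');
foreach ($samples as $s) {
    $err = da_validate_password($s);
    echo str_pad($s, 66) . ($err === '' ? 'ok' : $err) . "\n";
}
echo 'generated: ' . da_random_password(16) . "\n";
```

Running it shows 'abc' failing on length, 'pass word' and 'slash/here' failing on rule 1, 'back`tick' passing (the backtick counts as a special character), and the 64-byte string failing on length even though every byte is allowed.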
 
Great info, ajax=1 sounds good. I must have tested ` wrong. So, correction to my original post,

` backtick IS allowed

And the difficult_password_check.php regex ignores *five* special characters: `"'[]

I doubt I'll be using ` in a password, but / is pretty common on other systems, so that is a bit of a gotcha. Might be a reason to list the allowed characters on the error screen. Or the disallowed characters.

Here is a fix to difficult_password_check.php, with the characters in ASCII order and less tooth-picky:
PHP:
function has_shift_chars($str)
{
	//return ereg("[\~\!\@\#\$\%\^\&\*\(\)\-\=\_\+\{\}\:\;\|\<\>\,\.\?\/]+", $str);
	//return preg_match("/[\~\!\@\#\$\%\^\&\*\(\)\-\=\_\+\{\}\:\;\|\<\>\,\.\?\/]+/", $str);
	// characters: !"#$%&'()*+,-.:;<=>?@[]^_`{|}~  (all ASCII 33-126 non-alphanumerics except / and \)
	$chs = '!"#$%&()*+,-.:;<=>?@[]^_`{|}~' . "'";
	// true if $str contains at least one character from $chs, false otherwise
	for ( $i = 0; $i < strlen($chs); $i++ ) {
		if ( strpos( $str, $chs[$i] ) !== false ) return true;
	}
	return false;
}
 