add password max length setting (#4287)
* add password max length setting

* comment fix
bradymiller committed Mar 20, 2021
1 parent c593ec8 commit 28ca5c0
Showing 2 changed files with 46 additions and 3 deletions.
10 changes: 10 additions & 0 deletions library/globals.inc.php
Expand Up @@ -1926,6 +1926,16 @@ function gblTimeZones()
xl('Minimum length of password.')
),

'gbl_maximum_password_length' => array(
xl('Maximum Password Length'),
array(
'0' => xl('No Maximum'),
'72' => '72',
),
'72', // default
xl('Maximum length of password (Recommend using the default value of 72 unless you know what you are doing).')
),

'password_history' => array(
xl('Require Unique Passwords'),
array(
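Review bot: The help text for `gbl_maximum_password_length` warns against changing the default but does not say what the `'0' => xl('No Maximum')` choice actually does: with the bcrypt hashing that the companion change in src/Common/Auth/AuthUtils.php describes, everything past the first 72 bytes of a password is ignored both when hashing and when authenticating, so "No Maximum" does not make longer passwords any stronger and can mislead users about what is being checked. Suggest making that explicit in the hint, e.g. `xl('Maximum length of password. With the default bcrypt hashing only the first 72 bytes are used, so choose No Maximum only with a hashing algorithm that uses the whole password (for example argon).')`. If this array form renders as a fixed choice list, the "larger passwords with argon" case mentioned in the AuthUtils docblock is only reachable by editing the global directly; a free-form numeric entry may serve that case better, but that depends on how globals.inc.php renders this entry, which is outside the hunk.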
39 changes: 36 additions & 3 deletions src/Common/Auth/AuthUtils.php
Expand Up @@ -540,7 +540,13 @@ public function updatePassword($activeUser, $targetUser, &$currentPwd, &$newPwd,
}

// Ensure password is long enough, if this option is on (note LDAP skips this)
if ((!$ldapDummyPassword) && (!$this->testPasswordLength($newPwd))) {
if ((!$ldapDummyPassword) && (!$this->testMinimumPasswordLength($newPwd))) {
$this->clearFromMemory($newPwd);
return false;
}

// Ensure password is not too long (note LDAP skips this)
if ((!$ldapDummyPassword) && (!$this->testMaximumPasswordLength($newPwd))) {
$this->clearFromMemory($newPwd);
return false;
}
Expand Down Expand Up @@ -849,12 +855,12 @@ private function rehashPassword($username, &$password)
}

/**
* Does the new password meet the length requirements?
* Does the new password meet the minimum length requirements?
*
* @param type $pwd the password to test - passed by reference to prevent storage of pass in memory
* @return boolean is the password long enough?
*/
private function testPasswordLength(&$pwd)
private function testMinimumPasswordLength(&$pwd)
{
if (($GLOBALS['gbl_minimum_password_length'] != 0) && (check_integer($GLOBALS['gbl_minimum_password_length']))) {
if (strlen($pwd) < $GLOBALS['gbl_minimum_password_length']) {
Expand All @@ -866,6 +872,33 @@ private function testPasswordLength(&$pwd)
return true;
}

/**
* Does the new password meet the maximum length requirement?
*
* The maximum characters used in BCRYPT hash algorithm is 72 (the additional characters
* are simply truncated, so does not break things, but it does give the erroneous
* impression that they are used to create the hash; for example, if I created a
* password with 100 characters, then only the first 72 characters would be needed
* when authenticate), which is why the 'Maximum Password Length' global setting is
* set to this number in default installations. Recommend only changing the
* 'Maximum Password Length' global setting if know what you are doing (for example, if using
* argon hashing and wish to allow larger passwords).
*
* @param type $pwd the password to test - passed by reference to prevent storage of pass in memory
* @return boolean is the password short enough?
*/
private function testMaximumPasswordLength(&$pwd)
{
if ((!empty($GLOBALS['gbl_maximum_password_length'])) && (check_integer($GLOBALS['gbl_maximum_password_length']))) {
if (strlen($pwd) > $GLOBALS['gbl_maximum_password_length']) {
$this->errorMessage = xl("Password too long. Maximum characters allowed") . ": " . $GLOBALS['gbl_maximum_password_length'];
return false;
}
}

return true;
}

/**
* Does the new password meet the strength requirements?
*
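Review bot: The error message at `$this->errorMessage = xl("Password too long. Maximum characters allowed") . ": " . $GLOBALS['gbl_maximum_password_length'];` reports characters, but the comparison on the line above uses `strlen()`, which counts bytes, so a UTF-8 password of multibyte characters is rejected well below 72 characters while the message claims otherwise; the same byte/character mismatch exists in testMinimumPasswordLength's `strlen($pwd) <` check in the previous hunk. Counting bytes is the right measure here, since bcrypt's 72 limit is a byte limit, so keep `strlen` and correct the wording instead: `xl("Password too long. Maximum bytes allowed")`, and say "72 bytes" rather than "72 characters" in the new docblock. The docblock placeholders `@param type $pwd` and `@return boolean` should read `@param string $pwd` and `@return bool`, in both the renamed minimum method and the new maximum one. The enclosing class continues outside the hunk.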
