Force Strong Passwords - Appgini V5.81

peebee
AppGini Super Hero
Posts: 246
Joined: 2013-03-21 04:37

Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-01-16 08:06

By default, AppGini accepts ANY password with a minimum of 4 characters.

Strong passwords (combination of uppercase, lowercase, numeric, special character and at least 8 characters) can be enforced by editing several core files.

Files requiring editing:
  • membership_profile.php
  • membership_signup.php
  • admin/pageEditMember.php
  • language.php
  • language-admin.php
For anybody who is interested, rather than explain how to, I've attached all of the edited files required. Editing is minimal and code has only been added - no major hacks involved. The attached edited files apply to AppGini Version 5.81 only. I think everything required is covered.

All new/edited code is commented so just search "strong password" in each file to see what's been added. Only one line added to the bottom of each language file. This was a requirement for me - hopefully it may be of use to somebody else. Feel free to edit to your own requirements.

Just be aware that if these are core generated AppGini files - you will need to replace them if you ever regenerate your app again as they WILL be overwritten. If you do use this, please take a backup of your original files first.
Attachment: Strong-Passwords-V581.zip

onoehring
AppGini Super Hero
Posts: 422
Joined: 2019-05-21 22:42

Re: Force Strong Passwords - Appgini V5.81

Post by onoehring » 2020-01-17 10:03

Hi peebee,

I did not test yet, but thanks for sharing.

Olaf
Some postings I was involved, you might find useful:
Backup your database (easy) (viewtopic.php?f=4&t=3341); Improve security / safety against DDOS and brute force (failed) logins (viewtopic.php?f=4&t=3168); Field Permissions (hide / lock fields by usergroup) (viewtopic.php?f=4&t=3308); Custom (error) message (viewtopic.php?f=7&t=1740&p=10871#p10906); Audit Log (viewtopic.php?f=4&t=1369&p=10407); Two Factor Authentication (viewtopic.php?f=7&t=3306&p=11478); Add extra (2nd) SAVE CHANGES button (viewtopic.php?f=2&t=3242&p=11104);

aarlauskas
Veteran Member
Posts: 36
Joined: 2019-04-28 18:03

Re: Force Strong Passwords - Appgini V5.81

Post by aarlauskas » 2020-02-09 10:46

Thanks Peebee, I'm definitely going to try this. I did post this question about minimum password requirements ages ago, but no one replied. I think this should be part of the application instead of editing several files which will be overwritten on your next upload...

onoehring

Re: Force Strong Passwords - Appgini V5.81

Post by onoehring » 2020-02-09 14:31

Hi aarlauskas & peebee,

I agree with you. After also appreciating peebee's work, I was thinking that this "complex password" stuff is outdated. We should simply add the need to have a password longer than X characters and maybe a prohibited list of words, so no one uses "password" and similar as a password.

Olaf

aarlauskas

Re: Force Strong Passwords - Appgini V5.81

Post by aarlauskas » 2020-02-10 22:38

Hi Peebee, I've just tried your attached files, but it does not seem to work for me for some reason. I did compare your files beforehand just to see exactly what work you had done and could not find anything table- or db-specific apart from your extra code. There is only one file (membership_signup) that has your application name in it at the top, so I have changed that to the name of my application. The rest of the files are just core files, as you mentioned. So I just replaced my files with yours and then tried resetting the password on one of the users, just entered password 1234 and that went through fine, I could access my website no problem. So, what am I missing here? That is a very serious security issue really. If one of the idiot users decides to create a password of 1234 or similar, then a lot of data can be exposed .... This really needs to be looked at for integration as a standard option when creating web applications..

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-11 06:34

Hmmm? It's working fine for me and I don't think I forgot to add anything in the upload? I've used this on a few apps so far - never failed. I just compared the files in the upload to what I'm using myself and they are the same? Should be working??

Q. Where (which page) did you change the password and it didn't work? Did you try through Admin, User Profile and signup? Any success anywhere?

Q. Can you see the new language strings under the password text areas?

The updated files: No table or database specific code required. Just some minimal additional code to be added to the generated files mentioned.

NOTES:
$app_name = " " - Yes, an oversight on my part! I should have noted that $app_name = " " at the top of membership_signup.php needs to be changed to your own app name. Shouldn't stop anything from working though? It's only used for email notifications?

I probably should also have added that this will NOT prevent you from logging in with a weak password that has ALREADY been saved/hashed in your database prior to the updated files being loaded. In other words - it has no effect on any existing passwords.

It WILL (or should at least) once loaded prevent you from creating a new weak password without minimum requirements and it will also prevent you from changing your existing password to a new weak password.

Strong passwords (in this format) for me is an absolute security requirement as my apps are professionally penetration tested by data auditors. It will not pass the test without it.

For testing, I'll create a new test app upload my new files and report back soon.

onoehring

Re: Force Strong Passwords - Appgini V5.81

Post by onoehring » 2020-02-11 06:39

Hi aarlauskas,

just a quick fix.
You can change the password length that AG needs in just two files: membership_profile.php and membership_signup.php.
Open membership_profile.php. Search for

Code:

if(strlen($password) < 4 || trim($password) != $password) {
and replace the 4 with the minimum characters you want to allow.

Open membership_signup.php. Search for

Code:

if(strlen($newPassword) < 4) {
and replace the 4 with the minimum characters you want to allow. Of course, this should be the same value as before.

You will probably want to open the language.php file as well and adjust the hint: Open language.php, search for

Code:

$Translation['password invalid']
and replace the number of characters with your new character count.

Well, this can of course be put into a database, so that the admin can change the required password length. If put into the database, one can easily add checking for forbidden passwords. I suggest getting a list of passwords from the internet that you want to disallow and running them through the password algorithm used by AG: sha256. Then you can easily compare the new password from the user against the password list. If a match occurs, tell the user the password is not allowed.
When I find some time ... well, I put this on my todo list (but do not wait for it).

Olaf

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-11 07:12

For testing: I just loaded an untouched app that I downloaded from AppGini's GitHub account. (https://github.com/bigprof-software/onl ... ing-system)

I replaced ONLY the files in my original upload (with no further edits - not even changing the $app_name = " " variable).

Worked a treat. Not sure why it's not working for you?

One thing I have just noticed though: as I have it at the moment, the strong password rules don't apply to the actual Super Admin password - only all Admins and regular Members. Looks like I need to edit admin/pageSettings.php too. I'll look into it.

Yes Olaf, very easy to extend the length of the password as you suggest but sadly limiting the password length to 8 characters or more doesn't stop users from entering "password" or "12345678" as the password. You would need to add literally thousands (more?) of "weak" passwords to your list to prevent some of the brute force tools out there.

onoehring

Re: Force Strong Passwords - Appgini V5.81

Post by onoehring » 2020-02-11 07:35

Hi peebee,

I agree, it's difficult, and a problem no one has really solved yet ;-)
Nevertheless, maybe adding the top 100 or top 1000 passwords to the list is enough. Also setting the minimum length to 10 should most likely prevent simple passwords.
Maybe check out the two-factor authentication (see my footer) as well to add more security to your applications. The add-on does not force all users to use 2FA, but this should be easy to change.

Olaf

aarlauskas

Re: Force Strong Passwords - Appgini V5.81

Post by aarlauskas » 2020-02-12 13:40

Hi Guys, thanks for your replies. I'll try again when I get a minute, maybe I missed something.. The way I tried this: on the login screen (under the password field) I clicked on the password reset link, entered a user name (random test user, created for this purpose, not admin), then received an email with a password reset link, then clicked on that link in the email and entered the new password (1234). The change was approved by the system without warning. I could then log in with the new password (1234).. Thanks for your work, I'm sure we'll get this to work 🙂

aarlauskas

Re: Force Strong Passwords - Appgini V5.81

Post by aarlauskas » 2020-02-12 21:15

Hi Peebee, so I just tried the same thing as you, downloaded the project from https://github.com/bigprof-software/onl ... ing-system and then just dropped your ready files in there. Then I logged out of the application and on the login screen (under the password field) I clicked on the password reset link, entered a user name (random test user, created for this purpose, not admin), then received an email with a password reset link, then clicked on that link in the email and entered the new password (222). The change was approved by the system without warning, and I could log in to the app with the password 222. Then I went into the super admin account and selected this same user from the members tab. I then tried changing the password for this user to 1234, and the warning popped up stating that the password was weak and asking me to go back. That means the code is somehow working if logged on as super admin and changing the password for the user, BUT nothing stops that user from going back to the login screen and resetting the password to anything he likes by clicking on the password reset link that he gets in his email.. :?: Please note, I could even change the password to 2 or 3 characters only, it didn't even warn about the minimum of 4 characters.. Oh dear :D Please help..

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-12 21:58

Ah, yes aarlauskas, part of what you report would be correct. Password function exists in more places than I had expected.

My security audit requires me to remove the "password reset" function so I must admit I hadn't even touched that. I will get onto that now. Hopefully it shouldn't be too hard to fix. Sorry for the inconvenience. Yet another oversight on my part.

It's not that it only works for Super Admin when changing a user's password. If any User (including non-Admins) visits their profile page from within the app (/membership_profile.php), they also can't change their password there unless it conforms to strong password criteria.

I'll get back with an updated version soon.

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-12 23:59

OK, I've now added strong password policy to the "password reset" function and all should be working correctly everywhere now - except for the Super Admin password that I haven't quite got to yet.

Just one additional file added to the new V2 upload below (/membership_passwordReset.php)

So now, strong password policy should apply to:
1. New sign-ups
2. Membership Profile change of password
3. Admin area change of password
4. Password reset function

Hopefully I've covered everything this time around. I'll get to the Super Admin password when I can but for me it's not quite so important as of course strong passwords are used in the first instance. Any comments/suggestions are welcome.
Attachment: Strong-Passwords-V581-V2.zip

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-13 03:51

V3 below now includes all of the above plus one more additional edited file added (admin/pageSettings.php) to enforce strong password on resetting the Super Admin password.

The only thing I can see that's missing now is enforcing a strong password for the Super Admin when you first install/configure the app. I took a quick look at it. It might require more time than I have available at the moment. Maybe later.

Any comments or edits are welcome.
Attachment: Strong-Passwords-V581-V3.zip

aarlauskas

Re: Force Strong Passwords - Appgini V5.81

Post by aarlauskas » 2020-02-13 11:27

Hi Peebee, yes the password reset link now prompts to set a strong password, which is great! I can see small glitches in the way the system accepts the passwords. So, the system should force you to ensure there is one capital letter, one number, one special character and a minimum of 8. These are just two examples of what I tried: Hellom@n (passed, but no number); h3llom@n (passed, but no capital letter). It's just a little strange how it combines them. The following passwords were failed by the system, which is great: helloman, Helloman, h3lloman, hellom@n, H3llm@n. To be honest, from what I had (nothing) and what you have achieved with your code, I'm not too fussed about this glitch. The Super Admin part is not important to me, because it's only me who manages this, so I can ensure my password is 2 miles long.. For me the most important bit was the reset link on the login screen, because that's how I enrolled everyone to join my application. I created accounts for everybody with a temp password and then asked people to reset the password to their own via the login screen/reset link.. I didn't realize there wasn't any restriction on password strength, people could simply put the number 1 in there and that would be fine.. Send me your PayPal email, I'll drop you $20, so you can have coffee and doughnuts on me :D I do appreciate your work Mate. THANK YOU!

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-13 22:35

Glad to hear it's working for you and suits your purpose aarlauskas. Thanks also for the generous offer of payment but seriously not necessary. Happy to assist if/when I can.
I can see small glitches in the way the system accepts the passwords.
Not actually a glitch. As it is at the moment (and I probably should have pointed out earlier), only 3 of the 4 classes (uppercase/lowercase/numeric/special character) are required. That is sufficient for my apps to pass penetration testing. I left the language file indicating that all 4 criteria are required but that's not actually the case. Humans being humans, there's a good possibility most users will try something less than is required first off anyhow.

You can easily change the code to require all 4 classes if you'd prefer. Just find this line in each of the files and edit from:

Code:

// must have at least one character of at least 3 of the above 4 classes
		if($no_shows > 1) return false;
to:

Code:

// must have at least one character of all 4 of the above classes
		if($no_shows > 0) return false;
or you could edit the language files to indicate that only 3 of 4 classes is required if preferred.
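
The following is an added example written for this thread, not code from peebee's zip or from AppGini itself: one PHP function that combines the three rules discussed above (Olaf's configurable minimum length and deny-list, and peebee's "3 of 4 character classes" rule, switchable to all 4). The function and parameter names are the example's own, the deny-list is constructed for the demo, and it assumes PHP 7 or later. Peebee's `$no_shows` counter is the number of absent classes; this version counts present classes instead, which is the same test written the other way round.

```php
<?php
// Added example (not AppGini's own code): a single password-policy check
// covering the rules discussed in this thread:
//   1. minimum length (replaces the hard-coded "< 4" in the core files),
//   2. character classes (peebee's rule: 3 of the 4 classes, or all 4),
//   3. a deny-list of common passwords (Olaf's suggestion).
// Names below are the example's own, not AppGini identifiers.

function password_policy_violations(
    string $password,
    int $minLength = 8,
    int $requiredClasses = 3,   // peebee's default; set to 4 to require every class
    array $denyList = []
): array {
    $problems = [];

    // AppGini's own profile check also rejects leading/trailing whitespace; keep that.
    if (trim($password) !== $password) {
        $problems[] = 'leading or trailing whitespace is not allowed';
    }

    if (strlen($password) < $minLength) {
        $problems[] = "at least $minLength characters are required";
    }

    // Count how many of the four classes appear at least once.
    $classes = [
        'uppercase' => '/[A-Z]/',
        'lowercase' => '/[a-z]/',
        'digit'     => '/[0-9]/',
        'special'   => '/[^A-Za-z0-9]/',
    ];
    $present = 0;
    foreach ($classes as $regex) {
        if (preg_match($regex, $password)) {
            $present++;
        }
    }
    // Same test as peebee's "$no_shows" check: no_shows = 4 - present,
    // and the password fails when no_shows > (4 - requiredClasses).
    if ($present < $requiredClasses) {
        $problems[] = "characters from at least $requiredClasses of the 4 classes "
                    . "(uppercase, lowercase, digit, special) are required";
    }

    // Deny-list, compared case-insensitively so "Password" is caught as well
    // as "password". The plaintext is available at validation time, so the
    // list can be compared directly; hashing it first is not required.
    $lower = strtolower($password);
    foreach ($denyList as $banned) {
        if ($lower === strtolower($banned)) {
            $problems[] = 'this password is on the list of common passwords';
            break;
        }
    }

    return $problems;
}

// Constructed deny-list for the demo only; in practice load a published
// "top N" list from a file instead of hard-coding a handful of entries.
$denyList = ['password', '12345678', 'qwertyui', 'Password1!'];

// The cases aarlauskas reported, plus a deny-list hit and a passing value.
$samples = ['Hellom@n', 'h3llom@n', 'helloman', 'H3llm@n', 'Password1!', 'Tr0ub4dor&3'];
foreach ($samples as $pw) {
    $v = password_policy_violations($pw, 8, 3, $denyList);
    printf("%-12s %s\n", $pw, $v ? 'REJECT: ' . implode('; ', $v) : 'ok');
}
```

With the defaults (8 characters, 3 of 4 classes) `Hellom@n` and `h3llom@n` pass, exactly as aarlauskas observed, `helloman` fails on classes, `H3llm@n` fails on length, and `Password1!` is rejected by the deny-list even though it satisfies every composition rule, which is peebee's point that composition alone does not stop predictable passwords. Passing `4` as the third argument reproduces the `$no_shows > 0` variant. Keeping the function in one include file that each edited core file calls with a single line reduces the work after an AppGini regeneration to re-adding that one call per file.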

peebee

Re: Force Strong Passwords - Appgini V5.81

Post by peebee » 2020-02-13 22:56

PS: I realise that this is far from a perfect fix for the issue in that there are now 7 core files that require editing, ALL of which will need to be replaced if your app is regenerated/overwritten. A strong password policy is a requirement for me (and probably should be for most applications) but until the option is built into AppGini by default, I can't see any other way around it other than to edit core files. Any other alternative would be greatly appreciated if there is one out there?

aarlauskas

Re: Force Strong Passwords - Appgini V5.81

Post by aarlauskas » 2020-02-14 07:32

Thanks Peebee! This fix is perfect for me and it should definitely be integrated into the actual AppGini program. Security is the top priority these days. Honestly, AppGini isn't a tool for keeping count of how many eggs I have left in my fridge, for God's sake.. (maybe for some). The team should concentrate on safety first before releasing anything else. Thanks a lot for your hard work Peebee, much appreciated. Have a great weekend.
