LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices


Reply
  Search this Thread
Old 02-24-2004, 01:50 PM   #1
dholingw
Member
 
Registered: Dec 2003
Distribution: Cent OS 4.1
Posts: 38

Rep: Reputation: 15
Why won’t this Java Script Work?


Greetings.

This is a snippet I found that forces new members to use an alphanumeric password. Actually, this script works exactly as it should, except… It insists on calling my cgi script “EVEN” if the wrong value in entered. In other words, instead of halting the process, it displays the alert message, but when you click “OK”, it calls the script anyway. This sort of defeats the purpose.

I know very little about Java scripting, other than how to cut and paste whatever I can find. Something simple here is missing. Would anyone know what that is? Have a look:

<script language="Javascript">
function chkFormat(){
var bad=0;
var req='';

if ((document.myform.password_1.value.length < 6)||(document.myform.password_1.value.length >10)){
req = req + 'Password must be 6-10 characters\n';
bad=1;}

var re_alphanum = /^[a-zA-Z0-9]{6,10}$/;
if (!re_alphanum.exec(document.myform.password_1.value)){
req = req + 'Invalid Password format, non-alphanumeric characters: '+ document.myform.password_1.value+'\n';
bad=1;}

var re_alpha = /[a-zA-Z]/;
if (!re_alpha.exec(document.myform.password_1.value)){
req = req + 'Invalid Password format, One alphanumeric character is required: '+ document.myform.password_1.value+'\n';
bad=1;}

var re_num = /[0-9]/;
if (!re_num.exec(document.myform.password_1.value)){
req = req + 'Invalid Password format, One numeric character is required: '+ document.myform.password_1.value+'\n';
bad=1;}

if (bad){
alert('The Following Problems were Encountered:\n'+req);
return false;
}else{
alert('Good Password');
return true;
}
}
</script>


<body bgcolor="#FFFFFF" text="#000000">
<form name="myform" method="post" action="http://mydomain.com/cgi-bin/script.cgi" javascript:void(0);" onsubmit="chkFormat();">
<input type="text" name="password_1">
<input type="submit" name="Submit" value="Submit">
</form>


Would really appriciate any help,

Dave H
 
Old 02-25-2004, 02:43 PM   #2
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
I'm not a javascript expert, but it looks like the javascript part is okay... looks more like the HTML part is broken, especially this line:

Code:
<form
name="myform"
method="post"
action="http://mydomain.com/cgi-bin/script.cgi"
java script:void(0);"
onsubmit="chkFormat();">
There's a seemingly extra chunk of text: 'java script:void(0);"' which occurs outside of the action="" and onsubmit="" parts, so that is probably part of the problem.... also, I'm guessing that you don't actually want the action="" part to be a reference to the script, since it will submit it to that cgi script and call your chkFormat() script at the same time; the form gets submitted regardless, and the return value (true or false) from chkFormat() just gets ignored. I think your action="" needs to be action="javascript:void(0);", and onsubmit="" needs to call a second javascript function that decides what to do depending on whether chkFormat() succeeds or fails; that second function could call chkFormat(), and if it succeeds, submit the form to your cgi script; if it fails, just return and don't do anything.

I'm not sure what else to tell ya... Find another site that does what you're looking for and see how they did it

Last edited by wapcaplet; 02-25-2004 at 02:44 PM.
 
Old 02-25-2004, 03:05 PM   #3
dholingw
Member
 
Registered: Dec 2003
Distribution: Cent OS 4.1
Posts: 38

Original Poster
Rep: Reputation: 15
Indeed. After 2-days of looking around, I finally found it. All that needed to be changed was this:

Replace:

onsubmit="chkFormat();"

With:

onsubmit="return chkFormat();" and it works :-)

After looking at every major java script site in the world, I’m really surprised at the lack of ‘working’ alphanumeric examples, that webmasters can deploy to deter users from assigning themselves ‘hack friendly’ passwords.

During my travels, I observed archives of scripts that could accomplish some amazingly impressive stuff, yet little or nothing in the password security department. While I am sure there are many other ways to do this, the java script route can certainly be the fastest and easiest. In any event, it’s working well, and I’m finally seeing signups that are using strong passwords.

Well.. If anyone else on this form is looking for a way to discourge the use of "brute force friendly passwords", hopefully this small snippet will help

Appriciate your reply wapcaplet,

Dave H
 
Old 02-25-2004, 04:12 PM   #4
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
If you're really concerned about password security, you might want to look into establishing a secure (encrypted) transmission using HTTPS, if you haven't already; normally, text is sent to and from websites without any encryption, so anyone monitoring the traffic could read the passwords.
 
Old 02-25-2004, 04:41 PM   #5
dholingw
Member
 
Registered: Dec 2003
Distribution: Cent OS 4.1
Posts: 38

Original Poster
Rep: Reputation: 15
True enough. I provide a specialty information information resource, which is accessible to members for a small annual fee. While I personally attribute great value to my resource, I’m not so sure it would be of interest to most crackers, and or most of the world for that matter, so on a security priority from 1 to 10, I’d probably label my stuff about a 4.

I should also point out that I ‘have’ managed to successfully kill brute force attacks; event at a rate of 1 proxy per 3 attempts, or less. Using a simple php script, and Mysql, I’m able to write each failed attempt to the db, and then back to the .htaccess file. It’s remarkably efficient. For testing, I used a high-powered server on a DS3 connection to pound the daylights out of it through multiple proxy’s, and the highest load I could drive (my server here) up to, never exceeded 1.00 after 10-minutes.

The only downside, is that my members are limited to 4 unsuccessful attempts before they trip the kill reaper, and at which point they much contact me to clear the block, or wait 12-hours until my cron job clears the db and .htaccess file. Most of them know this, so problems have been minimal.

Anyway… I wanted an added level of protection by eliminating what are essentially ‘dumb’ passwords during the signup process, and I’ve managed to accomplish that

Thanks again,

D.

Last edited by dholingw; 02-25-2004 at 04:42 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
BootP won;t work but DHCP will rhaley Linux - Networking 1 06-10-2005 12:37 PM
Speedstepping on IBM Thinkpad T20 won´t work atzalan Linux - Laptop and Netbook 0 11-23-2004 04:53 AM
Cronjob won`t work in /var nodger Linux - Software 3 11-02-2004 07:44 PM
Boot screen won,t work help!!!!!! drysac Mandriva 4 11-02-2004 01:07 PM
Why won’t this init.d startup script work? dholingw Linux - Software 2 06-08-2004 03:40 PM

LinuxQuestions.org > Forums > Non-*NIX Forums > Programming

All times are GMT -5. The time now is 07:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration