Greetings.

This is a snippet I found that forces new members to use an alphanumeric password. Actually, this script works exactly as it should, except… It insists on calling my cgi script “EVEN” if the wrong value in entered. In other words, instead of halting the process, it displays the alert message, but when you click “OK”, it calls the script anyway. This sort of defeats the purpose.

I know very little about Java scripting, other than how to cut and paste whatever I can find. Something simple here is missing. Would anyone know what that is? Have a look:

<script language="Javascript">
function chkFormat(){
var bad=0;
var req='';

if ((document.myform.password_1.value.length < 6)||(document.myform.password_1.value.length >10)){
req = req + 'Password must be 6-10 characters\n';
bad=1;}

var re_alphanum = /^[a-zA-Z0-9]{6,10}$/;
if (!re_alphanum.exec(document.myform.password_1.value)){
req = req + 'Invalid Password format, non-alphanumeric characters: '+ document.myform.password_1.value+'\n';
bad=1;}

var re_alpha = /[a-zA-Z]/;
if (!re_alpha.exec(document.myform.password_1.value)){
req = req + 'Invalid Password format, One alphanumeric character is required: '+ document.myform.password_1.value+'\n';
bad=1;}

var re_num = /[0-9]/;
if (!re_num.exec(document.myform.password_1.value)){
req = req + 'Invalid Password format, One numeric character is required: '+ document.myform.password_1.value+'\n';
bad=1;}

if (bad){
alert('The Following Problems were Encountered:\n'+req);
return false;
}else{
alert('Good Password');
return true;
}
}
</script>


<body bgcolor="#FFFFFF" text="#000000">
<form name="myform" method="post" action="http://mydomain.com/cgi-bin/script.cgi" javascript:void(0);" onsubmit="chkFormat();">
<input type="text" name="password_1">
<input type="submit" name="Submit" value="Submit">
</form>


Would really appriciate any help,

Dave H

I'm not a javascript expert, but it looks like the javascript part is okay... looks more like the HTML part is broken, especially this line:

There's a seemingly extra chunk of text: 'java script:void(0);"' which occurs outside of the action="" and onsubmit="" parts, so that is probably part of the problem.... also, I'm guessing that you don't actually want the action="" part to be a reference to the script, since it will submit it to that cgi script and call your chkFormat() script at the same time; the form gets submitted regardless, and the return value (true or false) from chkFormat() just gets ignored. I think your action="" needs to be action="javascript:void(0);", and onsubmit="" needs to call a second javascript function that decides what to do depending on whether chkFormat() succeeds or fails; that second function could call chkFormat(), and if it succeeds, submit the form to your cgi script; if it fails, just return and don't do anything.

I'm not sure what else to tell ya... Find another site that does what you're looking for and see how they did it

Indeed. After 2-days of looking around, I finally found it. All that needed to be changed was this:

Replace:

onsubmit="chkFormat();"

With:

onsubmit="return chkFormat();" and it works :-)

After looking at every major java script site in the world, I’m really surprised at the lack of ‘working’ alphanumeric examples, that webmasters can deploy to deter users from assigning themselves ‘hack friendly’ passwords.

During my travels, I observed archives of scripts that could accomplish some amazingly impressive stuff, yet little or nothing in the password security department. While I am sure there are many other ways to do this, the java script route can certainly be the fastest and easiest. In any event, it’s working well, and I’m finally seeing signups that are using strong passwords.

Well.. If anyone else on this form is looking for a way to discourge the use of "brute force friendly passwords", hopefully this small snippet will help

Appriciate your reply wapcaplet,

Dave H

If you're really concerned about password security, you might want to look into establishing a secure (encrypted) transmission using HTTPS, if you haven't already; normally, text is sent to and from websites without any encryption, so anyone monitoring the traffic could read the passwords.

True enough. I provide a specialty information information resource, which is accessible to members for a small annual fee. While I personally attribute great value to my resource, I’m not so sure it would be of interest to most crackers, and or most of the world for that matter, so on a security priority from 1 to 10, I’d probably label my stuff about a 4.

I should also point out that I ‘have’ managed to successfully kill brute force attacks; event at a rate of 1 proxy per 3 attempts, or less. Using a simple php script, and Mysql, I’m able to write each failed attempt to the db, and then back to the .htaccess file. It’s remarkably efficient. For testing, I used a high-powered server on a DS3 connection to pound the daylights out of it through multiple proxy’s, and the highest load I could drive (my server here) up to, never exceeded 1.00 after 10-minutes.

The only downside, is that my members are limited to 4 unsuccessful attempts before they trip the kill reaper, and at which point they much contact me to clear the block, or wait 12-hours until my cron job clears the db and .htaccess file. Most of them know this, so problems have been minimal.

Anyway… I wanted an added level of protection by eliminating what are essentially ‘dumb’ passwords during the signup process, and I’ve managed to accomplish that

Thanks again,

D.