Password policy: MDL-17602 new "max consecutive identical characters" setting

diff --git a/admin/settings/security.php b/admin/settings/security.php
index cbd405e7e918b01e3572d10ee87fa5bad9b4e67c..8144a2cf4bc2b395b7eab5b717710503f194602e 100644 (file)
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -66,6 +66,7 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
     $temp->add(new admin_setting_configtext('minpasswordlower', get_string('minpasswordlower', 'admin'), get_string('configminpasswordlower', 'admin'), 1, PARAM_INT));
     $temp->add(new admin_setting_configtext('minpasswordupper', get_string('minpasswordupper', 'admin'), get_string('configminpasswordupper', 'admin'), 1, PARAM_INT));
     $temp->add(new admin_setting_configtext('minpasswordnonalphanum', get_string('minpasswordnonalphanum', 'admin'), get_string('configminpasswordnonalphanum', 'admin'), 1, PARAM_INT));
+    $temp->add(new admin_setting_configtext('maxconsecutiveidentchars', get_string('maxconsecutiveidentchars', 'admin'), get_string('configmaxconsecutiveidentchars', 'admin'), 3, PARAM_INT));
     $temp->add(new admin_setting_configcheckbox('disableuserimages', get_string('disableuserimages', 'admin'), get_string('configdisableuserimages', 'admin'), 0));
     $temp->add(new admin_setting_configcheckbox('emailchangeconfirmation', get_string('emailchangeconfirmation', 'admin'), get_string('configemailchangeconfirmation', 'admin'), 1));
     $ADMIN->add('security', $temp);

diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php
index 58b45df9804dc70c0505fa655d3fcc2f01a57e8b..0e4134ebd9c8dfe88ecfa960778d1292e1568b32 100644 (file)
--- a/lang/en_utf8/admin.php
+++ b/lang/en_utf8/admin.php
@@ -186,6 +186,7 @@ $string['configmaxevents'] = 'Events to Lookahead';
 $string['configmemcachedhosts'] = 'For memcached. Comma-separated list of hosts that are running the memcached daemon. Use IP addresses to avoid DNS latency. memcached does not behave well if you add/remove hosts on a running setup.';
 $string['configmemcachedpconn'] = 'For memcached. Use persistent connections. Use carefully -- it can make Apache/PHP crash after a restart of the memcached daemon.';
 $string['configmessaging'] = 'Should the messaging system between site users be enabled?';
+$string['configmaxconsecutiveidentchars'] = 'Passwords must not have more than this number of consecutive identical characters. Use 0 to disable this check.';
 $string['configminpassworddigits'] = 'Passwords must have at least these many digits.';
 $string['configminpasswordlength'] = 'Passwords must be at least these many characters long.';
 $string['configminpasswordlower'] = 'Passwords must have at least these many lower case letters.';
@@ -554,6 +555,7 @@ $string['mediapluginwmv'] = 'Enable .wmv filter';
 $string['memcachedhosts'] = 'memcached hosts';
 $string['memcachedpconn'] = 'memcached use persistent connections';
 $string['messaging'] = 'Enable messaging system';
+$string['maxconsecutiveidentchars'] = 'Consecutive identical characters';
 $string['minpasswordlength'] = 'Password Length';
 $string['minpassworddigits'] = 'Digits';
 $string['minpasswordlower'] = 'Lowercase letters';

diff --git a/lang/en_utf8/auth.php b/lang/en_utf8/auth.php
index ad020d497bb8866485f910df3d492f36d7add5d0..558215d675ca6e339b720cd1a274a7316fd0a172 100644 (file)
--- a/lang/en_utf8/auth.php
+++ b/lang/en_utf8/auth.php
@@ -380,6 +380,7 @@ $string['changepasswordhelp'] = 'Here you can specify a location at which your u
 $string['chooseauthmethod'] = 'Choose an authentication method';
 $string['createpasswordifneeded'] = 'Create password if needed';
 $string['errorpasswordupdate'] = 'Error updating password, password not changed';
+$string['errormaxconsecutiveidentchars'] = 'Passwords must have at most $a consecutive identical characters.';
 $string['errorminpasswordlength'] = 'Passwords must be at least $a characters long.';
 $string['errorminpassworddigits'] = 'Passwords must have at least $a digit(s).';
 $string['errorminpasswordlower'] = 'Passwords must have at least $a lower case letter(s).';

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index d3f633fb23e8facc46aaf15512739f8451ef5b13..7942c66ea5392abb427b94ee10c2c65d09929e38 100644 (file)
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -3414,6 +3414,9 @@ function check_password_policy($password, &$errmsg) {
     if (preg_match_all('/[^[:upper:][:lower:][:digit:]]/u', $password, $matches) < $CFG->minpasswordnonalphanum) {
         $errmsg .= '<div>'. get_string('errorminpasswordnonalphanum', 'auth', $CFG->minpasswordnonalphanum) .'</div>';
     }
+    if (!check_consecutive_identical_characters($password, $CFG->maxconsecutiveidentchars)) {
+        $errmsg .= '<div>'. get_string('errormaxconsecutiveidentchars', 'auth', $CFG->maxconsecutiveidentchars) .'</div>';
+    }
 
     if ($errmsg == '') {
         return true;
@@ -8397,5 +8400,40 @@ function get_site_identifier() {
     return $CFG->siteidentifier;
 }
 
+/**
+ * Check whether the given password has no more than the specified
+ * number of consecutive identical characters.
+ *
+ * @param string $password   password to be checked agains the password policy
+ * @param integer $maxchars  maximum number of consecutive identical characters
+ */
+function check_consecutive_identical_characters($password, $maxchars) {
+
+    if ($maxchars < 1) {
+        return true; // 0 is to disable this check
+    }
+    if (strlen($password) <= $maxchars) {
+        return true; // too short to fail this test
+    }
+
+    $previouschar = '';
+    $consecutivecount = 1;
+    foreach (str_split($password) as $char) {
+        if ($char != $previouschar) {
+            $consecutivecount = 1;
+        }
+        else {
+            $consecutivecount++;
+            if ($consecutivecount > $maxchars) {
+                return false; // check failed already
+            }
+        }
+
+        $previouschar = $char;
+    }
+
+    return true;
+}
+
 // vim:autoindent:expandtab:shiftwidth=4:tabstop=4:tw=140:
 ?>