langleyfoxall / laravel-nist-password-rules Goto Github PK

It is not possible to use other language dictionary word lists. I created a PR #52 to solve this.

When are you planning to release support for Laravel 9.x?

In my application I have an area where user's can update their password by providing:

• Their current password
• Their new password
• Their new password again

I have a method that looks like this:

/**
 * Change the password for the current logged in user
 *
 * @param  Request $request
 * @return void
 */
public function changePassword(UpdatePassword $request)
{
    $data = $request->validated();

    auth()->user()->update(['password' => $data['new-password']]);

    event(new PasswordChanged(auth()->user()));

    return redirect()->back()->with('success', 'Your password has been updated successfully');
}

This uses a Form Request called UpdatePassword.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use LangleyFoxall\LaravelNISTPasswordRules\PasswordRules;

class UpdatePassword extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'current-password' => 'required|string',
            'new-password' => array_merge(
                [
                    'regex:/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{6,}$/',
                ],
                PasswordRules::changePassword($this->email, $this->current_password),
            ),
        ];
    }

    /**
     * Get the error messages for the defined validation rules.
     *
     * @return array
     */
    public function messages()
    {
        return [
            'current-password.required' => 'Please enter your current password',
            'new-password.regex' => 'The password provided does not match the minimum strength requirement',
            'new-password.different' => 'Please ensure your new password is different to your old password',
            'new-password.confirmed' => 'Please ensure your new passwords match',
        ];
    }
}

I've tried to simply pass in the email and pass, but they're not real properties.

Is there any way to do what I'm attempting in this way?

I'm trying to give my own custom messages to the validation rules but can't find how to setMessage for these ones:

laravel-nist-password-rules::validation.can-not-be-sequential-characters
laravel-nist-password-rules::validation.found-in-data-breach

i'm using form request for this purpose:

public function rules()
{
    return [
        'password' => array_merge(
            [
                new UnusedPassword((int) $this->segment(4)),
                (new BreachedPasswords())->setMessage(__('La contraseña ha sido expuesta en una violación de datos.')),
            ],
            PasswordRules::changePassword($this->email)
        ),
    ];
}

public function messages()
{
    return [
        'password.min' => __('La contraseña debe tener al menos 8 caracteres.'),
    ];
}

Custom message for BreachedPasswords() works but can't do the same for:

        new SequentialCharacters(),
        new RepetitiveCharacters(),

is this possible ?

Thanks

As php-coveralls is currently not supporting Guzzle 7.0, which is a requirement for Laravel 8.0, this package is not installable at the moment.
php-coveralls/php-coveralls#287

@ziming submitted pr #44 which includes several improvements we should consider for future releases:

• Allowing the use of Laravel 8's built in uncompromised password check where available
• Removal of EOL PHP versions (< 7.4)

At the time of our most recent update we did not want to merge this as it could break support for legacy apps, but I have created this issue for reference as these are good ideas which we may wish to include in the next major version.

Hi

while testing, managed to create a password of telephone134 - Should this be allowed? It's a single dictionary word or does the addition of non-sequential chars make that ok?

Thanks

According to NIST rules:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

Those rules prevent consecutively repeated characters due to misunderstanding another requirement in NIST Password Guidelines.

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

• Passwords obtained from previous breach corpuses.
• Dictionary words.
• Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
• Context-specific words, such as the name of the service, the username, and derivatives thereof.

This is about what such a list of known bad passwords may contain. aaaaaa is obviously a bad password, but say, something like Bg(=SRjSxxxx5[=thpmm?God)X~$i_[:(t44m=kF('waq7H}k8\r<]2Q]~>\($9zD<[G4Y5a,/="L`?{E]Af(;`jsk,mPk}*/y)kuZ:7ps\k{NqAb:Fx[AWL"%G92$Gk I would argue isn't insecure, even if x happens to repeat four times.

Specifically, the intent of the rule is that it should be a finite list of known insecure passwords, not a rule intending to find bad passwords (that can find an infinite number of "insecure" passwords).

• DictionaryWords
• RepetitiveCharacters
• SequentialCharacters

rules are won't work on windows, PHP_EOL on Windows is not "\n" but "\r\n".

The passwords property has incorrect value, only has one item with the full content of txt, instead of one item per row.

I have 2 suggestion:

1. change explode to preg_split. preg_split('/\n|\r\n?/', file_get_contents(self::PASSWORDS_FILE))
2. or just hardcode the \n line end character. explode('\n', file_get_contents(self::PASSWORDS_FILE))

FatalErrorException in SequentialCharacters.php line 13:
Interface 'Illuminate\Contracts\Validation\Rule' not found

when calling

// Register
        $this->validate($request, [
            'email' => 'required',
            'password' => PasswordRules::register($request->email),
        ]);

on Laravel 5.4

Any suggestions?

As the title says, do you think it's a good idea to add a new rule that checks against the NIST guideline of

Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).

Source: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

We should attempt to implement login rate limiting as part of these validation rules, as described in NIST SP800-63b section 5.2.2.

the verifier SHALL implement controls to protect against online guessing attacks.
the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100.
Requiring the claimant to wait following a failed attempt for a period of time that increases as the account approaches its maximum allowance for consecutive failed attempts (e.g., 30 seconds up to an hour).

Source: https://pages.nist.gov/800-63-3/sp800-63b.html#throttle

It would also be useful to provide Artisan commands that will remove login bans / delays entirely or for specific users / IPs.

@DivineOmega thanks!

i have installed guzzlehttp/guzzle ~7.0, when trying to install this package i received that

Problem 1
- Installation request for langleyfoxall/laravel-nist-password-rules ^4.3 -> satisfiable by langleyfoxall/laravel-nist-password-rules[v4.3.0].
- Can only install one of: guzzlehttp/guzzle[7.0.1, 6.5.x-dev].
- Can only install one of: guzzlehttp/guzzle[6.5.x-dev, 7.0.1].
- Can only install one of: guzzlehttp/guzzle[6.5.x-dev, 7.0.1].
- Conclusion: install guzzlehttp/guzzle 6.5.x-dev
- Installation request for guzzlehttp/guzzle (locked at 7.0.1, required as ^7.0) -> satisfiable by guzzlehttp/guzzle[7.0.1].

is there away to upgrade please, thank you

When are you planning to release support for Laravel 10?

In testing (specifically using PasswordRules::optionallyChangePassword) I entered the password "CorrectHorseBatteryStaple"; the message reads:

The password and password confirmation must be different.

This is confusing for the user, as their password and password confirmation must match - Please consider changing this to something that better represents the actual error, such as "Your password cannot be based on dictionary words".

Blocking us to upgrade to Laravel 9, could you please kindly merge PR?

I would love to use the nist-password-rules part of this package in applications which are not built on laravel.

do you think it would be possible to devide this package into 2 parts.. one only containg of the nist-password-rules part and another one which bridges this nist-password-rules with laravel?