I asked a friend who is in IT at Dorset Council and he said he’d asked around but they didn’t know what password reset form this was.

A spot of forensics in the code you posted suggests it is written by a third party: https://www.placecube.com/ (from `com_placecube_digitalplace_user_account_CreateAccountPortlet`) - and they do indeed list Dorset Council as one of their clients.

Sounds like bad code to me, especially with Ralph’s analysis!

On 5 Nov 2024, at 13:27, Ralph Corderoy wrote:

Hi Terry,

> Neither ‘Caesar Augustus Rocks’ nor ‘Theresa May Sucks’ is accepted
> despite being ‘valid dictionary words’.
>
> OK.  I can see that proper nouns may not be acceptable

Oh, they're fine as line 2 ignores case.

> but which lines reject the words Rocks, May or Sucks?

Line 34.

> Are there separate lines to cover Caesar, Augustus or Theresa?

Line 35.

> 2.  Create a new password, avoiding the words that the regex is
> currently rejecting.

The regexp is a blacklist of what sequences of characters mustn't occur
anywhere in the password.  It doesn't make use of word boundaries, which
could be considered another bug.

> (Degree in Computer Science needed here.)

No, just an understanding of regular languages; level 3, the lowest, in
Chomsky's hierarchy of grammars.  Natural languages, like English, are
the highest, level 0, and you understand those.  Most computer languages
are level 2.  Or an understanding of finite automata.
https://en.wikipedia.org/wiki/Chomsky_hierarchy

Strictly speaking, regexps have broken free of regular languages with
some modern features, but the underlying understanding of them can stick
to regular languages.  I really should write a ‘man down the pub’s guide
to regular expressions for the Internet.

As Stephen suggested, I'm not sure if his email reached the list,
use something like https://regex101.com, paste the original regexp,
select flavour ‘Java 8’, and experiment with passwords.

> 'Cyberattacks rely on human error and weak passwords.  The length of
>  a password makes it stronger.  Using a variety of characters is not
>  so important.  Using a long password, also called a passphrase, is
>  more secure than passwords even if they use no special characters at
>  all.  An example is “orangemonkeyjumps”.'
>
> Clearly they are not rejecting concatenated words that omit spaces,

The regexp knows not of words, and doesn't blacklist spaces.

> and they do not reject the use of numbers or chars like '!'.

Correct.

> So most people would give up and use something simple like
> 'mypassword'.

That should work except this regexp is probably augmented by other
checks like a minimum length.

‘correct horse battery staple’.  https://xkcd.com/936/

--
Cheers, Ralph.

--
  Next meeting: Online, Jitsi, Tuesday, 2024-11-12 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  https://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
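The substring-blacklist behaviour Ralph describes above, as an added example that is not part of the thread and not the council form's actual code: the banned list below is a constructed stand-in chosen to reproduce the rejections discussed (the real regexp is not on this page), the case-insensitive alternation without word boundaries is the "bug" he points at, the `\b`-anchored variant shows what word boundaries would change, and the minimum-length rule is the extra check he guesses the real form adds.

```python
import re

# Constructed stand-in for the kind of blacklist discussed in the thread.
# The council form's real regexp is not reproduced here; these entries are
# assumptions chosen to reproduce the behaviour Ralph describes.
BANNED = ["caesar", "augustus", "theresa", "rocks", "may", "sucks", "password"]

# Naive form: alternation of banned sequences, case-insensitive (the thread
# says the original's line 2 ignores case) and with no word boundaries, so a
# banned sequence is rejected wherever it occurs, even inside another word.
NAIVE_BLACKLIST = re.compile(
    "|".join(re.escape(w) for w in BANNED), re.IGNORECASE)

# Same list anchored with \b on both sides, so only whole words are rejected.
# \b behaves the same way in Python and in the Java 8 flavour on regex101.
WORD_BLACKLIST = re.compile(
    r"\b(?:" + "|".join(re.escape(w) for w in BANNED) + r")\b", re.IGNORECASE)


def rejected_by(pattern, password):
    """Return the banned sequence that matched (lower-cased), or None."""
    m = pattern.search(password)
    return m.group(0).lower() if m else None


def check(password, min_length=12):
    """Illustrative policy (assumed, not the form's): the naive blacklist
    plus a minimum length.  Returns a list of reasons; an empty list means
    the password is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    hit = rejected_by(NAIVE_BLACKLIST, password)
    if hit is not None:
        reasons.append("contains banned sequence %r" % hit)
    return reasons


if __name__ == "__main__":
    for candidate in ["Caesar Augustus Rocks", "Theresa May Sucks",
                      "dismayed sailor", "mypassword",
                      "orangemonkeyjumps", "correct horse battery staple"]:
        print("%-30s naive=%-9s words=%-9s policy=%s" % (
            candidate, rejected_by(NAIVE_BLACKLIST, candidate),
            rejected_by(WORD_BLACKLIST, candidate), check(candidate)))
```

Run it and compare the `naive` and `words` columns: 'dismayed sailor' is refused by the naive pattern because 'may' occurs inside 'dismayed', but passes once the alternation is wrapped in `\b`. 'mypassword' fails on both length and the blacklist, while the two passphrases from the thread are accepted by every check, which is the point Ralph makes.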
--
 Next meeting: Online, Jitsi, Tuesday, 2024-11-12 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  https://dorset.lug.org.uk
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk

Reply via email to