Subjecting Password fields to strength validation

We have an admin form that allows our BPM users to change their password.  Currently the admin form accepts the new password as plain text (not as a password field) and then sends it to a PL/SQL function to perform strength validation (min # of chars, etc).

 

I have been requested by management to mask the input on the form, however this has caused problems with validation.  I can no longer validate the strength of the password because a password field hashes the input and stores the hash in the local variable.

 

I thought about putting a regular expression on the field, but that option isn't available for password fields.

 

Does anyone have any experience with this?  Is there any way to perform a strength validation on the password fields?  If not is there any way to hide what is being input in the text field without also hashing it?

 

Any other ideas?

 

Thanks!

 

Josh

Comments

  • Josh,

     

    One option is to validate the strength on the client side or use a client side function to read the plain text version and copy this to a hidden field so you can validate the strength server side.  From memory I think the password field's contents are only hashed as it goes back to the server...

     

    Cheers,

     

    Paul.

  • Yup, I already tried that.  In JScript, eWorkGetField returns the hashed value.

  • That's odd - what version are you using?

    We're running 7.6.3 at a customer site where we do exactly what I described using the client side eworkGetField to validate the password strength and it works perfectly - we are using it through SWIFT which is 3rd party layer though so this may be the difference?

     

    Cheers,

     

    Paul.

  • This particular admin form is running v7.6 in a side by side environment with v9.1.2.  No add-ons like Swift.

  • V9 no longer makes available to you the unencrypted value using eworkgetfield.

     

    I've had to do the same thing by populating a hidden textbox with the unencrypted password client side:

     

    document.getElementById("hiddenPassword_Editor").value = document.getElementById("visiblePassword_Editor").value;

     

    On the server side, I use the unencrypted value to check strength and then MD5 encrypt it, compare it to the encrypted password and enter that into the database.
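    The approach the two replies above describe (check the strength client side, then copy the plaintext into a hidden field so the server can validate it too), written out as an added example; this is not code from the thread or from Metastorm. The rule set is an assumption (the question only says "min # of chars, etc"), the `makeFakeDocument` stand-in is constructed so the code runs outside a browser, and the field ids are the ones used in the comment above.

```javascript
// Strength rules: assumed for this example, the original PL/SQL rules are not on the page.
const RULES = [
  { name: "minLength", test: (pw) => pw.length >= 8 },
  { name: "upper", test: (pw) => /[A-Z]/.test(pw) },
  { name: "lower", test: (pw) => /[a-z]/.test(pw) },
  { name: "digit", test: (pw) => /[0-9]/.test(pw) },
  { name: "noWhitespace", test: (pw) => !/\s/.test(pw) },
];

// Returns the names of the rules the password fails (empty array = acceptable).
function checkPasswordStrength(pw) {
  return RULES.filter((rule) => !rule.test(pw)).map((rule) => rule.name);
}

// Copies the plaintext from the visible password field into the hidden text field
// (ids taken from the comment above) and returns what was copied.
function copyPasswordToHidden(
  doc,
  visibleId = "visiblePassword_Editor",
  hiddenId = "hiddenPassword_Editor"
) {
  const visible = doc.getElementById(visibleId);
  const hidden = doc.getElementById(hiddenId);
  if (!visible || !hidden) {
    throw new Error("password fields not found: " + visibleId + " / " + hiddenId);
  }
  hidden.value = visible.value;
  return hidden.value;
}

// Pre-submit handler: only copy the plaintext across when the client-side
// check passes, so a weak password never reaches the hidden field.
function onBeforeSubmit(doc, visibleId = "visiblePassword_Editor", hiddenId = "hiddenPassword_Editor") {
  const pw = doc.getElementById(visibleId).value;
  const failures = checkPasswordStrength(pw);
  if (failures.length > 0) {
    return { ok: false, failures };
  }
  copyPasswordToHidden(doc, visibleId, hiddenId);
  return { ok: true, failures: [] };
}

// Constructed stand-in for the browser's document object so the example runs offline.
function makeFakeDocument(values) {
  const fields = {};
  for (const id of Object.keys(values)) {
    fields[id] = { value: values[id] };
  }
  return { getElementById: (id) => fields[id] || null };
}

// Stand-alone run with constructed input.
const demoDoc = makeFakeDocument({
  visiblePassword_Editor: "Passw0rd",
  hiddenPassword_Editor: "",
});
console.log(JSON.stringify(onBeforeSubmit(demoDoc)));
```

    The hidden field travels with the form as plaintext, so this only makes sense on a form served over HTTPS, and the client-side rules are a convenience for the user: the server-side PL/SQL check stays the authoritative one, since anything in the browser can be bypassed.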

  • Thanks much! I'm up and running now.

     

    I'm actually using the encrypted value provided by Metastorm and passing both plain and encrypted versions to a PL/SQL to do strength and repetition check.