Redirecting users to reset their password if current one doesn't meet strength requirements

Thread began 4/04/2022 7:08 am by Mags | Last modified 5/26/2022 1:25 pm by Ray Borduin | 355 views | 11 replies |

Mags

Hi Ray, I want to force existing website users to reset their passwords if they don't meet the current updated strength criteria. I've duplicated the current login page to test this and have added a message to it which displays if the user inputs a password that doesn't meet the REGEXP criteria. It works fine, however it also displays that message if they input an incorrect password - it should only display if the password is correct AND too short. I can't see where I'm going wrong - can you help? Page is attached.

Ray Borduin (WebAssist)

If the password fails the regex, then it doesn't check to see if the username and password are valid. You would probably need to add a recordset to the page and filter it with the "failed validations" values so you could check to see if it failed validation but would have found a record for login if it hadn't. If that recordset filtered by the failed validation username and password has a row in it, then you know they would have been logged in if the validation hadn't failed.

Mags

Not sure that will work though as I'm using SHA1 encryption and my understanding is that the system can't decrypt passwords, and since the encrypted value doesn't match the number of characters in the actual password, I can't match that either. Not to worry, I may just use the POST value - the chances are if a user inputs an incorrect password, it would probably be a similar length to the real password and they'd be told to update it anyway, which probably isn't a bad thing.

Ray Borduin (WebAssist)

OK, but it could be done. SHA1 can't be decrypted, but it always encrypts the same, so you can compare the encrypted value in the database to the encrypted version of the submitted value to make sure they are the same in the database. However, your solution of just using the form element is probably better anyway for the reasons you stated.

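The ordering Ray describes, worked through as an added example (this is not the thread's own code and not WebAssist's): the submitted password is hashed and compared with the stored hash, and only a password that matches is then measured against the strength rule, so a wrong guess gets the ordinary "invalid" result instead of the reset message. A second function keeps the ordering from the first post (regex before lookup) to show why an incorrect password also triggered the message there. Python with an in-memory SQLite table stands in for the PHP/MySQL page; the users table, the strength regex and the assumption that WA_SHA1Encryption() is an unsalted hex SHA-1 are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import sqlite3

# Assumed strength rule (the thread does not show its REGEXP): at least
# 8 characters with an upper-case letter, a lower-case letter, a digit
# and a non-alphanumeric character.
STRENGTH_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$")


def sha1_hex(password: str) -> str:
    """Assumed equivalent of WA_SHA1Encryption(): unsalted hex SHA-1.

    It is deterministic, which is what makes the comparison below work; it is
    also unsalted and fast, so it is not a recommended password hash.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    # Minimal stand-in for the site's users table (constructed for the example).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " UserID INTEGER PRIMARY KEY,"
        " user_name TEXT UNIQUE NOT NULL,"
        " user_pass TEXT NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    conn.execute(
        "INSERT INTO users (user_name, user_pass) VALUES (?, ?)",
        (name, sha1_hex(password)),
    )
    conn.commit()


def credentials_valid(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hash the submitted password and compare it with the stored hash."""
    row = conn.execute(
        "SELECT user_pass FROM users WHERE user_name = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(row[0], sha1_hex(password))


def login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Return 'invalid', 'must_reset' or 'ok'.

    Credentials are checked first, so the strength rule is only applied to a
    password that is actually correct; a wrong guess, however short, gets the
    ordinary 'invalid' result.
    """
    if not credentials_valid(conn, username, password):
        return "invalid"
    if not STRENGTH_RE.match(password):
        return "must_reset"
    return "ok"


def login_regex_first(conn: sqlite3.Connection, username: str, password: str) -> str:
    """The ordering from the first post: the regex runs before the lookup, so
    any weak-looking submission, correct or not, triggers the reset message."""
    if not STRENGTH_RE.match(password):
        return "must_reset"
    if not credentials_valid(conn, username, password):
        return "invalid"
    return "ok"


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "Sunny2022!")  # meets the rule
    add_user(db, "bob", "short1")        # legacy password that does not
    for user, pw in [("alice", "Sunny2022!"), ("bob", "short1"), ("bob", "wrong")]:
        print(user, repr(pw), "->", login(db, user, pw),
              "/ regex first:", login_regex_first(db, user, pw))
```

Run as a script it prints the three outcomes side by side: only "bob" with his real password "short1" gets "must_reset" from login(), while login_regex_first() returns "must_reset" for "wrong" as well. The same hash comparison is what the later posts use to compare a submitted password against stored ones.
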
Mags

Yes, I hadn't thought of that. I can use that method for something else I need to do though, as I also need to put in place a check to make sure that when users update their password, they use a different one so that would be the way to do it!

Mags

Prevent users from re-using previous passwords

Hi Ray, I'm now working on what you suggested above so that I can compare a submitted password with values stored in the database, as I want to stop users from re-using any of the last 10 passwords they've set. I've set up a password history table which records all updated passwords, added a recordset to the page and limited it to 10 rows, then added server validation to check if the submitted password is NOT like any of the passwords in the recordset. It always fails validation though, so not sure if I've got the validation syntax correct. I'm also not sure if it will loop through the recordset? Would you mind taking a look at the page for me to see what I've done wrong?

A further thought - should I be using the Unique Database value validation instead? If I did that though, how would I limit it to only check the passwords for that particular user since there's always the chance that more than one person has used "Password1!" or similar!

Ray Borduin (WebAssist)

Unique value validation isn't complex enough to cover your scenario, so you are doing the right thing by using a custom Recordset. I think you can use something like:

php:
<?php
// Pull the user's ten most recent password hashes and keep only the rows
// whose hash equals the hash of the password being submitted.
// LIMIT belongs inside the subquery: the recordset's own row limit (the 10
// passed to the constructor) only caps the outer result, it does not narrow
// the history to the last ten entries.
$rsPWHistory = new WA_MySQLi_RS("rsPWHistory", $Composite, 10);
$rsPWHistory->setQuery("SELECT * FROM (SELECT * FROM pw_history WHERE pw_history.UserID = ? ORDER BY HistoryID DESC LIMIT 10) AS Last10 WHERE Last10.user_pass = ?");
$rsPWHistory->bindParam("d", "".$_SESSION['SecurityAssist_ID']."", "-1"); //ParamID
// The stored value is a hash string, so bind it as a string ("s"), not a number.
$rsPWHistory->bindParam("s", "".(isset($_POST["User_Update_group_2_Password"])?WA_SHA1Encryption($_POST["User_Update_group_2_Password"]):"")."", "-1"); //ParamPass
$rsPWHistory->execute();
?>


Then your validation can just be number validation that the value of: $rsPWHistory->TotalRows is < 1

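Ray's query, worked through as an added example (not the thread's own code): Python with an in-memory SQLite table pw_history(HistoryID, UserID, user_pass) stands in for the PHP/MySQL page, and WA_SHA1Encryption() is assumed to be an unsalted hex SHA-1. The check filters by UserID before it looks for the hash, which is what answers the earlier question about two users both having used "Password1!", and it keeps the LIMIT inside the subquery: a row limit on the outer recordset only caps how many matching rows come back, it does not shrink the history window to the last ten entries. The `limit_inner=False` switch is included only to show that difference.

```python
import hashlib
import sqlite3


def sha1_hex(password: str) -> str:
    """Assumed equivalent of WA_SHA1Encryption(): unsalted hex SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    # Stand-in for the page's pw_history table (constructed for the example).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pw_history ("
        " HistoryID INTEGER PRIMARY KEY AUTOINCREMENT,"
        " UserID INTEGER NOT NULL,"
        " user_pass TEXT NOT NULL)"
    )
    return conn


def record_password(conn: sqlite3.Connection, user_id: int, password: str) -> None:
    """Append the hash of a newly set password to the user's history."""
    conn.execute(
        "INSERT INTO pw_history (UserID, user_pass) VALUES (?, ?)",
        (user_id, sha1_hex(password)),
    )
    conn.commit()


def reuse_count(conn: sqlite3.Connection, user_id: int, candidate: str,
                window: int = 10, limit_inner: bool = True) -> int:
    """Rows among the user's last `window` history entries whose hash equals
    the hash of `candidate` (the TotalRows the validation looks at).

    With limit_inner=False the subquery returns the user's whole history, as
    it would if LIMIT were applied only to the outer recordset; the match then
    covers every password the user ever had, not just the last `window`.
    """
    inner = (
        "SELECT user_pass FROM pw_history"
        " WHERE UserID = ? ORDER BY HistoryID DESC"
    )
    params = [user_id]
    if limit_inner:
        inner += " LIMIT ?"
        params.append(window)
    params.append(sha1_hex(candidate))
    sql = f"SELECT COUNT(*) FROM ({inner}) AS LastN WHERE LastN.user_pass = ?"
    (count,) = conn.execute(sql, params).fetchone()
    return count


def password_is_reused(conn: sqlite3.Connection, user_id: int, candidate: str,
                       window: int = 10) -> bool:
    """The server validation: reject unless the count is < 1."""
    return reuse_count(conn, user_id, candidate, window) >= 1


if __name__ == "__main__":
    db = open_db()
    for n in range(1, 13):                 # user 1 has set 12 passwords in turn
        record_password(db, 1, f"Pass{n}!")
    record_password(db, 2, "Pass5!")       # another user happened to pick one of them
    print("user 1 reusing Pass1! :", password_is_reused(db, 1, "Pass1!"))   # False, outside the last 10
    print("user 1 reusing Pass3! :", password_is_reused(db, 1, "Pass3!"))   # True
    print("user 2 reusing Pass7! :", password_is_reused(db, 2, "Pass7!"))   # False, user 1's history is not user 2's
    print("no inner LIMIT, Pass1!:", reuse_count(db, 1, "Pass1!", limit_inner=False))  # 1
```

The history row should be written when the update succeeds, after this check has passed, or the password being set is immediately counted as "already used". As with the login check, a salted, slow password hash would be the better choice for both tables; the comparison logic is the same either way.
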
Mags

I updated the recordset and added number validation but it's giving me the following error:

Fatal error: Uncaught ArgumentCountError: Too few arguments to function WAValidateNM(), 3 passed in /var/www/vhosts/xxxxxxxx/httpdocs/my-account-details2.php on line 59 and exactly 7 expected in /var/www/vhosts/xxxxxxx/httpdocs/webassist/form_validations/wavt_scripts_php.php:443 Stack trace: #0 /var/www/vhosts/xxxxxxx/httpdocs/my-account-details2.php(59): WAValidateNM() #1 {main} thrown in /var/www/vhosts/xxxxxxx/httpdocs/webassist/form_validations/wavt_scripts_php.php on line 443

I've obviously done something wrong in the validation code. I've attached the updated page.

Ray Borduin (WebAssist)

It should probably be something like:

$WAFV_Errors .= WAValidateNM(($rsPWHistory->TotalRows) . "",0,0,0,",.",false,11);

Mags

It works!!

Now the only small issue I'm having is that the error message which displays when validation fails for that condition (11) isn't clearing when the password has been successfully updated. Is it maybe because I have two separate forms on the page and I need to add something to clear errors in the second form?
