Define "Complexity" rules?
Hi
I'm trying to come up with something, which may or may not be possible, for defining a set of "rules" (defined by the user) for password complexity.
I want to make sure that when a user creates a password, it is passed through the user-defined complexity rules to see if it validates.
How can one create such a complexity "engine" which is defined by the user?
Re: Define "Complexity" rules?
Generally these take the form of "Password must be at least X characters", "must contain at least Y letters", "must contain at least Z numeric characters", ...
It should be fairly easy to define a class representing such a rule in that form. You need a predicate function that returns whether a given character matches the rule and a minimum number of characters that must match the predicate for the password to be valid.
Re: Define "Complexity" rules?
Agreed, but I guess my question is difficult to put into words :)
Sure, us developers know about this. But what if the user wanted to come up with a rule something like "the password must contain their name"? Without having to redevelop to take this into consideration, there just wouldn't be a way of having such rules defined, would there?
Re: Define "Complexity" rules?
For an arbitrary rule like that, it would be difficult. It would be possible, but by then you're defining a DSL for password rules, and you're almost asking the admins to become programmers in your new language. What sort of software is this for? If it's internally deployed (in-house or web-based), it would be simpler just to make a change to the code by programmers. If it's shrink-wrap or downloaded from the internet, that's not going to work, so you might look into allowing plug-ins, but since they have to operate on the password thus have access to the password data, that's something of a security hole. (And doing it on the server side might not fly if your authentication protocol is a good one that doesn't rely on the server ever receiving the password in clear)
[Edit: <tl;dr> summary: sux to be you. ;)]
Re: Define "Complexity" rules?
Hehe. No, it was just a question; it's part of a spec for a client.
Re: Define "Complexity" rules?
Perhaps you could create a declarative (something like CSS) scripting language to define validation. However, it's a complicated (or at least time-consuming) solution.
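
An added example, not code from any poster in this thread: a small data-driven validator combining the "predicate plus minimum count" rule from the first reply with the declarative idea in the last one. The JSON layout, the rule type names (`min_count`, `contains_field`, `excludes_field`) and the `name` field are assumptions made for illustration; admins only choose from a fixed whitelist, so no plug-in code ever handles the password.

```python
import json
import string

# Fixed whitelist: admins pick predicates by name and never supply code.
CHAR_CLASSES = {
    "any": lambda c: True,
    "letter": str.isalpha,
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}

def load_rules(text):
    """Parse and validate a JSON rule list before it is ever used."""
    rules = json.loads(text)
    for r in rules:
        if r.get("type") == "min_count":
            if r.get("class") not in CHAR_CLASSES:
                raise ValueError(f"unknown character class: {r.get('class')!r}")
            if not isinstance(r.get("min"), int) or r["min"] < 0:
                raise ValueError("min must be a non-negative integer")
        elif r.get("type") in ("contains_field", "excludes_field"):
            if not isinstance(r.get("field"), str):
                raise ValueError("field must be a string")
        else:
            raise ValueError(f"unknown rule type: {r.get('type')!r}")
    return rules

def check_password(password, rules, user=None):
    """Return human-readable failures; an empty list means the password passes."""
    failures = []
    for r in rules:
        if r["type"] == "min_count":
            n = sum(1 for c in password if CHAR_CLASSES[r["class"]](c))
            if n < r["min"]:
                failures.append(f"needs at least {r['min']} '{r['class']}' characters")
        else:
            value = str((user or {}).get(r["field"], "")).lower()
            present = bool(value) and value in password.lower()
            if present != (r["type"] == "contains_field"):
                verb = "contain" if r["type"] == "contains_field" else "not contain"
                failures.append(f"must {verb} your {r['field']}")
    return failures

# Constructed sample policy, as an admin might store it.
SAMPLE_RULES = '''[{"type": "min_count", "class": "any", "min": 10},
 {"type": "min_count", "class": "digit", "min": 2},
 {"type": "excludes_field", "field": "name"}]'''
```

Unknown rule types are rejected when the policy is loaded, so a malformed or hostile rule file fails closed instead of silently skipping a check.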