Modernizes password strength checks by using zxcvbn

Signed-off-by: Jon Stovell <jonstovell@gmail.com>

Author: Sesquipedalian

.php-cs-fixer.dist.php

@@ -21,6 +21,7 @@
 		'Sources/minify',
 		'Sources/random_compat',
 		'Sources/ReCaptcha',
+		'Sources/ZxcvbnPhp',
 		'Themes',
 	])
 	// Skip all index.php files and ssi_example.php.

Languages/en_US/Errors.php

@@ -373,12 +373,41 @@
 $txt['profile_error_bad_avatar_url_too_long'] = 'The avatar URL you specified is too long, please use a shorter URL.';
 $txt['profile_error_bad_avatar_too_large'] = 'The image you are trying to use surpasses the max width/height settings, please use a smaller one.';
 $txt['profile_error_bad_avatar_fail_reencode'] = 'The image you uploaded was corrupted and the attempt to recover it failed.';
+
 $txt['profile_error_password_short'] = 'Your password must be {0, plural,
 	one {at least # character long}
 	other {at least # characters long}
 }.';
-$txt['profile_error_password_restricted_words'] = 'Your password must not contain your username, email address or other commonly used words.';
-$txt['profile_error_password_chars'] = 'Your password must contain a mix of upper and lower case letters, as well as digits.';
+$txt['profile_error_password_restricted_words'] = 'Your password must not contain your username, email address, or other commonly used words.';
+$txt['profile_error_password_weak'] = 'This password is too weak.';
+$txt['profile_error_password_top_10'] = 'This is a top-10 common password.';
+$txt['profile_error_password_top_100'] = 'This is a top-100 common password.';
+$txt['profile_error_password_very_common'] = 'This is a very common password.';
+$txt['profile_error_password_similar_to_common'] = 'This is similar to a commonly used password.';
+$txt['profile_error_password_single_word'] = 'A word by itself is easy to guess.';
+$txt['profile_error_password_use_a_few_words'] = 'Use a few words, avoid common phrases.';
+$txt['profile_error_password_simple_is_fine'] = 'No need for symbols, digits, or uppercase letters.';
+$txt['profile_error_password_add_more_words'] = 'Add another word or two. Uncommon words are better.';
+$txt['profile_error_password_recent_years'] = 'Recent years are easy to guess.';
+$txt['profile_error_password_avoid_recent_years'] = 'Avoid recent years.';
+$txt['profile_error_password_avoid_personal_years'] = 'Avoid years that are associated with you.';
+$txt['profile_error_password_dates_are_easy'] = 'Dates are often easy to guess.';
+$txt['profile_error_password_avoid_personal_dates_and_years'] = 'Avoid dates and years that are associated with you.';
+$txt['profile_error_password_straight_rows'] = 'Straight rows of keys are easy to guess.';
+$txt['profile_error_password_short_patterns'] = 'Short keyboard patterns are easy to guess.';
+$txt['profile_error_password_use_longer_pattern'] = 'Use a longer keyboard pattern with more turns.';
+$txt['profile_error_password_sequences'] = 'Sequences like “abc” or “6543” are easy to guess.';
+$txt['profile_error_password_avoid_sequences'] = 'Avoid sequences.';
+$txt['profile_error_password_reversed_words'] = 'Reversed words aren’t much harder to guess.';
+$txt['profile_error_password_repeated_chars'] = 'Repeats like “aaa” are easy to guess.';
+$txt['profile_error_password_repeated_strings'] = 'Repeats like “abcabcabc” are only slightly harder to guess than “abc”.';
+$txt['profile_error_password_avoid_repeated'] = 'Avoid repeated words and characters.';
+$txt['profile_error_password_l33t_useless'] = 'Predictable substitutions like “@” instead of “a” don’t help very much.';
+$txt['profile_error_password_names'] = 'Names and surnames by themselves are easy to guess.';
+$txt['profile_error_password_common_names'] = 'Common names and surnames are easy to guess.';
+$txt['profile_error_password_caps_useless'] = 'Capitalization doesn’t help very much.';
+$txt['profile_error_password_all_caps_useless'] = 'All uppercase is almost as easy to guess as all lowercase.';
+
 $txt['profile_error_already_requested_group'] = 'You already have an outstanding request for this group!';
 $txt['profile_error_signature_not_yet_saved'] = 'The signature has not been saved.';
 $txt['profile_error_personal_text_too_long'] = 'The personal text is too long.';

Languages/en_US/Help.php

@@ -466,12 +466,13 @@
 $helptxt['approveAccountDeletion'] = 'When this setting is checked, any user request to delete his own account has to be approved by an administrator';
 
 $helptxt['send_welcomeEmail'] = 'When this setting is enabled all new members will be sent an email welcoming them to your community';
-$helptxt['password_strength'] = 'This setting determines the strength required for passwords selected by your forum users. The stronger the password, the harder it should be to compromise member’s accounts.
-	Its possible settings are:
+$helptxt['password_strength'] = 'This setting determines the strength required for passwords selected by your forum users. The stronger the password, the harder it should be to compromise member’s accounts. Passwords are evaluated using the <a href="https://github.com/bjeavons/zxcvbn-php" class="bbc_link" target="_blank" rel="noopener">zxcvbn library</a> and checked for other requirements.
+	<br><br>
+	Possible values are:
 	<ul class="normallist">
-		<li><strong>Low:</strong> The password must be at least four characters long.</li>
-		<li><strong>Medium:</strong> The password must be at least eight characters long, and cannot be part of a user’s name or email address.</li>
-		<li><strong>High:</strong> As for medium, except the password must also contain a mixture of upper and lower case letters, and at least one number.</li>
+		<li><strong>Low:</strong> The password must be at least six characters long, it must not contain the user’s name or email address, and it must earn a zxcvbn score of at least 2.</li>
+		<li><strong>Medium:</strong> As for low, except the password must be at least eight characters long and it must earn a zxcvbn score of at least 3.</li>
+		<li><strong>High:</strong> As for medium, except it must earn a zxcvbn score of 4.</li>
 	</ul>';
 $helptxt['enable_password_conversion'] = 'By enabling this setting, SMF will attempt to detect passwords stored in other formats and convert them to the format SMF uses. Typically this is used for forums converted to SMF, but may have other uses as well. Disabling this prevents a user from logging in using their password after a conversion and they would need to reset their password.';
 

Languages/en_US/ManageSettings.php

@@ -168,9 +168,9 @@
 $txt['loadavg_disabled_conf'] = 'Load balancing support is disabled by your host configuration.';
 
 $txt['setting_password_strength'] = 'Required strength for user passwords';
-$txt['setting_password_strength_low'] = 'Low - 4 character minimum';
-$txt['setting_password_strength_medium'] = 'Medium - cannot contain username';
-$txt['setting_password_strength_high'] = 'High - mixture of different characters';
+$txt['setting_password_strength_low'] = 'Low';
+$txt['setting_password_strength_medium'] = 'Medium';
+$txt['setting_password_strength_high'] = 'High';
 $txt['setting_enable_password_conversion'] = 'Allow password hash conversion';
 
 $txt['antispam_Settings'] = 'Anti-Spam Verification';

Languages/en_US/Profile.php

@@ -47,7 +47,7 @@
 $txt['dob_month'] = 'Month (MM)';
 $txt['dob_day'] = 'Day (DD)';
 $txt['dob_year'] = 'Year (YYYY)';
-$txt['password_strength'] = 'For best security, you should use eight or more characters with a combination of letters, numbers, and symbols.';
+$txt['password_strength'] = 'For best security, you should use eight or more characters. It is a good idea to use a phrase with multiple words.';
 $txt['include_website_url'] = 'This must be included if you specify a URL below.';
 $txt['complete_url'] = 'This must be a complete URL.';
 $txt['sig_info'] = 'Signatures are displayed at the bottom of each post or personal message. BBCode and smileys may be used in your signature.';

Sources/Actions/Register2.php

@@ -518,10 +518,16 @@ public static function registerMember(array &$reg_options, bool $return_errors =
 
 			// Password isn't legal?
 			if ($password_error != null) {
-				$error_code = ['lang', 'profile_error_password_' . $password_error, false];
+				Lang::load('Errors');
+
+				if (isset(Lang::$txt['profile_error_password_' . $password_error])) {
+					$error_code = ['lang', 'profile_error_password_' . $password_error, false];
+				} else {
+					$error_code = ['done', $password_error, false];
+				}
 
 				if ($password_error == 'short') {
-					$error_code[] = [empty(Config::$modSettings['password_strength']) ? 4 : 8];
+					$error_code[] = Security::minimumPasswordLength();
 				}
 
 				$reg_errors[] = $error_code;

Sources/Actions/Reminder.php

@@ -242,14 +242,16 @@ public function setPassword2(): void
 		$this->loadMember();
 
 		// Is the password actually valid?
-		$passwordError = Security::validatePassword($_POST['passwrd1'], $this->member->username, [$this->member->email]);
+		$password_error = Security::validatePassword($_POST['passwrd1'], $this->member->username, [$this->member->email]);
 
 		// What - it's not?
-		if ($passwordError != null) {
-			if ($passwordError == 'short') {
-				ErrorHandler::fatalLang('profile_error_password_' . $passwordError, false, [empty(Config::$modSettings['password_strength']) ? 4 : 8]);
+		if ($password_error != null) {
+			if ($password_error == 'short') {
+				ErrorHandler::fatalLang('profile_error_password_short', false, [Security::minimumPasswordLength()]);
 			} else {
-				ErrorHandler::fatalLang('profile_error_password_' . $passwordError, false);
+				Lang::load('Errors');
+
+				ErrorHandler::fatalLang((isset(Lang::$txt['profile_error_password_' . $password_error]) ? 'profile_error_password_' : '') . $password_error, false);
 			}
 		}
 
@@ -380,14 +382,16 @@ public function secretAnswer2(): void
 		}
 
 		// Make sure they have a strong enough password.
-		$passwordError = Security::validatePassword($_POST['passwrd1'], $this->member->username, [$this->member->email]);
+		$password_error = Security::validatePassword($_POST['passwrd1'], $this->member->username, [$this->member->email]);
 
 		// Invalid?
-		if ($passwordError != null) {
-			if ($passwordError == 'short') {
-				ErrorHandler::fatalLang('profile_error_password_' . $passwordError, false, [empty(Config::$modSettings['password_strength']) ? 4 : 8]);
+		if ($password_error != null) {
+			if ($password_error == 'short') {
+				ErrorHandler::fatalLang('profile_error_password_' . $password_error, false, [Security::minimumPasswordLength()]);
 			} else {
-				ErrorHandler::fatalLang('profile_error_password_' . $passwordError, false);
+				Lang::load('Errors');
+
+				ErrorHandler::fatalLang((isset(Lang::$txt['profile_error_password_' . $password_error]) ? 'profile_error_password_' : '') . $password_error, false);
 			}
 		}
 

Sources/Autoloader.php

@@ -28,6 +28,7 @@
 		'ReCaptcha\\' => 'ReCaptcha/',
 		'MatthiasMullie\\Minify\\' => 'minify/src/',
 		'MatthiasMullie\\PathConverter\\' => 'minify/path-converter/src/',
+		'ZxcvbnPhp\\' => 'ZxcvbnPhp/',
 
 		// In general, the SMF namespace maps to $sourcedir.
 		'SMF\\' => '',

Sources/Profile.php

@@ -605,11 +605,13 @@ public function loadStandardFields(bool $force_reload = false)
 					}
 
 					// Let's get the validation function into play...
-					$passwordErrors = Security::validatePassword(Utils::htmlspecialcharsDecode($value), $this->username, [$this->name, User::$me->username, User::$me->name, User::$me->email]);
+					$password_error = Security::validatePassword(Utils::htmlspecialcharsDecode($value), $this->username, [$this->name, User::$me->username, User::$me->name, User::$me->email]);
 
 					// Were there errors?
-					if ($passwordErrors != null) {
-						return 'password_' . $passwordErrors;
+					if ($password_error != null) {
+						Lang::load('Errors');
+
+						return (isset(Lang::$txt['profile_error_password_' . $password_error]) ? 'password_' : '') . $password_error;
 					}
 
 					// Set up the new password variable... ready for storage.

Sources/Security.php

@@ -17,6 +17,7 @@
 
 use SMF\Cache\CacheApi;
 use SMF\Db\DatabaseApi as Db;
+use ZxcvbnPhp\Zxcvbn;
 
 /**
  * A collection of miscellaneous methods related to forum security.
@@ -98,6 +99,16 @@ public static function generateValidationCode(): string
 		return bin2hex(random_bytes(5));
 	}
 
+	/**
+	 * Gets the minimum required password length.
+	 *
+	 * @return int The minimum required password length.
+	 */
+	public static function minimumPasswordLength(): int
+	{
+		return empty(Config::$modSettings['password_strength']) ? 6 : 8;
+	}
+
 	/**
 	 * Checks whether a password meets the current forum rules.
 	 *
@@ -117,7 +128,7 @@ public static function generateValidationCode(): string
 	public static function validatePassword(string $password, string $username, array $restrict_in = []): ?string
 	{
 		// Perform basic requirements first.
-		if (Utils::entityStrlen($password) < (empty(Config::$modSettings['password_strength']) ? 4 : 8)) {
+		if (Utils::entityStrlen($password) < self::minimumPasswordLength()) {
 			return 'short';
 		}
 
@@ -130,37 +141,79 @@ public static function validatePassword(string $password, string $username, arra
 			return $pass_error;
 		}
 
-		// Is this enough?
-		if (empty(Config::$modSettings['password_strength'])) {
-			return null;
-		}
-
-		// Otherwise, perform the medium strength test - checking if password appears in the restricted string.
-		if (preg_match('~\b' . preg_quote($password, '~') . '\b~', implode(' ', $restrict_in))) {
+		if (
+			// Check if password appears in the restricted strings.
+			preg_match('~\b' . preg_quote($password, '~') . '\b~u', implode(' ', $restrict_in))
+			// Check if password appears in the username.
+			|| preg_match('~\b' . preg_quote($password, '~') . '\b~iu', $username)
+			// Check if username appears in the password.
+			|| preg_match('~\b' . preg_quote($username, '~') . '\b~iu', $password)
+		) {
 			return 'restricted_words';
 		}
 
-		if (Utils::entityStrpos($password, $username) !== false) {
-			return 'restricted_words';
-		}
+		// Use zxcvbn to assess the password's strength.
+		$zxcvbn = new Zxcvbn();
+		$strength = $zxcvbn->passwordStrength($password, array_merge([$username], $restrict_in));
 
-		// If just medium, we're done.
-		if (Config::$modSettings['password_strength'] == 1) {
-			return null;
-		}
+		if ((int) $strength['score'] < (Config::$modSettings['password_strength'] ?? 0) + 2) {
+			Lang::load('Errors');
 
-		// Check for both numbers and letters.
-		$good = preg_match('~\p{N}~u', $password) && preg_match('~\p{L}~u', $password);
+			// List of known feedback strings from zxcvbn mapped to Lang::$txt keys.
+			$feedback_strings = [
+				'This is a top-10 common password' => 'top_10',
+				'This is a top-100 common password' => 'top_100',
+				'This is a very common password' => 'very_common',
+				'This is similar to a commonly used password' => 'similar_to_common',
+				'A word by itself is easy to guess' => 'single_word',
+				'Use a few words, avoid common phrases' => 'use_a_few_words',
+				'No need for symbols, digits, or uppercase letters' => 'simple_is_fine',
+				'Add another word or two. Uncommon words are better.' => 'add_more_words',
+				'Recent years are easy to guess' => 'recent_years',
+				'Avoid recent years' => 'avoid_recent_years',
+				'Avoid years that are associated with you' => 'avoid_personal_years',
+				'Dates are often easy to guess' => 'dates_are_easy',
+				'Avoid dates and years that are associated with you' => 'avoid_personal_dates_and_years',
+				'Straight rows of keys are easy to guess' => 'straight_rows',
+				'Short keyboard patterns are easy to guess' => 'short_patterns',
+				'Use a longer keyboard pattern with more turns' => 'use_longer_pattern',
+				'Sequences like abc or 6543 are easy to guess' => 'sequences',
+				'Avoid sequences' => 'avoid_sequences',
+				'Reversed words aren\'t much harder to guess' => 'reversed_words',
+				'Repeats like "aaa" are easy to guess' => 'repeated_chars',
+				'Repeats like "abcabcabc" are only slightly harder to guess than "abc"' => 'repeated_strings',
+				'Avoid repeated words and characters' => 'avoid_repeated',
+				'Predictable substitutions like \'@\' instead of \'a\' don\'t help very much' => 'l33t_useless',
+				'Names and surnames by themselves are easy to guess' => 'names',
+				'Common names and surnames are easy to guess' => 'common_names',
+				'Capitalization doesn\'t help very much' => 'caps_useless',
+				'All-uppercase is almost as easy to guess as all-lowercase' => 'all_caps_useless',
+			];
+
+			$feedback = [];
+
+			if (isset($strength['feedback']['warning'], $feedback_strings[$strength['feedback']['warning']])) {
+				$feedback[] = Lang::getTxt('profile_error_password_' . $feedback_strings[$strength['feedback']['warning']]);
+			}
 
-		// If there are any letters from bicameral scripts (Latin, Greek, etc.),
-		// check that there are both lowercase and uppercase letters present.
-		// Note: If the password only contains letters from a unicameral script
-		// (Arabic, Thai, etc.), this requirement is not applicable.
-		if (Utils::strtoupper($password) !== ($lower_password = Utils::strtolower($password))) {
-			$good &= $password !== $lower_password;
+			if (!empty($strength['feedback']['suggestions'])) {
+				foreach ($strength['feedback']['suggestions'] as $suggestion) {
+					if (isset($feedback_strings[$suggestion])) {
+						$feedback[] = Lang::getTxt('profile_error_password_' . $feedback_strings[$suggestion]);
+					}
+				}
+			}
+
+			if (!empty($feedback)) {
+				return implode('<br>', $feedback);
+			}
+
+			// Generic error message.
+			return 'weak';
 		}
 
-		return $good ? null : 'chars';
+		// If we get here, the password is strong enough.
+		return null;
 	}
 
 	/**