Nov 19, 2009

Make a Password Strength Meter in WhizBase

Today the Internet is everywhere, we use it in everything, it is the buzz word of our time. When it first began it was just an experiment, a network for exchanging some data between universities, no one used it for exchanging private data.



Today it is 90% social powered network, everyone have a profile on some social website, a lot of people have money accounts on the net, some others have galleries and private data. So now we have to take care about security, how to secure our data, we need a good password, most people use «trustno1» or «000000» or their birth dates. That is not a good password, any cracking engine can guess that one.



Making a good password

A good password must have numbers, alphabetic characters (upper and lower case), other characters, they must be in a random order and must not mean anything. So do not use English words with meaning or some number combinations of something in your life.



A good example for a good password is ubXr-z9)7mn: we have upper and lower case letters, we have numbers and we have other characters. This password is nearly impossible to guess.



We will show you how to make password strength meter in WhizBase. The concept is easy, the user enters the password, we check it if it has all the 4 elements in it and give strength value back.



So let us start.



Give me your password

We will make a simple HTML form where we will ask the user to insert a username and a password. It is the standard form you can find everywhere on the net. Let us name it «index.htm»



<html>

<head><title>WhizBase Password Strength Meter</title></head>

<body>

<form action="'chpwd.wbsp'" method="'post'">

Username : <input type="'text'" name="'username'" value="''"><br />

Password : <input type="'password'" name="'pwd'" value="''"><br />

<input type="'submit'" value="'check">

</form>

</body>

</html>

Some notes about this code, we always use POST method in the form to hide our password when sending it through the web, we need the username to check if the password contains the username in it. We will create the file «chpwd.wbsp» which will make the checking for us.



Mambo Jumbo stuff of the code

Before we start we need to write down what we want to check and how we mark the password strength. I will make a list of things we need to check and every point have 1 point mark. So if the password passes 3 out of 6 it will have 50% strength.




  1. The length of the password must be at least 8 characters

  2. The password must not contain the username in it

  3. The password must contain numbers

  4. The password must contain special characters

  5. The password must contain lower case letters

  6. The password must contain upper case letters



Now lets begin with the code, save it in 'chpwd.wbsp':




$wbsetv[strength|0]

$wbif[$wblen[$wbv[pwd]]>7|$wbsetv[strength|$wbcalc[$wbgetv[strength]+1]]|]


$wbif[$WBCSTR[$wbv[pwd]|$wbv[username]|T]>0||$wbsetv[strength|$wbcalc[$wbgetv[strength]+1]]]


$wbsetv[avail|F]

$WBSPLIT[0,1,2,3,4,5,6,7,8,9|numbers|,]


$wbsetv[count|0]


$wbwhile[$wbgetv[count]<=$wbalen[numbers]|$wbif[$WBCSTR[$wbv[pwd]|$wbgetv[numbers($wbgetv[count])]|T]>0|$wbsetv[avail|T]|]$wbsetv[count|$wbcalc[$wbgetv[count]+1]]]


$wbif[$wbgetv[avail]="T"|$wbsetv[strength|$wbcalc[$wbgetv[strength]+1]]|]


$wbsetv[avail|F]

$WBSPLIT[!,#,$,%,&amp;,/,(,),=,?,*,@,;,:,-,_|schars|,]


$wbsetv[count|0]


$wbwhile[$wbgetv[count]<=$wbalen[schars]|$wbif[$WBCSTR[$wbv[pwd]|$wbgetv[schars($wbgetv[count])]|T]>0|$wbsetv[avail|T]|]$wbsetv[count|$wbcalc[$wbgetv[count]+1]]]


$wbif[$wbgetv[avail]="T"|$wbsetv[strength|$wbcalc[$wbgetv[strength]+1]]|]


$wbsetv[avail|F]

$WBSPLIT[q,w,e,r,t,z,u,i,o,p,a,s,d,f,g,h,j,k,l,y,x,c,v,b,n,m|scase|,]


$wbsetv[count|0]


$wbwhile[$wbgetv[count]<=$wbalen[scase]|$wbif[$WBCSTR[$wbv[pwd]|$wbgetv[scase($wbgetv[count])]|T]>0|$wbsetv[avail|T]|]$wbsetv[count|$wbcalc[$wbgetv[count]+1]]]


$wbif[$wbgetv[avail]="T"|$wbsetv[strength|$wbcalc[$wbgetv[strength]+1]]|]


$wbsetv[avail|F]

$WBSPLIT[Q,W,E,R,T,Z,U,I,O,P,A,S,D,F,G,H,J,K,L,Y,X,C,V,B,N,M|ucase|,]


$wbsetv[count|0]


$wbwhile[$wbgetv[count]<=$wbalen[ucase]|$wbif[$WBCSTR[$wbv[pwd]|$wbgetv[ucase($wbgetv[count])]|T]>0|$wbsetv[avail|T]|]$wbsetv[count|$wbcalc[$wbgetv[count]+1]]]


$wbif[$wbgetv[avail]="T"|$wbsetv[strength|$wbcalc[$wbgetv[strength]+1]]|]

Your password's strength is $wbcalc[$wbcalc[$wbgetv[strength]/6]*100]% $wbgetv[strength]




Let us speak English

Now let me explain what we have done. First we have created a variable which will contain the strength value, starting with zero because we assume the password is not good and then check every point and give a mark for success. We've done that with $wbsetv[strength|0] which means «WhizBase set a variable named strength with value 0».



Now we start with checking, first we check if the password length is more than 7 characters.





$wbif[

$wblen[$wbv[pwd]]>7

|

|

$wbsetv[strength|

$wbcalc[$wbgetv[strength]+1]

]

]


We say «If the length of 'pwd' variable greater is than 7 then add 1 point to the variable strength. Else do nothing.



Now we want to check if the password contains the username in it.
Again we use $WBIF «If number of occurences of the username variable in the pwd variable is greater than 0, then do nothing» (do not add a point), because there is at least one occurence and there should be none, «else add one point to the variable strength» because there is no user name in pwd.



Now we will make our script a little bit more complex, since we need to check if there are number characters in the password. To do so, we will define the numbers array and loop through the elements and check if any of them exists in the password string.




$wbsetv[avail|F]

$WBSPLIT[0,1,2,3,4,5,6,7,8,9|numbers|,]


$wbsetv[count|0]


$wbwhile[$wbgetv[count]<=$wbalen[numbers] | $wbif[$WBCSTR[$wbv[pwd]|$wbgetv[numbers($wbgetv[count])]|T]>0 |$wbsetv[avail |T]|]

$wbsetv[count|$wbcalc[$wbgetv[count]+1]]

]


$wbif[

$wbgetv[avail] = 'T'

|

$wbsetv[strength|

$wbcalc[$wbgetv[strength]+1]

]

|

]




At the beginning we suppose that there are no numbers, and give a value F as False for variable avail. Using wbsplit with the string «0,1,2,3,4,5,6,7,8,9» we make an array named numbers with the separator «,». This is a very cool way to create arrays in WhizBase. There are another ways but I prefer this one.



Now to loop through the array, we will need a counter so we will create a variable «count» with initial value of 0.



We will loop through the array while the condition (counter value <= length of the array) is true. In the loop we check with wbif function if there is an occurrence of the array element's value in the password string. If we find at least one we will set the variable avail as True «T». And off course we do not want our loop to go infinite, so we increase the value of the counter variable. After the loop is ended we check if our «avail» variable is True, which means that our password string has numbers in it, and add one point to «strength» variable (if true), else we do nothing. Now we repeat the same thing for special characters, lower case letters and upper case letters. I will not go through that code because it is the same as this one. Finally we will calculate the percentage of the strength, which is simple mathematical equation:






$wbcalc[$wbcalc[$wbgetv[strength]/6]*100]


We calculate the result of the strength points divided by maximum points (in our case it is 6), and then we multiply the result with 100 to get a percentage result.



And here we have a script that will tell us how powerful is our password.



For more information email me at: NurAzije [at] Gmail [dot] com
Or visit WhizBase official site at www.whizbase.com