NAME

Data::Transpose::PasswordPolicy - Perl extension to enforce password policy

SYNOPSIS

use Data::Transpose::PasswordPolicy;

my %credentials = (username => "marco",
                  password => "My.very.very.5strong.pzwd"
                 );

my $pv = Data::Transpose::PasswordPolicy->new(\%credentials)

if (my $password = $pv->is_valid) {
  print "$password is OK";
}
else {
  die $pv->error
}

DESCRIPTION

This module enforces the password policy, doing a number of checking. The author reccomends to use passphrases instead of password, using some special character (like punctuation) as separator, with 4-5 words in mixed case and with numbers as a good measure.

You can add the policy to the constructor, where minlength is the minimum password length, maxlength is the maximum password and mindiffchars is the minimum number of different characters in the password. Read below for patternlength

By default all checkings are enabled. If you want to configure the policy, pass an hashref assigning to the disabled checking a true value. This will leave only the length checks in place, which you can tweak with the accessors. For example:

my %validate = ( username => "marco",
                 password => "ciao",
                 minlength => 10,
                 maxlength => 50,
                 patternlength => 4,
                 mindiffchars => 5,
                 disabled => {
                               digits => 1,
                               mixed => 1,
                             }
my $pv = Data::Transpose::PasswordPolicy->new(\%validate)
$pv->is_valid ? "OK" : "not OK";

See below for the list of the available checkings.

Please note: the purpose of this module is not to try to crack the password provided, but to set a policy for the passwords, which should have some minimum standards, and could be used on web services to stop users to set trivial password (without keeping the server busy for seconds while we check it). Nothing more.

METHODS

new(%credentials)

Create a new Data::Transpose::PasswordPolicy object using the credentials provided to the constructor.

ACCESSORS

$obj->password($newpassword)

Set and return the new password. If no argument is provided, returns the current. It will strip leading and trailing spaces.

$obj->username($username)

Set and return the new username. If no argument is provided, returns the current. It will strip leading and trailing spaces.

$obj->password_length

It returns the length of the password;

$obj->minlength

Returns the minimum length required. If a numeric argument is provided, set that limit. Defaults to 255;

$obj->maxlength

As above, but for the maximum. Defaults to 12;

$obj->mindiffchars

As above, but set the minimum of different characters (to avoid things like 00000000000000000ciao00000000000.

Defaults to 6;

$obj->patternlength

As above, but set the length of the common patterns we will search in the password, like "abcd", or "1234", or "asdf". By default it's 3, so a password which merely contains "abc" will be discarded.

This option can also be set in the constructor.

Internal algorithms

All the following methods operate on $obj->password and return the message of the error if something if not OK, while returning false if nothing suspicious was found.

password_length_ok

Check if the password is in the range of permitted lengths. Return undef if the validation passes, otherwise the arrayref with the error code and the error string.

password_has_username

Check if the password contains the username, even if obfuscated.

Disable keyword: username

password_has_common_password

Check if the password contains, even obfuscated, common password like "password" et similia.

Disable keyword: common

password_has_enough_different_char

Check if the password has enough different characters.

Disable keyword: varchars

password_has_mixed_chars

Check if the password has mixed cases

Disable keyword: mixed

password_has_specials

Check if the password has non-word characters

Disable keyword: specials

password_has_digits

Check if the password has digits

Disable keyword: digits

password_has_letters

Check if the password has letters

Disable keyword: letters

password_has_patterns

Check if the password contains usual patterns like 12345, abcd, or asdf (like in the qwerty keyboard).

Disable keyword: patterns

Main methods

$obj->is_valid

Return the password if matches the policy or a false value if not.

For convenience, this method can accept the password to validate as argument, which will overwrite the one provided with the password method (if it was set).

$obj->error

With argument, set the error. Without, return the errors found in the password.

In list context, we pass the array with the error codes and the strings. In scalar context, we return the concatenated error strings.

Inherited from Data::Transpose::Validator::Base;

error_codes

Return a list of the error codes found in the password. The error codes match the options. (e.g. mixed, patterns).

If you want the verbose string, you need the error method.

$obj->reset_errors

Clear the object from previous errors, in case you want to reuse it.

$obj->disable("mixed", "letters", "digits", [...])

Disable the checking(s) passed as list of strings.

$obj->enable("mixed", "letters", [...])

Same as above, but enable the checking

$obj->is_disabled("checking")

Return true if the checking is disable.

EXPORT

None by default.

SEE ALSO

http://xkcd.com/936/

AUTHOR

Marco Pessotto, <melmothx@gmail.com>

COPYRIGHT AND LICENSE

Copyright (C) 2013-2016 by Marco Pessotto

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.16.2 or, at your option, any later version of Perl 5 you may have available.