Extended password quality checks

app.py

@@ -35,8 +35,8 @@ def error(msg):
     if form('new-password') != form('confirm-password'):
         return error("Password doesn't match the confirmation!")
 
-    if len(form('new-password')) < 8:
-        return error("Password must be at least 8 characters long!")
+    if not password_is_strong(form('new-password')):
+        return error("Password did not pass quality checks!")
 
     try:
         change_passwords(form('username'), form('old-password'), form('new-password'))
@@ -144,6 +144,45 @@ def read_config():
     return config
 
 
+# this returns True if password is strong (based on a set of quality checks)
+def password_is_strong(password):
+    if 'password_quality' in CONF.keys():
+        conf = CONF['password_quality']
+    else:
+        LOG.warning("Password quality checker is disabled.")
+        return True
+    # password length check
+    if len(password) < conf.getint('min_length', 8):
+        LOG.debug("Password is weak because it is too short.")
+        return False
+    # number of password complexity checks
+    if conf.getboolean('mixed_case_required', False):
+        if password.islower() or password.isupper() or password.isdigit():
+            LOG.debug("Password is weak because it is not mixed case.")
+            return False
+    if conf.getboolean('digit_required', False):
+        if not any([digit in password for digit in '0123456789']):
+            LOG.debug("Password is weak because it contains no digits.")
+            return False
+    if conf.getboolean('special_required', False):
+        if not any([special in password for special in '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~']):
+            LOG.debug("Password is weak because it contains no special characters.")
+            return False
+    # password dictionary check
+    if conf.getboolean('dictionary_check_enabled', False):
+        with open(conf['dictionary_file'], 'rt') as dictionary_file:
+            for line in dictionary_file:
+                if line.isspace():
+                    continue
+                pattern = line.rstrip().lower()
+                if pattern in password.lower():
+                    LOG.debug("Password is weak because its part is present in dictionary.")
+                    return False
+    # return True if not yet returned (password is strong)
+    LOG.info("Password quality check passed.")
+    return True
+
+
 class Error(Exception):
     pass
 

dictionary_example.txt

@@ -0,0 +1,3 @@
+password
+changeme
+testtest

settings.ini.example

@@ -20,6 +20,15 @@ search_filter = uid={uid}
 #base = ou=People,dc=example,dc=org
 #search_filter = uid={uid}
 
+# Uncomment following lines to enable password quality checks
+#[password_quality]
+#min_length = 8
+#mixed_case_required = true
+#digit_required = true
+#special_required = false
+#dictionary_check_enabled = true
+#dictionary_file = dictionary_example.txt
+
 [server]
 server = auto
 host = localhost