Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Password complexity Case Problem
Wondered if someone could give me a technical hand on the function
script below. We're testing implementation of the Oracle password
complexity function for use with an application. I took the generic
Oracle-supplied function script and modified it in a couple of ways,
principally so it would more closely match our network password
complexity tests. That way users have the same set of rules on both
systems.
It seems to work ok, except for the upper case/Lower case test. Oracle's generic script had one 52-character array, basically the alphabet in both cases, and it's routine checked the password until it found a matching character in that array. I split that into two arrays, lowerchararray and upperchararray, and two separate tests. This facilitates the rule of the user's password having to meet three out of any four criteria (one upper case, one lower case, one special character and one digit).
Thing is the routine seems to be "case-blind"..the other rules work, but does not seem to care about case. Perhaps the "substr" function is making the routine "case neutral"?
Thanks!
=====================verify_function====================CREATE OR REPLACE FUNCTION verify_function (username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
n boolean;
m integer;
differ integer;
complexitysum integer;
isdigit boolean; ischar boolean; ispunct boolean;
BEGIN
complexitysum:= 0;
digitarray:= '0123456789';
lowerchararray:= 'abcdefghijklmnopqrstuvwxyz';
upperchararray:= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
punctarray:='!"#$%&()''*+,-/:;<=>?_@';
--Check if the password is same as the username
IF password = username THEN
raise_application_error(-20001, 'Password must not be same as user
ID');
END IF;
--Check for the minimum length of the password
IF length(password) < 8 THEN
raise_application_error(-20002, 'Password length must not be less
than 8');
END IF;
--Check if the password contains at least one upper case letter,
--one lower case letter, one digit and/or one punctuation mark.
--1. Check for the digit
isdigit:=FALSE;
m := length(password);
FOR i IN 1..10 LOOP
FOR j IN 1..m LOOP
IF substr(password,j,1) = substr(digitarray,i,1) THEN
isdigit:=TRUE; complexitysum:= complexitysum + 1; GOTO findupperchar;
<<findupperchar>>
ischar:=FALSE;
FOR i IN 1..length(upperchararray) LOOP
FOR j IN 1..m LOOP
IF substr(password,j,1) = substr(upperchararray,i,1) THEN
ischar:=TRUE; complexitysum:= complexitysum + 1; GOTO findlowerchar; END IF;
<<findlowerchar>>
ischar:=FALSE;
FOR i IN 1..length(lowerchararray) LOOP
FOR j IN 1..m LOOP
IF substr(password,j,1) = substr(lowerchararray,i,1) THEN
ischar:=TRUE; complexitysum:= complexitysum + 1; GOTO findpunct; END IF;
<<findpunct>>
ispunct:=FALSE;
FOR i IN 1..length(punctarray) LOOP
FOR j IN 1..m LOOP
IF substr(password,j,1) = substr(punctarray,i,1) THEN
ispunct:=TRUE; complexitysum:= complexitysum + 1; GOTO complexityeval; END IF;
--Everything is fine; return TRUE ;
RETURN(TRUE);
END;
/
Received on Fri Nov 21 2003 - 11:36:58 CST