You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/11/22 12:50:40 UTC

[1/2] git commit: updated refs/heads/4.6 to 3f7a86d

Repository: cloudstack
Updated Branches:
  refs/heads/4.6 7a77ddcd8 -> 3f7a86d8e


CLOUDSTACK-9052 Shuffling the password to avoid having a subset of characters in fixed positions.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/52ccfaac
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/52ccfaac
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/52ccfaac

Branch: refs/heads/4.6
Commit: 52ccfaac0cb59163c408e1d465f0dffa40f1062b
Parents: e1cc673
Author: nnesic <ne...@greenqloud.com>
Authored: Tue Nov 10 17:22:31 2015 +0000
Committer: nnesic <ne...@greenqloud.com>
Committed: Thu Nov 19 13:17:20 2015 +0000

----------------------------------------------------------------------
 .../java/com/cloud/utils/PasswordGenerator.java | 25 +++++++++----
 .../com/cloud/utils/PasswordGeneratorTest.java  | 39 ++++++++++++++++----
 2 files changed, 48 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/52ccfaac/utils/src/main/java/com/cloud/utils/PasswordGenerator.java
----------------------------------------------------------------------
diff --git a/utils/src/main/java/com/cloud/utils/PasswordGenerator.java b/utils/src/main/java/com/cloud/utils/PasswordGenerator.java
index 0d79143..3ba54f2 100644
--- a/utils/src/main/java/com/cloud/utils/PasswordGenerator.java
+++ b/utils/src/main/java/com/cloud/utils/PasswordGenerator.java
@@ -20,6 +20,9 @@
 package com.cloud.utils;
 
 import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.Random;
 
 /**
@@ -48,14 +51,19 @@ public class PasswordGenerator {
                 password.append(generateAlphaNumeric(r));
             }
         } else {
-            // Generate random 3-character string with a lowercase character,
-            // uppercase character, and a digit
-            password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));
-
-            // Generate a random n-character string with only lowercase
-            // characters
-            for (int i = 0; i < num - 3; i++) {
-                password.append(generateLowercaseChar(r));
+            List<Character> passwordChars = new ArrayList<Character>();
+            passwordChars.add(generateLowercaseChar(r));
+            passwordChars.add(generateUppercaseChar(r));
+            passwordChars.add(generateDigit(r));
+
+            for (int i = passwordChars.size(); i < num; i++) {
+                passwordChars.add(generateAlphaNumeric(r));
+            }
+
+            Collections.shuffle(passwordChars, new SecureRandom());
+
+            for (char c : passwordChars) {
+                password.append(c);
             }
         }
 
@@ -87,4 +95,5 @@ public class PasswordGenerator {
         return psk.toString();
 
     }
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/52ccfaac/utils/src/test/java/com/cloud/utils/PasswordGeneratorTest.java
----------------------------------------------------------------------
diff --git a/utils/src/test/java/com/cloud/utils/PasswordGeneratorTest.java b/utils/src/test/java/com/cloud/utils/PasswordGeneratorTest.java
index 413b866..e71436d 100644
--- a/utils/src/test/java/com/cloud/utils/PasswordGeneratorTest.java
+++ b/utils/src/test/java/com/cloud/utils/PasswordGeneratorTest.java
@@ -30,13 +30,36 @@ public class PasswordGeneratorTest {
         Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 3);
         Assert.assertTrue(PasswordGenerator.generateRandomPassword(5).length() == 5);
         String password = PasswordGenerator.generateRandomPassword(8);
-        // TODO: this might give more help to bruteforcing than desired
-        // the actual behavior is that the first character is a random lowercase
-        // char
-        Assert.assertTrue(Character.isLowerCase(password.charAt(0)));
-        // the second character is a random upper case char
-        Assert.assertTrue(Character.isUpperCase(password.charAt(1)));
-        // and the third is a digit
-        Assert.assertTrue(Character.isDigit(password.charAt(2)));
+
+        Assert.assertTrue(containsDigit(password));
+        Assert.assertTrue(containsLowercase(password));
+        Assert.assertTrue(containsUppercase(password));
+    }
+
+    private boolean containsUppercase(String password) {
+        for (char c : password.toCharArray()) {
+            if (Character.isUpperCase(c)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private boolean containsLowercase(String password) {
+        for (char c : password.toCharArray()) {
+            if (Character.isLowerCase(c)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private boolean containsDigit(String password) {
+        for (char c : password.toCharArray()) {
+            if (Character.isDigit(c)) {
+                return true;
+            }
+        }
+        return false;
     }
 }

[2/2] git commit: updated refs/heads/4.6 to 3f7a86d

Posted by re...@apache.org.

Merge pull request #1058 from greenqloud/pr/password_security

Shuffling the password to avoid having a subset of characters in fixed positions.Related to CLOUDSTACK-9052.

I am shuffling the characters in the password, to avoid having a certain char type in fixed positions. I modified the tests accordingly to only check that the different character types are present.

I think it would be good to remove the hard requirement to have at least one of digits, upper-case, and  lowercase chars, as it reduces the number of possible combinations passwords can take. What do you think?

* pr/1058:
  CLOUDSTACK-9052 Shuffling the password to avoid having a subset of characters in fixed positions.

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3f7a86d8
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3f7a86d8
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3f7a86d8

Branch: refs/heads/4.6
Commit: 3f7a86d8efac3b198040be09f359727a6798dbf3
Parents: 7a77ddc 52ccfaa
Author: Remi Bergsma <gi...@remi.nl>
Authored: Sun Nov 22 12:46:31 2015 +0100
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Sun Nov 22 12:46:32 2015 +0100

----------------------------------------------------------------------
 .../java/com/cloud/utils/PasswordGenerator.java | 25 +++++++++----
 .../com/cloud/utils/PasswordGeneratorTest.java  | 39 ++++++++++++++++----
 2 files changed, 48 insertions(+), 16 deletions(-)
----------------------------------------------------------------------