PHP password strength detector script

Jerry Low — Wed, 17 Feb 2010 08:23:34 +0000

If you operate a user registration script on your website you may want to ensure users are protected. There are certain aspects of this you cannot control such as the user's self selected password. Here I have a script that will detect the user's password strength and base on that you could reject the password or just make notice to the user their password's strength.

Basically we're checking against a few things here and we give a rating to each criteria and then add up the final score to see where they rank. Here is what we'll be checking against:

Length – 10 Points
Lower Case Characters – 20 Points
Upper Case Characters – 20 Points
Numbers – 20 Points
Special Characters – 30 Points

The points are given based on how much value they may add to the password. Enough talking I present you the function:

function password_strength($password, $display = TRUE) {
//Strength Scoring
$pass_score = 0;

$pass_len = FALSE;
$pass_lc = FALSE;
$pass_uc = FALSE;
$pass_num = FALSE;
$pass_weird = FALSE;

//Pad
$password = 0 . $password;

//Check Length
if (strlen($password)>6) $pass_len = TRUE;

//Check Lowercase Characters
for ($i = 97; $i <=122; $i++) {
if (@strpos($password, chr($i))) $pass_lc = TRUE;
}

//Check Uppercase Characters
for ($i = 65; $i <=90; $i++) {
if (@strpos($password, chr($i))) $pass_uc = TRUE;
}

//Check Numbers
for ($i = 48; $i <=57; $i++) {
if (@strpos($password, chr($i))) $pass_num = TRUE;
}

//Check Weird Characters
for ($i = 33; $i <=126; $i++) {
//Excempt
if (($i>47 && $i<58) || ($i>64 && $i<91) || ($i>96 && $i<123)) {
//Null
} else {
if (@strpos($password, chr($i))) $pass_weird = TRUE;
}
}

//Points
if ($pass_len) $pass_score = $pass_score + 10;
if ($pass_lc) $pass_score = $pass_score + 20;
if ($pass_uc) $pass_score = $pass_score + 20;
if ($pass_num) $pass_score = $pass_score + 20;
if ($pass_weird) $pass_score = $pass_score + 30;

//Displaying
if ($display) {
echo '

';

if ($pass_score <= 40) echo '

WEAK

';
if ($pass_score > 40 && $pass_score < 70) echo '

AVERAGE

';
if ($pass_score >= 71) echo '

STRONG

';

echo '

';
}

return $pass_score;
}

The script itself has a built in display bar which will visuallize how strong or weak the password maybe which could turn off. Here's an example of calling the script:

$password = "GoodBoy";

//Showing the Password Strength with Visual Bar
password_strength($password);

//Not Showing anything at all but storing strength as a variable
$strength = password_strength($password, FALSE);

Secure PHP login without database

Jerry Low — Fri, 23 Oct 2009 22:55:09 +0000

Although not recommended but maybe for some reason you need to create a PHP login without the use of any database (SQL). For some reason you maybe scared to approach, but here I made a script that is fairly secure without utilizing any database at all. It allows users to login and stay logged in. If you are one of those people then here's the script for you.

Now this script does not use any external files to store user names and password as it opens up more security flaws for hackers, so everything is managed in an array within the PHP. If somebody was able to get a hold of your PHP file this will compromise things but the chances of that happening is fairly close to utilizing a database.

Features

Utilizes cookies to give users ability to stay logged in across multiple pages
Secure login algorithm mitigates hacking attempts

Drawbacks

Now by not utilizing a database there are some drawbacks and they are:

Users cannot change password and user names manually
Users can attempt login as many times as they want

With that said, it means that usernames and passwords must be managed by an admin. If this is still something for you. If this is not for you wait around because I will convert this script into a database version in the future.

Less Talk More Script

Installation:

Just download all the necessary files which includes:

_login.php
_login_page.php
_login_class.php
_login_users.php
login.php
logout.php

Once you put these in your root folder you need to edit the users and settings. Open up _login_users.php and you'll see:

//My Login Script
//Attach this to any page that requires Login

//Users and Settings
$domain_code = 'website'; //Alpha Numeric and no space
$random_num_1 = 20; //Pick a random number between 1 to 500
$random_num_2 = 565; //Pick a random number between 500 to 1000
$random_num_3 = 3; //Pick a random number between 1 to 3

//Usernames can contain alphabets, numbers, hyphens and underscore only
//Set users below – Just add " => " with the first " being
//the username and the second " after the => being the password.
//Its an array so add an , after every password except for the
//last one in the list. As shown below
//Eg. $users = array(
// 'user1' => 'password',
// 'user2' => 'password'
// );

$users = array(
'user1' => 'password',
'user2' => 'password'
);

Modify the domain code and three random numbers. The three random numbers is the key that makes login secure and unique to your website only. Then at the bottom you can create all of your users.

Now in every page that you require the user to login just add the following code to the very top of the page, exactly on line 1.

require('_login.php'); ?>

That's pretty much all you need to do to install the secure login script. The only other thing if you want is you can edit _login_page.php. That's the page people see when they need to login.

Login and Logout

You can lead users to login and logout with links to login.php and logout.php as such.

Displaying Macors

In this case the only macro you can call up is the username after they have logged in. You can call it in a welcome back message like this (placed in your HTML).

Welcome back echo $login->username; ?>

Download the files:
PHP Login Without Database.zip

CrankBerry Blog » Security

PHP password strength detector script

Secure PHP login without database

Less Talk More Script