Thread: PwdFilt

I have downloaded and have been playing around with the PasswordFilters sample which is found in the Microsoft Platform SDK.

As a VB.NET developer, I am stumped as to how to modify this to allow for a minimum of 1 letter (a-z) or 1 special character (#,$,@,_) AND 1 number. The letters and numbers are not a problem. It is detecting the 4 special characters which I am having problems with.

Does anybody have any suggestions on how to do this?

Here is what has been attempted within the PasswordFilter function:

Code:

      for (i = 0 ; i < cchPassword ; i++)
      {

         //
         // keep track of what type of characters we have encountered
         //

         if (CharType[i] & C1_DIGIT)
         {
            dwNum = 1;
            continue;
         }

         if (CharType[i] & C1_UPPER | C1_LOWER)
         {
            dwChar = 1;
            continue;
         }

         if (!(CharType[i] & (C1_ALPHA | C1_DIGIT) ))
         {
            //
            // any other character types make the password complex
            //

                //Password->Buffer is a Pointer and cannot be used in this manner
                //This is here to demonstrate what I am trying to achieve.
	switch(Password->Buffer[i])
	{
	case '#': case '$': case '@': case '_':
		dwChar = 1;
		break;
	default:
		break;
	}
            continue;
			
         }
      } // for

Thanks,
Jody

Sorry, I should have been more specific in my first post.

As previously mentioned, I have downloaded and have been playing around with the PasswordFilters sample which is found in the Microsoft Platform SDK.

I would like to modify this function to allow for a minimum of 1 letter (a-zA-Z) or 1 special character (#,$,@,_) AND 1 number. The letters and numbers are not a problem. It is detecting the 4 special characters which I am having problems with.

GetStringTypeW is used to get the character type from a PUNICODE_STRING. If the type is NOT C1_ALPHA or C1_DIGIT, we would like to look at the actual character value (from PUNICODE_STRING) to determine if it is one of (#,$,@,_). If it is NOT any of these characters, then an invalid character has been entered and we would break out of the loop and return FALSE to indicate an invalid password.

Any other suggestions?

The full function (unedited) is:

Code:

BOOL
NTAPI
PasswordFilter(
              PUNICODE_STRING UserName,
              PUNICODE_STRING FullName,
              PUNICODE_STRING Password,
              BOOL SetOperation
              )
/*++

Routine Description:

    This (optional) routine is notified of a password change.

Arguments:

    UserName - Name of user whose password changed

    FullName - Full name of the user whose password changed

    NewPassword - Cleartext new password for the user

    SetOperation - TRUE if the password was SET rather than CHANGED

Return Value:

    TRUE if the specified Password is suitable (complex, long, etc).
     The system will continue to evaluate the password update request
     through any other installed password change packages.

    FALSE if the specified Password is unsuitable. The password change
     on the specified account will fail.

--*/
{
   BOOL bComplex = FALSE; // assume the password in not complex enough
   DWORD cchPassword;
   PWORD CharType;
   DWORD i;
   DWORD dwNum = 0;
   DWORD dwUpper = 0;
   DWORD dwLower = 0;


   //
   // check if the password is complex enough for our liking by
   // checking that at least two of the four character types are
   // present.
   //

   CharType = HeapAlloc(GetProcessHeap(), 0, Password->Length);
   if (CharType == NULL) return FALSE;

   cchPassword = Password->Length / sizeof(WCHAR);

   if (GetStringTypeW(
                     CT_CTYPE1,
                     Password->Buffer,
                     cchPassword,
                     CharType
                     ))
   {

      for (i = 0 ; i < cchPassword ; i++)
      {

         //
         // keep track of what type of characters we have encountered
         //

         if (CharType[i] & C1_DIGIT)
         {
            dwNum = 1;
            continue;
         }

         if (CharType[i] & C1_UPPER)
         {
            dwUpper = 1;
            continue;
         }

         if (CharType[i] & C1_LOWER)
         {
            dwLower = 1;
            continue;
         }

         if (!(CharType[i] & (C1_ALPHA | C1_DIGIT) ))
         {

            //
            // any other character types make the password complex
            //

            dwNum = 2;

            break;
         }
      } // for

      //
      // Indicate whether we encountered enough password complexity
      //

      if ( (dwNum + dwUpper + dwLower) >= 2 )
         bComplex = TRUE;

      ZeroMemory( CharType, Password->Length );
   } // if

   HeapFree(GetProcessHeap(), 0, CharType);

   return bComplex;
}

Thanks,
Jody

So I think the question then is, what kind of characters you're using? '#', '$', etc. are just plain chars. If you're using wchar_t or tchar, then you would need to use character literals of the same type.

From what I understand (through reading and testing), is that this function gets called whenever a user (or admin) attempts to change an Active Directory password. We would like to validate the newly entered password to ensure that it meets our criteria (mentioned above). As a .NET programmer, I am not sure on how to get, and compare, the character values associated with the Password->Buffer pointer.

You access bits of a character array like you access bits of any other array. So Password->Buffer[0] is the first character, Password->Buffer[1] is the next, etc.

Inside of the loop, Password->Buffer[i] does not work. This is a pointer and not the actual character value. I am unsure on how to get the character to which the pointer is referencing.

Originally Posted by jgelowitz

Inside of the loop, Password->Buffer[i] does not work. This is a pointer and not the actual character value. I am unsure on how to get the character to which the pointer is referencing.

You keep saying this, but it is not in fact true. Password->Buffer is a pointer, yes. Password->Buffer[i] is a character -- specifically, it's a wide character. So, for instance (excuse the mix of C++ and C):

Code:

#include <windows.h>
#include <ntsecapi.h>
#include <cstdio>
int main(void) {

    PUNICODE_STRING bob = new UNICODE_STRING;
    bob->Buffer = L"This is a string.";
    bob->Length = 17;
    for (int i = 0; i < bob->Length; i++) {
        printf("%lc\n", bob->Buffer[i]);
    }
    system("PAUSE");
    return 0;
}

In other words, I don't get any syntax errors from your original code, and as much as I am able to test it it works correctly. If you are having problems, you will have to break down and actually tell us what they are.

Thank you all for your comments. With your suggestions, here is a solution which does what we are looking for:

Code:

BOOL
NTAPI
PasswordFilter(
              PUNICODE_STRING UserName,
              PUNICODE_STRING FullName,
              PUNICODE_STRING Password,
              BOOL SetOperation
              )
{
   BOOL bComplex = FALSE; // assume the password in not complex enough
   DWORD i;
   DWORD dwNum = 0;
   DWORD dwAlpha = 0;

    size_t  count;
    char    *pstrPwd = (char *)malloc( Password->Length / sizeof(WCHAR) );

    count = wcstombs(pstrPwd, Password->Buffer, Password->Length / sizeof(WCHAR) );

if (count <= 10)
{
	for (i = 0; i < count; i++)
	{
		if(isalpha(pstrPwd[i]))
		{
			dwAlpha = 1;
		}
		else if(isdigit(pstrPwd[i]))
		{
			dwNum = 1;
		}
		else
		{
			if (!(pstrPwd[i] == '@' || pstrPwd[i] == '#' || pstrPwd[i] == '$' || pstrPwd[i] == '_'))
			{
				dwAlpha = 0;
				dwNum = 0;
				break;
			}

		}
	}

      if ( (dwNum + dwAlpha) >= 2 )
         bComplex = TRUE;
}

	ZeroMemory(pstrPwd, count);

    free(pstrPwd);

   return bComplex;
}