<title>Change Password</title>
<SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
<SCRIPT type="text/javascript" LANGUAGE="JavaScript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/CGIscriptorSession.js"></SCRIPT>
window.onload = function() {
	loadSessionData (CGIscriptorSessionType, CGIscriptorChallengeTicket);
<script type="text/javascript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/sha.js"></SCRIPT>
<p ALIGN=RIGHT><a href="index.html?LOGOUT">Logout</a></p>
<p ALIGN=RIGHT><a href="index.html">Home page</a><br />
<a href="CreateUser.html">Create New User Account</a></p>
<h1 align=CENTER>Change the password for user <em><script type="text/ssperl" CGI='$LOGINUSERNAME=""'>$LOGINUSERNAME</script></em></h1>
<form method="POST" action="index.html" id="LoginForm"
onSubmit='if(! check_password_fields())return false;EncryptNewPassword("CGIUSERNAME");HashPassword("<SCRIPT TYPE="text/ssperl">
$RANDOMSALT</SCRIPT>");hidePasswords();true'>
<div style="margin-left: 30%; margin-right: 30%; text-align: left">
<td style="text-align: right">Old Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="60" /></td>
<td style="text-align: right">New Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="60" />
<td style="text-align: right">Repeat:</td>
<td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="60" onChange="check_password_fields();"/></td>
<td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" />
<input type="button" id="revealpassword" value="Show Passwords" onClick="this.value=togglePasswords('Hide', 'Show', this.value);true" />
<input type="hidden" name="CGIUSERNAME" id="CGIUSERNAME" size="20" value="<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT>" />
<input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
<input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
<input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
<input type="hidden" name="SESSIONTICKET" id="SESSIONTICKET" value="" />
<input type="hidden" name="CHALLENGETICKET" id="CHALLENGETICKET" />
<h2 align=CENTER>Strong Passwords: It is so easy</h2>
<h3 align=CENTER>If you only could see what you are typing</h3>
<p style="margin-left: 20%; margin-right: 20%; text-align: center">
<a href="http://xkcd.com/936/" target="_blank"><img src="http://imgs.xkcd.com/comics/password_strength.png" width="60%" /></a>
<p style="margin-left: 30%; margin-right: 30%; text-align: center">
<font style="font-size: small">
Note: For the procedures used at this site, a basic computer setup can check 1 billion passwords per second. You need
a password (or phrase) strength in the order of 56 bits to be a little secure (one year on a single computer).<br />
An example would be the phrase '</em>sherlock curry oleander<em>'.
<p style="margin-left: 30%; margin-right: 30%; text-align: justify">
Your password might be vulnerable to <a href="https://en.wikipedia.org/wiki/Brute_force_attack"><em>brute force</em></a> guessing.
Protections against such attacks are costly in terms of code complexity, bugs, and execution time.<br />
However, there is a very simple and secure countermeasure. See the <a href="http://xkcd.com/936/" target="_blank">XKCD comic</a>
above. The phrase, <em>There is no password like more password</em> would be both much easier to remember, and still stronger than
<em>h4]D%@m:49</em>, at least before this phrase was pasted as an example on the Internet.<br />
Please be so kind and add the name of your favorite flower, dish, or fictional character to your password.
Say, <em>Oleander</em>, <em>Curry</em>, or <em>Sherlock</em> (each adds 20 bits or more according to Google Ngram viewer)
or even the phrase <em>Sherlock hates curry with oleander</em> (adds ~94 bits, note that oleander is
<em>poisonous</em>, so do not try this curry at home).
That would be more effective than adding a million rounds of encryption.<br />
Typing long passwords without seeing what you are typing is problematic. So a
button is included to make passwords visible.
The Salt and Ticket values are all created using SHA256 on 64 bytes of output from <em>/dev/urandom</em> in HEX.
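The strength figures in the note above, worked through as an added example (not part of CGIscriptor or of this page's original code): it checks the 56-bit/one-year figure at 1 billion guesses per second and compares one extra word against a million hash rounds. The word frequencies in `SAMPLE_FREQ` and the 36-bit base password are constructed values, not Google Ngram data, and all function names are hypothetical.

```javascript
// Added example: the strength arithmetic from the note, in one place.
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;
const GUESS_RATE = 1e9; // guesses per second, the figure stated in the note

// Constructed relative word frequencies (placeholders, not Ngram data).
const SAMPLE_FREQ = { sherlock: 1e-6, curry: 8e-7, oleander: 1e-7 };

// A word drawn with relative frequency f costs an attacker -log2(f) bits.
function wordBits(word, freq = SAMPLE_FREQ) {
  const f = freq[word.toLowerCase()];
  if (!(f > 0 && f < 1)) throw new Error('no usable frequency for "' + word + '"');
  return -Math.log2(f);
}

// Independently chosen words add their bits.
function phraseBits(phrase, freq = SAMPLE_FREQ) {
  return phrase.trim().split(/\s+/).reduce((sum, w) => sum + wordBits(w, freq), 0);
}

// Iterating the hash multiplies the cost of every guess: worth log2(rounds) bits.
function roundsBits(rounds) {
  return Math.log2(rounds);
}

// Expected time to hit the secret: half the search space at the given rate.
function expectedYears(bits, rate = GUESS_RATE) {
  return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR;
}

// Inverse: bits needed so that the expected search lasts `years`.
function bitsForYears(years, rate = GUESS_RATE) {
  return Math.log2(2 * years * SECONDS_PER_YEAR * rate);
}

// Same base password: one extra word versus extra hash rounds.
function compare(baseBits, extraWord, rounds) {
  const withWord = baseBits + wordBits(extraWord);
  const withRounds = baseBits + roundsBits(rounds);
  return {
    withWord, withRounds,
    yearsWord: expectedYears(withWord),
    yearsRounds: expectedYears(withRounds),
  };
}

console.log("bits for one year:", bitsForYears(1).toFixed(1));
console.log(compare(36, "oleander", 1e6)); // 36-bit base is a constructed value
```

A million rounds is worth just under 20 bits, which is why a single uncommon word matches or beats it without any cost to the server.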
<FONT STYLE="font-size:small">
<p> Example Login page for CGIscriptor.pl<br />
Copyright © 2012 R.J.J.H. van Son<br />
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br />
You should have received a copy of the GNU General Public License
along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
<p> A JavaScript implementation of the SHA family of hashes, as defined in FIPS
PUB 180-2 as well as the corresponding HMAC implementation as defined in
Version 1.3 Copyright Brian Turek 2008-2010
Distributed under the BSD License<br />
See <a href="http://jssha.sourceforge.net/">http://jssha.sourceforge.net/</a> for more information<br />
Several functions taken from Paul Johnson