[CGIscriptor.git] / Private / ChangePassword.html
blob 4e975daa0cf72248431c692bdea1bbd5394de872
<html>
<head>
<title>Change Password</title>
<SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
"";
</SCRIPT>
<SCRIPT type="text/javascript" LANGUAGE="JavaScript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/CGIscriptorSession.js"></SCRIPT>
// Load the session data for this page once the document has finished loading
window.onload = function() {
loadSessionData (CGIscriptorSessionType, CGIscriptorChallengeTicket);
return true;
};
</SCRIPT>
<script type="text/javascript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/sha.js"></SCRIPT>
</script>
</head>
<body>
<p ALIGN=RIGHT><a href="index.html?LOGOUT">Logout</a></p>
<p ALIGN=RIGHT><a href="index.html">Home page</a><br />
<a href="CreateUser.html">Create New User Account</a></p>
<h1 align=CENTER>Change the password for user <em><script type="text/ssperl" CGI='$LOGINUSERNAME=""'>$LOGINUSERNAME</script></em></h1>
<p>
<form method="POST" action="index.html" id="LoginForm"
onSubmit='if(! check_password_fields())return false;EncryptNewPassword("CGIUSERNAME");HashPassword("<SCRIPT TYPE="text/ssperl">
$RANDOMSALT</SCRIPT>");hidePasswords();true'>
<div style="margin-left: 30%; margin-right: 30%; text-align: left">
<table>
<tr>
<td style="text-align: right">Old Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="60" /></td>
</tr>
<tr>
<td style="text-align: right">New Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="60" />
</td>
</tr>
<tr>
<td style="text-align: right">Repeat:</td>
<td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="60" onChange="check_password_fields();"/></td>
</tr>
<tr>
<td></td>
<td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" />
<input type="button" id="revealpassword" value="Show Passwords" onClick="this.value=togglePasswords('Hide', 'Show', this.value);true" />
</td>
</tr>
</table>
<input type="hidden" name="CGIUSERNAME" id="CGIUSERNAME" size="20" value="<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT>" />
<input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
<input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
<input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
<input type="hidden" name="SESSIONTICKET" id="SESSIONTICKET" value="" />
<input type="hidden" name="CHALLENGETICKET" id="CHALLENGETICKET" />
</div>
</form>
</p>
<h2 align=CENTER>Strong Passwords: It is so easy</h2>
<h3 align=CENTER>If only you could see what you are typing</h3>
<p style="margin-left: 20%; margin-right: 20%; text-align: center">
<a href="http://xkcd.com/936/" target="_blank"><img src="http://imgs.xkcd.com/comics/password_strength.png" width="60%" /></a>
</p>
<p style="margin-left: 30%; margin-right: 30%; text-align: center">
<font style="font-size: small">
<em>
Note: For the procedures used at this site, a basic computer setup can check a billion passwords per second. You need
a password (or phrase) strength in the order of 56 bits to be a little secure (one year on a single computer). One of
the largest networks in the world, Bitcoin mining, can check some 12 terahashes per second (June 2012). This
corresponds to checking 6 times 10<sup>12</sup> passwords per second.
It would take a password strength of ~68 bits to keep the equivalent of
the Bitcoin computer network occupied for around a year before it found
a match.<br />
An example would be the phrase '</em>sherlock investigates oleander curry in bath<em>'.
</em>
</font>
</p>
<p style="margin-left: 30%; margin-right: 30%; text-align: justify">
Your password might be vulnerable to <a href=
"https://en.wikipedia.org/wiki/Brute_force_attack"><em>brute force
</em></a> guessing. Protections against such attacks are costly in
terms of code complexity, bugs, and execution time.<br /> However,
there is a very simple and secure countermeasure. See the <a href=
"http://xkcd.com/936/" target="_blank">XKCD comic</a> above. The
phrase <em>There is no password like more password</em> would be
both much easier to remember and still stronger than <em>h4]D%@m:49
</em>, at least before this phrase was pasted as an example on the
Internet.<br /> Please be so kind as to add the name of your favorite
flower, dish, fictional character, or small town to your password.
Say, <em>Oleander</em>, <em>Curry</em>, <em>Sherlock</em>, or <em>Bath</em>
(each adds ~12 bits) or even the phrase <em>Sherlock investigates
oleander curry in Bath</em> (adds &gt; 56 bits; note that oleander is
<em>poisonous</em>, so do not try this curry at home). That would be
more effective than adding a thousand rounds of encryption. Typing
long passwords without seeing what you are typing is problematic, so
a button should be included to make the password visible.
</p>
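The guess-rate argument above, worked through in Python as an added example (not part of the original page or of CGIscriptor): the entropy of a random-character password versus a word passphrase, and how long exhausting that keyspace takes at the two rates the note quotes. The 4096-word vocabulary and the 95-symbol printable-ASCII alphabet are assumptions, chosen so that one word contributes the ~12 bits the page cites.

```python
import math

# Guess rates quoted on the page (2012 figures): a basic computer, and the
# Bitcoin network, whose ~12 TH/s the page equates to ~6e12 password checks/s.
SINGLE_COMPUTER_RATE = 1e9
BITCOIN_NETWORK_RATE = 6e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption: a 4096-word vocabulary, chosen so that one uniformly chosen word
# contributes the ~12 bits the page quotes (2**12 == 4096).
VOCAB_SIZE = 4096
PRINTABLE_ASCII = 95  # assumption: printable ASCII symbols available for h4]D%@m:49

def charset_bits(length, charset_size=PRINTABLE_ASCII):
    """Entropy (bits) of `length` symbols drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)

def passphrase_bits(n_words, vocab_size=VOCAB_SIZE):
    """Entropy (bits) of `n_words` words drawn uniformly from a vocabulary."""
    return n_words * math.log2(vocab_size)

def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate of a 2**bits keyspace at a fixed rate.
    The expected time to hit one particular secret is half of this."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def strength_report(label, bits, target_bits=56):
    """Summarise one candidate against the page's ~56-bit target and both guess rates."""
    return {
        "label": label,
        "bits": round(bits, 1),
        "meets_target": bits >= target_bits,
        "years_single_computer": years_to_exhaust(bits, SINGLE_COMPUTER_RATE),
        "years_bitcoin_network": years_to_exhaust(bits, BITCOIN_NETWORK_RATE),
    }

def compare_examples():
    """The page's own examples: a 10-symbol random password versus word passphrases."""
    return [
        strength_report("h4]D%@m:49 (10 random printable chars)", charset_bits(10)),
        strength_report("sherlock investigates oleander curry in bath (6 words)", passphrase_bits(6)),
        strength_report("There is no password like more password (8 words)", passphrase_bits(8)),
    ]

if __name__ == "__main__":
    for r in compare_examples():
        print(f"{r['label']}: {r['bits']} bits, {r['years_single_computer']:.2g} y on one "
              f"computer, {r['years_bitcoin_network']:.2g} y on the Bitcoin network")
```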
<hr>
<p>
The salt and ticket values are all created by applying SHA256 to 64 bytes of output from <em>/dev/urandom</em>, encoded in hex.
</p>
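The salt and ticket recipe just described, as an added Python example (not CGIscriptor's own Perl code): a value generated the same way, plus the format check and constant-time comparison a server should apply to tickets echoed back from the hidden form fields. The 64-hex-character format follows from SHA256's 256-bit digest; os.urandom() is assumed to be an equivalent source to reading /dev/urandom directly.

```python
import hashlib
import hmac
import os
import re

# Format implied by the page: a SHA256 hex digest, i.e. exactly 64 hex characters.
TICKET_RE = re.compile(r"[0-9a-fA-F]{64}")
URANDOM_BYTES = 64  # the page hashes 64 bytes of /dev/urandom output

def new_ticket():
    """Create a salt or ticket the way the page describes: SHA256 over 64 bytes of
    CSPRNG output, returned as hex. os.urandom() stands in for /dev/urandom."""
    return hashlib.sha256(os.urandom(URANDOM_BYTES)).hexdigest()

def looks_like_ticket(value):
    """Cheap format check a server should apply to a salt or ticket that came back
    from a hidden form field before feeding it into any further hashing."""
    return isinstance(value, str) and TICKET_RE.fullmatch(value) is not None

def tickets_match(expected, received):
    """Compare a stored ticket with the client's copy without leaking the position
    of the first differing character through timing (hmac.compare_digest)."""
    if not (looks_like_ticket(expected) and looks_like_ticket(received)):
        return False
    return hmac.compare_digest(expected.lower(), received.lower())

if __name__ == "__main__":
    ticket = new_ticket()
    print(ticket, looks_like_ticket(ticket), tickets_match(ticket, ticket.upper()))
```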
<FONT STYLE="font-size:small">
<p> Example Login page for CGIscriptor.pl<br />
Copyright &copy; 2012 R.J.J.H. van Son<br />
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br />
You should have received a copy of the GNU General Public License
along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
</p>
<p> A JavaScript implementation of the SHA family of hashes, as defined in FIPS
PUB 180-2 as well as the corresponding HMAC implementation as defined in
FIPS PUB 198a<br />
Version 1.3 Copyright Brian Turek 2008-2010
Distributed under the BSD License<br />
See <a href="http://jssha.sourceforge.net/">http://jssha.sourceforge.net/</a> for more information<br />
Several functions taken from Paul Johnson
</p>
</FONT>
</body>
</html>