Selection Structures - Password Strength
In almost every instance in which we want to solve a problem, we choose between different options depending on whether certain conditions are met. Computer programs are built to solve problems, therefore they should have a structure that allows them to make decisions and select alternatives. In C++, selections are structured using if
, else
, else if
or switch
. Relational expressions and logical operators are common when handling selection structures. In this laboratory experience, you will practice the use of some of these selection structures by completing the design of an application that determines the strength of a password.
Objectives:
- Use relational expressions and select adequate logical operators to make decisions.
- Apply selection structures.
Pre-Lab:
Before you get to the laboratory you should have:
Reviewed the following concepts:
a. logical operators.
b.
if
,else
,else if
.Reviewed the use of objects of the
string
class and itslength()
method.Studied the concepts and instructions for this laboratory session.
Taken the Pre-Lab quiz, available in Moodle.
Password Strength
Using strong passwords is essential to securing information. A password is considered strong if it is not cost-effective for a hacker to try and guess it using multiple methods or brute force. For example, a password that consists of a simple dictionary word, without digits, symbols or uppercase letters, is so easy to decipher that even a caveman could do it.
Since an official system to measure password strength doesn't exist, we will use formulas created by the passwordmeter to evaluate the general strength of a given password [1]. We recommend that you play around a bit with the application in http://passwordmeter.com so that you understand how the application you will be implementing should behave. The strength of the password will be quantified by adding points for using good techniques of password selection (like using symbols and letters), and subtracting points for using bad habits (like only using lowercase letters or consecutive symbols of the same type).
The following tables review the added and subtracted values for various criteria in passwords.
Assigning Points to a Password
Adding Points:
Category | Points | Notes | |
---|---|---|---|
1. | Number of characters | is the length of the password | |
2. | Uppercase letters | is the number of uppercase letters | |
3. | Lowercase letters | is the number of lowercase letters | |
4. | Digits | is the number of digits | |
5. | Symbols | is the number of symbols | |
6. | Digits or symbols in the middle | is the number of digits or symbols in the middle | |
7. | Requisites | is the number of criteria that are met |
Table 1. Positive criteria for password strength.
What follows are some additional details and examples for the criteria of adding points.
Number of Characters: this is the simplest criteria. The score will be times the length of the password. For example,
"ab453"
has a count of and a score of .Uppercase Letters: the score is if the password consists of a mix of uppercase letters and at least another type of character (lowercase, digits, symbols). If not, the score is . For example:
a. The score for
"ab453"
would be since it doesn't have uppercase letters (the count is also ).b. The score for
"ALGO"
would be since it only has uppercase letters (the count is ).c. The score for
"SANC8in"
would be since the password has a length of , has uppercase letters, and contains characters of another type (the count is ).Lowercase Letters: the score is if the password is a mix of lowercase letters and at least another type of character (uppercase, digits, symbols). If not, the score is . For example:
a. The score for
"ab453"
would be because the password has a length of, has lowercase letters, and contains characters of another type. The count is .b. The score for
"ALGO"
would be because it doesn't have lowercase letters. The count is .c. The score for
"sancochin"
would be because it only has lowercase letters. The count is .Digits: the score is if the password consists of a mix of digits and at least another type of character (lowercase, uppercase, symbols). If not, the score is . For example:
a. The score for
"ab453"
would be because the password contains digits and contains characters of another type.b. The score for
"ALGO"
would be because it doesn't have digits.c. The score for
801145555
would be because it only has digits.Symbols: the score is if the password contains symbols. Otherwise, the score is . For example:
a. The score for
"ab453"
would be because it does not contain symbols.b. The score for
"ALGO!!"
would be because it contains symbols and contains other types of characters.c. The score for
"---><&&"
would be because it contains symbols. Note that in the case of symbols, points are given even when there aren't other types of characters.Digits or Symbols in the Middle: the score is if the password has symbols or digits that are not in the first or last position. For example:
a. The score for
"ab453"
would be because it has 2 digits that are not in the first or last position, these are4
and5
.b. The score for
"ALGO!"
would be because it does not contain digits or symbols in the middle, the only symbol is in the last position.c. The score for
S&c8i7o!
would be because it has symbols or digits in the middle, these are&
, 8, and
7`.Requisites: the score is only if the length criteria and 3 or 4 of the other criteria are met, where is the number of criteria that is met. The criteria are:
a. The password must have 8 or more characters of length.
b. The password must have:
Uppercase letters
Lowercase letters
Numbers
Symbols
Each of the items listed in part b. count as one individual criteria. For example:
i. The score for
"ab453"
would be {% math %}0{% endmath %} because the criteria for length is not met.ii. The score for
"abABCDEF"
would be {% math %}0{% endmath %} because, despite the fact that the length criteria is met, only 2 of the 4 other criteria are met (uppercase and lowercase letters).iii. The score for
"abAB99!!"
would be {% math %}2 \cdot 5 = 10{% endmath %} because the length criteria and the other 4 criteria are met.
Subtracting Points
Category | Points | Notes | |
---|---|---|---|
1. | Only letters | is the length of the password | |
2. | Only digits | is the length of the password | |
3. | Consecutive uppercase letters | is the number of uppercase letters that follow another uppercase letter | |
4. | Consecutive lowercase letters | is the number of lowercase letters that follow another lowercase letter | |
5. | Consecutive digits | is the number of digits that follow another digit |
Table 2. Negative criteria for password strength.
The following are additional details and examples of the criteria for subtracting points.
Letters Only: the score is for a password that consists of letters only, otherwise it is . For example:
a. The score for
"ab453"
would be since it contains letters and numbers.b. The score for
"Barrunto"
would be since it only contains letters and its length is .Digits Only: the score is for a password that consists of digits only, otherwise it is . For example:
a. The score for
"ab453"
would be since it contains only letters and numbers.b. The score for
"987987987"
would be since it contains only digits and its length is .Consecutive Uppercase Letters: the score is where is the number of uppercase letters that follow another uppercase letter. For example,
a. the score for
"DB453"
would be since it only contains one uppercase letter (B
) that follows another uppercase letter.b. the score for
"TNS1PBMA"
would be since it contains 5 uppercase letters (N
,S
,B
,M
,A
) that follow another uppercase letter.Consecutive Lowercase Letters: the same as for criteria #3, but for lowercase letters.
Consecutive Digits: the same as for criteria #3, but for digits.
"@uasimodo"
for the criteria of lowercase letters.
"@uasimodo"
does not consist of only lowercase letters, its score for the criteria of *lowercase letters should be .
"@uas1m@do"
for the criteria of symbols?
"@uas1m@do"
contains 2 symbols, its score for the criteria of symbols should be .
"@uasimodo"
for the criteria of only letters.
"@uasimodo"
does not consist of letters only, its score for the criteria of *only letters should be 0.
"QQ2HMIJOX"
for the criteria of consecutive uppercase letters.
"QQ2HMIJOX"
has 6 uppercase letters (Q
, M
, I
, J
, O
, X
) that follow another lowercase letter. Therefore its score for the criteria of consecutive uppercase letters should be -12.
@
in the center of the string. For example, "j@j"
and "bc@de"
would receive the bonus. Which would be the adequate way of implementing this score?
passwd.length() % 2 == 1
. Since in C++ the 1
is interpreted as true, it is enough to put passwd.length() % 2
. The second condition is verified by determining if the character that is in the position passwd.length() / 2
is a @
. This is achieved with passwd[ passwd.length() / 2 ] == ‘@’
.
Laboratory Session:
In this laboratory experience you will practice the use of mathematical expressions and selection structures to compute the score for the strength of a password combining the points for the individual criteria.
Your task is to complete the design of the application to measure the strength of a password. When done, you will obtain a simplified version of the application in http://www.passwordmeter.com. Since there isn't an official system to measure passwords, the formulas created by "passwordmeter" will be used to evaluate the general strength of a given password. The application will allow users to enter a password and calculate its strength using a series of rules.
The strength of the password will be quantified by adding points for using good password selection techniques (like combining symbols and letters) and subtracting points for using bad habits (like using only uppercase letters or consecutive symbols of the same type). Your program will analyze the password given by the user and use the criteria in the tables presented above to compute a score for the password's strength.
Once the application is complete, it will show a window where, as the password characters are entered, the partial score will be displayed. This graphical interface will offer the user a way to improve his password and correct typical weak password habits.
Exercise 1 - Familiarize Yourself with the Pre-defined Functions
The first step in this laboratory experience is to familiarize yourself with the functions that are pre-defined in the code. You will call these functions as part of your own code to compute the score of the various password strength criteria.
Instructions
Load the project
PasswordStrength
intoQtCreator
. There are two ways to do this:- Using the virtual machine: Double click the file
PassworStrength.pro
located in the folder/home/eip/labs/selections-passwordstrength
of your virtual machine. - Downloading the project’s folder from
Bitbucket
: Use a terminal and write the commandgit clone http:/bitbucket.org/eip-uprrp/selections-passwordstrength
to download the folderselections-passwordstrength
fromBitbucket
. Double click the filePassworStrength.pro
located in the folder that you downloaded to your computer.
- Using the virtual machine: Double click the file
Configure the project. The project consists of several files. You will only write code in the file
readpassword.cpp
. You should not make any changes in the other files. Despite this, you should familiarize yourself with the functions that are already defined in them, since you will be using some of them to create your code.psfunctions.cpp
: contains the implementations of some of the functions that will invoke in your program to calculate the score for the password's strength. You do not have to change anything in this file or in the filepsfunctions.h
. Simply invoke the functions as necessary from thereadPass
function in thereadpassword.cpp
file. Note that the function names tell you what the functions do.psfunctions.h
: contains the prototypes for the functions defined inpsfunctions.cpp
.
Exercise 2 - Understand the Functions to Update the User's Graphical Interface.
In the laboratory exercise you will write code to calculate the score associated to each one of the criteria in the tables for adding and subtracting points shown above. These scores should be updated in the user's graphical interface that is shown in Figure 1.
Figure 1. User graphical interface for Password strength project.
There are predefined functions that update the graphical interface. For the application to work properly, each time that your code computes the score that is given for each criteria you should invoke the function to update that particular criteria in the graphical interface. The functions to update the criteria have the following syntax:
void setCRITERIA(int count, int score) ;
where CRITERIA should be replaced by the criteria that is being evaluated. Observe that the function requires two arguments: the count, that is the amount of characters that meet the criteria, and the score, that is the calculation that you will implement following the tables presented above. For example:
count = pass.length() ;
score = 4 * count ;
setNumberOfCharacters(count, score);
totalScore += score ;
In the above code count
contains the number of characters in the password, score
contains the computation for the score of the criteria for the number of characters, and setNumberOfCharacters(count, score);
invokes the function to update the corresponding information for the criteria "Number of characters" in the graphical interface.
The functions to update the graphical interface are:
// To update the password's length.
void setNumberOfCharacters(int count, int score) ;
// For adding points
// To update the uppercase characters.
void setUpperCharacters(int count, int score) ;
// To update the lowercase characters.
void setLowerCharacters(int count, int score) ;
// To update the characters that are digits.
void setDigits(int count, int score) ;
// To update the characters that are symbols.
void setSymbols(int count, int score) ;
// To update the digits or symbols in the middle
void setMiddleDigitsOrSymbols(int count, int score) ;
// To update the criterium of the requisites
void setRequirements(int count, int score) ;
// For subtracting points
// To update the criterium of only letters.
void setLettersOnly(int count, int score) ;
// To update the criterium of only digits.
void setDigitsOnly(int count, int score) ;
// To update the criterium of consecutive uppercase letters.
void setConsecutiveUpper(int count, int score) ;
// To update the criterium of consecutive lowercase letters.
void setConsecutiveLower(int count, int score) ;
// To update the criterium of consecutive digits.
void setConsecutiveDigits(int count, int score) ;
Exercise 3 - Compute the Score for the Criteria and the Total Score for the Password
The code that we're providing you contains the functions that compute the count for the majority of the criteria and whose names reflect what they do and what the function returns. For example, countUppercase
, return the number of characters that are uppercase letters.
You can find a list and description of the functions in this link.
Your task is to use mathematical expressions and decision structures for the individual criteria scores and combine them to compute the total score for the password's strength.
Example 1:
Figure 2. Window with the report for the password caba77o
.
Example 2:
Figure 3. Window with the report for the password S1nf@nia!
.
In Example 2, the number of requisites is 5 because "S1nf@nia!"
meets the criteria for length and also contains uppercase letters, lowercase letters, numbers and symbols. Therefore, the score for the number of requisites is .
In the project's code you will find examples of how to calculate the first two positive criteria: the number of characters in the password and the numbers of uppercase letters. You can compile and execute the example so you can see the working interface with these two criteria. Part of your task is to add the code to compute the score for the remaining criteria. Remember that you should accumulate the total score and invoke the functions to update the graphical interface.
Exercise 4 - Determine and Display the Password's Strength
The user will input the password in the top section of the graphical interface. Below appears the report that contains the different criteria, the count for each criteria, and the individual score for the criteria. This report will be updated as the user inputs the password's characters. The total score will be the sum of all of the points (addition and subtraction) of the individual criteria.
Based on the total score, the program will classify the password's strength as follows:
Total score | Strength |
---|---|
[0,20) | Very weak |
[20,40) | Weak |
[40,60) | Good |
[60,80) | Strong |
[80,100] | Very strong |
The provided code already invokes the strengthDisplay
function with the strength calculated and the total score to update the classification, and the bar that indicates the password's strength in the graphical interface.
Deliverables
Use "Deliverable" in Moodle to upload the readpassword.cpp
file that contains the code with the computation for the score of the individual criteria, the final score, the function calls to update the graphical interface, the password's classification and the displayed functions. Remember to use good programming techniques, include the name of the programmers involved, and document your program.
References
[1] Passwordmeter, http://www.passwordmeter.com/