brianr/StandalonePasswordChange
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
StandalonePasswordChange/python-flask/smeserver-password-app/README.md

10 KiB
Raw Permalink Blame History

Corrected SME Server Password Change Application

Overview

A corrected Python Flask web application for SME Server password management that uses the proper database structure and external zxcvbn password validation library.

Corrections Made

🔧 Correct Database Structure

The application now properly reads from the actual SME Server passwordstrength configuration:

passwordstrength=configuration
    Admin=strong
    Ibays=strong  
    Users=strong

Previous (Incorrect): passwordstrength.Passwordstrength
Current (Correct): passwordstrength.Users, passwordstrength.Admin, passwordstrength.Ibays

📚 External Password Validation Library

  • Library: zxcvbn-python 4.4.28 - Industry-standard password strength estimation
  • Features: Advanced pattern detection, dictionary attacks, keyboard patterns, common passwords
  • Fallback: Basic validation when zxcvbn is not available

🔒 Features

🎯 Configurable Password Strength Validation

  • Three Account Types: Users, Admin, Ibays (separate configuration)
  • Three Strength Levels: None, Normal, Strong
  • Database Driven: Reads actual SME Server configuration
  • Real-time Validation: Instant feedback with zxcvbn scoring

Password Strength Levels:

  • None: Basic validation only
  • Normal: 12+ characters with uppercase, lowercase, number, and special character
  • Strong: Normal requirements + zxcvbn advanced validation against:
    • Common passwords (10k+ database)
    • Keyboard patterns (qwerty, 123456, etc.)
    • Dictionary words and names
    • Repeated sequences and patterns
    • Contextual analysis (username, etc.)

👁️ Password Visibility Toggles

  • Show/Hide buttons for all password fields
  • Dynamic text changes (Show ↔ Hide)
  • Secure implementation with proper clearing

📊 Real-time Password Strength Indicator

  • zxcvbn Scoring: Professional 0-4 scale (Very Weak → Strong)
  • Detailed Feedback: Specific suggestions from zxcvbn
  • Color-coded Display: Visual strength indication
  • Live Updates: Changes as user types

⚙️ Admin Configuration Panel

  • Separate Controls: Users, Admin, Ibays password strength
  • Web Interface: Easy configuration at /admin
  • Live Updates: Changes apply immediately
  • Visual Feedback: Clear current setting display

🧪 Technical Specifications

Compatibility

  • Python 3.6.8 - Fully compatible (no f-strings)
  • Flask 2.0.3 - Tested and verified
  • SME Server Integration - Correct database structure
  • zxcvbn Library - External validation with fallback

Dependencies

Flask==2.0.3
Flask-CORS==3.0.10
Werkzeug==2.0.3
zxcvbn==4.4.28

Database Integration

# Correct database reads
config_db.get_password_strength_setting('Users')   # passwordstrength.Users
config_db.get_password_strength_setting('Admin')   # passwordstrength.Admin  
config_db.get_password_strength_setting('Ibays')   # passwordstrength.Ibays

🚀 Installation

Quick Install

# Extract and install
tar -xzf smeserver-password-app-corrected.tar.gz
cd smeserver-password-app-corrected
sudo ./install.sh

Manual Installation

# Install dependencies (including zxcvbn)
pip3 install -r requirements.txt

# Copy to system directory
sudo cp -r . /opt/smeserver-password-app-corrected/

# Create and start service
sudo systemctl enable smeserver-password-corrected
sudo systemctl start smeserver-password-corrected

🎯 Usage

User Interface

  1. Access: http://your-server:5000
  2. Enter Credentials: Username and current password
  3. Set New Password: With real-time zxcvbn feedback
  4. Toggle Visibility: Use Show/Hide buttons

Admin Configuration

  1. Access Admin Panel: http://your-server:5000/admin
  2. Configure Each Type: Users, Admin, Ibays separately
  3. Select Strength Level: None, Normal, or Strong
  4. Apply Changes: Updates apply immediately

Database Configuration

# View current settings (correct structure)
db configuration show passwordstrength

# Set password strength levels
db configuration setprop passwordstrength Users strong
db configuration setprop passwordstrength Admin strong
db configuration setprop passwordstrength Ibays normal

# Verify changes
db configuration show passwordstrength

🔍 zxcvbn Validation Examples

Normal Strength (12+ chars, complexity)

  • MySecure123! - Valid
  • password123 - Missing uppercase and special char
  • MySecure! - Too short (less than 12 chars)

Strong Strength (Normal + zxcvbn validation)

  • MyUniqueP@ssw0rd2024 - Valid (zxcvbn score: 4/4)
  • MyPassword123! - Contains common word "Password" (zxcvbn score: 1/4)
  • Qwerty123456! - Keyboard pattern detected (zxcvbn score: 0/4)
  • MySecure123123! - Repeated sequence detected (zxcvbn score: 2/4)
  • testuser123! - Contains username "testuser" (zxcvbn score: 1/4)

🧪 Testing

Demo Mode

# Start demo application with zxcvbn
python3 demo_mode.py

# Access demo at http://localhost:5003
# Demo users: testuser/oldpassword123, admin/adminpass456, john/johnpass789

API Endpoints

  • POST /api/password-strength - Real-time zxcvbn validation
  • GET/POST /api/password-config - Manage strength settings for all account types
  • GET /health - Application health check with zxcvbn status
  • GET /demo-info - Demo mode information

📁 File Structure

smeserver-password-app-corrected/
├── app.py                    # Main Flask application (corrected)
├── smeserver_utils.py        # Corrected SME Server utilities
├── demo_mode.py             # Demo with correct DB structure
├── requirements.txt         # Dependencies including zxcvbn
├── install.sh              # Corrected installation script
├── templates/
│   ├── password_change.html # Enhanced password form
│   └── admin_panel.html     # Multi-account-type admin panel
├── static/
│   └── css/
│       └── style.css       # Enhanced styling
└── README.md               # This documentation

🔧 Configuration Examples

Database Structure Verification

# Check current structure
db configuration show passwordstrength

# Expected output:
# passwordstrength=configuration
#     Admin=strong
#     Ibays=strong
#     Users=strong

# Individual property access
db configuration getprop passwordstrength Users    # strong
db configuration getprop passwordstrength Admin    # strong
db configuration getprop passwordstrength Ibays    # strong

Strength Level Configuration

# Set different levels for different account types
db configuration setprop passwordstrength Users strong    # Users need strong passwords
db configuration setprop passwordstrength Admin strong    # Admins need strong passwords  
db configuration setprop passwordstrength Ibays normal    # Ibays use normal strength

# Apply configuration (if needed)
signal-event password-policy-update

🛡️ Security Features

zxcvbn Advanced Protection

  • 10,000+ Common Passwords: Blocked automatically
  • Keyboard Pattern Detection: qwerty, 123456, asdf, etc.
  • Dictionary Attack Protection: English words, names, places
  • Contextual Analysis: Considers username and personal info
  • Sequence Detection: Repeated patterns like "123123" or "abcabc"
  • Substitution Awareness: Detects "p@ssw0rd" style substitutions

Secure Implementation

  • Password Masking: Default hidden with optional visibility
  • Memory Clearing: Passwords cleared on page load
  • Input Validation: Server-side validation for all inputs
  • Error Handling: Secure error messages without information leakage

🔄 Migration from Previous Version

Database Structure Changes

  • Old: Single Passwordstrength property
  • New: Separate Users, Admin, Ibays properties
  • Migration: Automatic detection and warning if structure is incorrect

New Features Added

  • zxcvbn Integration: Professional password validation
  • Multi-Account Support: Separate settings for Users/Admin/Ibays
  • Enhanced Feedback: Detailed zxcvbn suggestions
  • Improved Admin Panel: Separate controls for each account type

🐛 Troubleshooting

Common Issues

  1. zxcvbn Not Available: Application falls back to basic validation
  2. Database Structure: Warns if passwordstrength structure is incorrect
  3. Permission Issues: Ensure proper file ownership and permissions
  4. Port Conflicts: Check if port 5000 is available

Debug Commands

# Check service status
systemctl status smeserver-password-corrected

# View logs
journalctl -u smeserver-password-corrected -f

# Test database connectivity
db configuration show passwordstrength

# Verify zxcvbn installation
python3 -c "import zxcvbn; print('zxcvbn available')"

# Test password validation
curl -X POST http://localhost:5000/api/password-strength \
  -H "Content-Type: application/json" \
  -d '{"password":"test123","username":"testuser"}'

📈 Performance

zxcvbn Performance

  • Memory Usage: ~60MB typical (includes zxcvbn dictionary)
  • Validation Speed: ~10-50ms per password check
  • Dictionary Size: ~30MB compressed password data
  • CPU Impact: Minimal for typical usage patterns

Optimizations

  • Client-side Caching: Password strength settings cached
  • Efficient Validation: zxcvbn optimized for real-time use
  • Minimal Dependencies: Only essential packages included
  • Database Caching: SME Server settings cached appropriately

📞 Support

Features Verified

  • Correct SME Server database structure (Users/Admin/Ibays)
  • External zxcvbn password validation library
  • Password visibility toggles for all fields
  • Real-time strength checking with zxcvbn feedback
  • Multi-account-type admin panel
  • Python 3.6.8 compatibility (no f-strings)
  • SME Server integration with proper signal-event calls
  • Professional password security with industry-standard validation

This corrected version provides enterprise-grade password management with the proper SME Server database integration and professional zxcvbn validation library.