Skip to content

Commit 3f7a86d

Browse files
remibergsmaremibergsma
committed
Merge pull request #1058 from greenqloud/pr/password_security
Shuffling the password to avoid having a subset of characters in fixed positions.Related to CLOUDSTACK-9052. I am shuffling the characters in the password, to avoid having a certain char type in fixed positions. I modified the tests accordingly to only check that the different character types are present. I think it would be good to remove the hard requirement to have at least one of digits, upper-case, and lowercase chars, as it reduces the number of possible combinations passwords can take. What do you think? * pr/1058: CLOUDSTACK-9052 Shuffling the password to avoid having a subset of characters in fixed positions. Signed-off-by: Remi Bergsma <github@remi.nl>
2 parents 7a77ddc + 52ccfaa commit 3f7a86d

2 files changed

Lines changed: 48 additions & 16 deletions

File tree

utils/src/main/java/com/cloud/utils/PasswordGenerator.java

Lines changed: 17 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@
2020
package com.cloud.utils;
2121

2222
import java.security.SecureRandom;
23+
import java.util.ArrayList;
24+
import java.util.Collections;
25+
import java.util.List;
2326
import java.util.Random;
2427

2528
/**
@@ -48,14 +51,19 @@ public static String generateRandomPassword(int num) {
4851
password.append(generateAlphaNumeric(r));
4952
}
5053
} else {
51-
// Generate random 3-character string with a lowercase character,
52-
// uppercase character, and a digit
53-
password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));
54-
55-
// Generate a random n-character string with only lowercase
56-
// characters
57-
for (int i = 0; i < num - 3; i++) {
58-
password.append(generateLowercaseChar(r));
54+
List<Character> passwordChars = new ArrayList<Character>();
55+
passwordChars.add(generateLowercaseChar(r));
56+
passwordChars.add(generateUppercaseChar(r));
57+
passwordChars.add(generateDigit(r));
58+
59+
for (int i = passwordChars.size(); i < num; i++) {
60+
passwordChars.add(generateAlphaNumeric(r));
61+
}
62+
63+
Collections.shuffle(passwordChars, new SecureRandom());
64+
65+
for (char c : passwordChars) {
66+
password.append(c);
5967
}
6068
}
6169

@@ -87,4 +95,5 @@ public static String generatePresharedKey(int numChars) {
8795
return psk.toString();
8896

8997
}
98+
9099
}

utils/src/test/java/com/cloud/utils/PasswordGeneratorTest.java

Lines changed: 31 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -30,13 +30,36 @@ public void generateRandomPassword() {
3030
Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 3);
3131
Assert.assertTrue(PasswordGenerator.generateRandomPassword(5).length() == 5);
3232
String password = PasswordGenerator.generateRandomPassword(8);
33-
// TODO: this might give more help to bruteforcing than desired
34-
// the actual behavior is that the first character is a random lowercase
35-
// char
36-
Assert.assertTrue(Character.isLowerCase(password.charAt(0)));
37-
// the second character is a random upper case char
38-
Assert.assertTrue(Character.isUpperCase(password.charAt(1)));
39-
// and the third is a digit
40-
Assert.assertTrue(Character.isDigit(password.charAt(2)));
33+
34+
Assert.assertTrue(containsDigit(password));
35+
Assert.assertTrue(containsLowercase(password));
36+
Assert.assertTrue(containsUppercase(password));
37+
}
38+
39+
private boolean containsUppercase(String password) {
40+
for (char c : password.toCharArray()) {
41+
if (Character.isUpperCase(c)) {
42+
return true;
43+
}
44+
}
45+
return false;
46+
}
47+
48+
private boolean containsLowercase(String password) {
49+
for (char c : password.toCharArray()) {
50+
if (Character.isLowerCase(c)) {
51+
return true;
52+
}
53+
}
54+
return false;
55+
}
56+
57+
private boolean containsDigit(String password) {
58+
for (char c : password.toCharArray()) {
59+
if (Character.isDigit(c)) {
60+
return true;
61+
}
62+
}
63+
return false;
4164
}
4265
}

0 commit comments

Comments
 (0)