Virgin Media blocks 'wankers' from permissible passwords

VinceH

Re: Optimisation missing

"Since it's doing substring matching there's no need to include both "poof" and "poofter", "shit" and "shite" etc. (Incidentally there are several three-letter strings there which will also match all sorts of innocuous stuff)"

Actually, El Reg's report has that a little wrong. In the article, they've said:

"And while we're forced to agree that “bollocks” is far too weak a word to use as a password, the code is clear that you can't even use bollocks within a password: if (password.match(/\s+/g,'')) then you'll get marked down."

Well, that quoted line:

if (password.match(/\s+/g,''))

Is actually checking for whitespace.

The list of naughty words is done next, by first putting them in an array (badpassarray) and then turning that array into a single string, with each word separated by a vertical bar:

var re = new RegExp(badPassArray.join("|"), "i");

It's then using this:

return(pwd.match(re) != null);

To return true if the password is contained in the list, false if it isn't.

(So it is checking for substrings, but in exactly the opposite way that the report says. AFAICS. So 'scunthorpe' is a perfectly acceptable password to that bunch of silly scunthorpes at Virgin Media.)
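The three snippets quoted in the comment above can be run directly to see what each one tests. This is an added example, not part of the original comment or of Virgin Media's code: the word list is a constructed three-word sample taken from words quoted on this page, and the function names and the anchored variant are hypothetical, included only for comparison.

```javascript
// Constructed sample list: three of the words quoted on this page.
const badPassArray = ["poof", "shit", "bollocks"];

// The whitespace test as quoted. String.prototype.match takes a single
// argument, so the trailing '' in the quoted call is ignored.
function hasWhitespace(password) {
  return password.match(/\s+/g) !== null;
}

// The quoted construction: join("|") builds the unanchored alternation
// /poof|shit|bollocks/i, which matches when any listed word occurs
// anywhere inside the password.
function matchesUnanchored(pwd) {
  const re = new RegExp(badPassArray.join("|"), "i");
  return pwd.match(re) != null;
}

// Hypothetical variant for comparison: escape regex metacharacters in each
// word and anchor with ^...$ so only a password that IS a listed word matches.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function matchesWholePassword(pwd) {
  const alternation = badPassArray.map(escapeRegExp).join("|");
  return new RegExp("^(?:" + alternation + ")$", "i").test(pwd);
}

// Constructed sample passwords.
for (const pwd of ["bollocks", "MyBollocks99", "spoofing2024", "pass word"]) {
  console.log(JSON.stringify(pwd), {
    whitespace: hasWhitespace(pwd),
    unanchored: matchesUnanchored(pwd),
    wholeOnly: matchesWholePassword(pwd),
  });
}
```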
