bugfix: remove substitution and limit insertion

Fixes several bugs with finders by removing substitution finder (the leet speek finder is sufficient and limiting the insertion finder to 20% of the word.  Fixes: #33, #29, #26,

core/src/main/java/org/owasp/passfault/dictionary/InsertionStrategy.java

@@ -27,6 +27,7 @@
 public class InsertionStrategy implements DictionaryStrategy {
 
   public final static String NAME = "INSERTION";
+  private static final double SIZE_RATIO = 0.20; //no more thn 20% of the word can be special characters
 
   @Override
   public String getName() {
@@ -45,7 +46,7 @@ public InsertionStrategy(int allowedDifferences) {
 
   @Override
   public List<CandidatePattern> buildNextSubStrings(CandidatePattern subs, char c) {
-    LinkedList<CandidatePattern> list = new LinkedList<CandidatePattern>();
+    LinkedList<CandidatePattern> list = new LinkedList<>();
     InsertionContext context = subs.getDecorator(InsertionContext.class);
     if (context!=null){
       context.currentChar = c;
@@ -90,7 +91,8 @@ public boolean isMatch(CandidatePattern candidate) {
     } else {
       return (Character.isLetter(context.currentChar)) &&
           (context.count > 0) &&
-          (context.count <= this.allowedExtraCharacters);
+          (context.count <= this.allowedExtraCharacters) &&
+        ((double)context.count / candidate.getLength() < SIZE_RATIO);
     }
   }
 

core/src/main/java/org/owasp/passfault/dictionary/SubstitutionStrategy.java

@@ -13,15 +13,16 @@
 
 package org.owasp.passfault.dictionary;
 
+import org.owasp.passfault.RandomPattern;
+
 import java.util.LinkedList;
 import java.util.List;
 
-import org.owasp.passfault.RandomPattern;
-
 /**
  * SubstitutionStrategy defines a matching strategy where letters in a word
  * can be substituted by a special character or number.  
  * @author cam
+ * @deprecated this is replaced by the leet-substitution pattern finder and will likely be removed.
  */
 public class SubstitutionStrategy implements DictionaryStrategy {
 

core/src/main/java/org/owasp/passfault/dictionary/l337SubstitutionStrategy.java

@@ -105,7 +105,7 @@ public List<CandidatePattern> buildNextSubStrings(CandidatePattern subs, char c)
         //add the candidate for the next round
         list.add(newsubs);
 
-        //addvance the character in the context
+        //advance the character in the context
         l337Context newContext = newsubs.getDecorator(l337Context.class);
         char candidateLeetChar = newContext.currentLeetChar.normalChar;
         newContext.nextChar(c);

core/src/test/java/org/owasp/passfault/BuildFinders.java

@@ -58,7 +58,7 @@ public static ParallelFinder build(String baseResourcePath) throws IOException {
    * @deprecated This is a good place to replace with some dependency injection
    */
   public static Collection<PatternFinder> buildDictionaryFinders(String name, InputStream in) throws IOException {
-    List<PatternFinder> finders = new LinkedList<PatternFinder>();
+    List<PatternFinder> finders = new LinkedList<>();
 
     try {
       Reader dbWords = new InputStreamReader(in);
@@ -67,7 +67,6 @@ public static Collection<PatternFinder> buildDictionaryFinders(String name, Inpu
       finders.add(new DictionaryPatternsFinder(diction, new ExactWordStrategy()));
       finders.add(new DictionaryPatternsFinder(diction, new MisspellingStrategy(1)));
       finders.add(new DictionaryPatternsFinder(diction, new InsertionStrategy(2)));
-      finders.add(new DictionaryPatternsFinder(diction, new SubstitutionStrategy(1)));
       finders.add(new DictionaryPatternsFinder(diction, new l337SubstitutionStrategy()));
       finders.add(new ReverseDictionaryPatternFinder(diction, new ExactWordStrategy()));
     } catch (IOException ioe) {

core/src/test/java/org/owasp/passfault/dictionary/AugmentationFinderText.java → core/src/test/java/org/owasp/passfault/dictionary/InsertionFinderTest.java

@@ -19,70 +19,69 @@
 
 import static org.junit.Assert.assertEquals;
 
-public class AugmentationFinderText {
+public class InsertionFinderTest {
 
   private static DictionaryPatternsFinder finder;
 
   @BeforeClass
   public static void setUpBeforeClass() throws Exception {
     FileDictionary dictionary = FileDictionary.newInstance(TestWords.getTestFile(), "tiny-lower");
-    finder = new DictionaryPatternsFinder(dictionary, new InsertionStrategy(1));
+    finder = new DictionaryPatternsFinder(dictionary, new InsertionStrategy(5));
   }
 
   @Test
-  public void plain() throws Exception {
-    System.out.println("findWord");
-    MockPasswordResults p = new MockPasswordResults("wisp");
+  public void plain2() throws Exception {
+    MockPasswordResults p = new MockPasswordResults("trouble");
     finder.analyze(p);
     assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
-  public void numbersInFront() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("1wisp");
+  public void plain() throws Exception {
+    MockPasswordResults p = new MockPasswordResults("wisp");
     finder.analyze(p);
     assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
-  public void numbersInBack() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("wisp1");
+  public void findWord() throws Exception {
+    MockPasswordResults p = new MockPasswordResults("trou$ble");
     finder.analyze(p);
-    assertEquals(0, p.getPossiblePatternCount());
+    assertEquals(2, p.getPossiblePatternCount());
   }
 
   @Test
-  public void findWord() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("wi3sp");
+  public void tooMany() throws Exception {
+    MockPasswordResults p = new MockPasswordResults("t$r$o$u$b$l$e");
     finder.analyze(p);
-    assertEquals(1, p.getPossiblePatternCount());
+    assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
   public void garbageInFront() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("xxxxwi6sp");
+    MockPasswordResults p = new MockPasswordResults("xxxxtrou-ble");//wasp, asp, wisp, was
     finder.analyze(p);
-    assertEquals(1, p.getPossiblePatternCount());
+    assertEquals(2, p.getPossiblePatternCount());
   }
 
   @Test
   public void garbageInBack() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("wi1spxxxx");
+    MockPasswordResults p = new MockPasswordResults("troub!lexxxx");//wasp, asp, wisp, was
     finder.analyze(p);
-    assertEquals(1, p.getPossiblePatternCount());
+    assertEquals(2, p.getPossiblePatternCount());
   }
 
   @Test
   public void findNonWord() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("qqq");
+    MockPasswordResults p = new MockPasswordResults("qqq123");
     finder.analyze(p);
     assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
   public void findMultiWords() throws Exception {
-    MockPasswordResults p = new MockPasswordResults("wi3spwi3sp");
+    MockPasswordResults p = new MockPasswordResults("tr-oubletro+uble");//wasp, asp, wisp, was *2
     finder.analyze(p);
-    assertEquals(2, p.getPossiblePatternCount());
+    assertEquals(4, p.getPossiblePatternCount());
   }
 }

core/src/test/java/org/owasp/passfault/dictionary/SubstitutionFinderTest.java

@@ -34,65 +34,55 @@ public static void setUpBeforeClass() throws Exception {
 
   @Test
   public void plain2() throws Exception {
-    System.out.println("findWord");
     MockPasswordResults p = new MockPasswordResults("password");
     finder.analyze(p);
     assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
   public void plain() throws Exception {
-    System.out.println("findWord");
     MockPasswordResults p = new MockPasswordResults("wisp");
     finder.analyze(p);
     assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
   public void findWord() throws Exception {
-    System.out.println("findWord");
     MockPasswordResults p = new MockPasswordResults("w1sp");//wasp, asp, wisp, was
     finder.analyze(p);
     assertEquals(4, p.getPossiblePatternCount());
   }
 
   @Test
   public void garbageInFront() throws Exception {
-    System.out.println("garbageinfront");
     MockPasswordResults p = new MockPasswordResults("xxxxw1sp");//wasp, asp, wisp, was
     finder.analyze(p);
     assertEquals(4, p.getPossiblePatternCount());
   }
 
   @Test
   public void garbageInBack() throws Exception {
-
-    System.out.println("garbageinback");
     MockPasswordResults p = new MockPasswordResults("w1spxxxx");//wasp, asp, wisp, was
     finder.analyze(p);
     assertEquals(4, p.getPossiblePatternCount());
   }
 
   @Test
   public void findNonWord() throws Exception {
-    System.out.println("findNonWord");
-
     MockPasswordResults p = new MockPasswordResults("qqq123");
     finder.analyze(p);
     assertEquals(0, p.getPossiblePatternCount());
   }
 
   @Test
   public void findMultiWords() throws Exception {
-    System.out.println("findMultiWords");
     MockPasswordResults p = new MockPasswordResults("w1spw1sp");//wasp, asp, wisp, was *2
     finder.analyze(p);
     assertEquals(8, p.getPossiblePatternCount());
   }
 
   @Test
   public void testLength() throws Exception {
-    System.out.println("findMultiWords");
     MockPasswordResults p = new MockPasswordResults("runr&n");//run, ran,
     finder.analyze(p);
     List<PasswordPattern> patterns = p.getFoundPatterns();

jsonService/src/main/webapp/beta.html

@@ -11,12 +11,11 @@
 <div class="sign blue welcome center">
 	<div class="innerWelcome">
 		<div>Welcome to OWASP</div>
-		<div class="center"><img src="img/passfault-blue.png"></img></div>
-		<div class="subWelcome">Paving the road to</div>
-		<div class="subWelcome">secure passwords</div>
+		<div class="center"><img src="img/passfault-blue.png"/></div>
+        <div class="subWelcome">Do Passwords Better</div>
 	</div>
 </div>
-<div class="elevatorPitch">Because passwords can be less annoying, and more intuitive.</div>
+<div class="elevatorPitch">Because passwords can be less annoying</div>
 <div id="menu" class="navigation medium center">
 	<a href="passwords.html#menu"><div class="navsign green">What</div></a>
 	<a href="why.html#menu"><div class="navsign green">Why</div></a>

jsonService/src/main/webapp/password_evaluation.html

@@ -13,11 +13,9 @@
 	<div class="innerWelcome">
 		<div>Welcome to OWASP</div>
 		<div class="center"><img src="img/passfault-blue.png"/></div>
-		<div class="subWelcome">Paving the road to</div>
-		<div class="subWelcome">secure passwords</div>
-	</div>
+        <div class="subWelcome">Do Passwords Better</div>	</div>
 </div>
-<div class="elevatorPitch">Because passwords can be less annoying, and more intuitive.</div>
+<div class="elevatorPitch">Because passwords can be less annoying</div>
 <div id="menu" class="navigation medium center">
 	<a href="passwords.html#menu"><div class="navsign green">What</div></a>
 	<a href="why.html#menu"><div class="navsign green">Why</div></a>

jsonService/src/main/webapp/password_policy.html

@@ -15,11 +15,9 @@
 	<div class="innerWelcome">
 		<div>Welcome to OWASP</div>
 		<div class="center"><img src="img/passfault-blue.png"/></div>
-		<div class="subWelcome">Paving the road to</div>
-		<div class="subWelcome">secure passwords</div>
-	</div>
+        <div class="subWelcome">Do Passwords Better</div>	</div>
 </div>
-<div class="elevatorPitch">Because passwords can be less annoying, and more intuitive.</div>
+<div class="elevatorPitch">Because passwords can be less annoying</div>
 <div id="menu" class="navigation medium center">
 	<a href="passwords.html#menu"><div class="navsign green">What</div></a>
 	<a href="why.html#menu"><div class="navsign green">Why</div></a>

jsonService/src/main/webapp/password_strength.html

@@ -74,11 +74,10 @@
 	<div class="innerWelcome">
 		<div>Welcome to OWASP</div>
 		<div class="center"><img src="img/passfault-blue.png"/></div>
-		<div class="subWelcome">Paving the road to</div>
-		<div class="subWelcome">secure passwords</div>
+		<div class="subWelcome">Do Passwords Better</div>
 	</div>
 </div>
-<div class="elevatorPitch">Because passwords can be less annoying, and more intuitive.</div>
+<div class="elevatorPitch">Because passwords can be less annoying</div>
 <div id="menu" class="navigation medium center">
 	<a href="passwords.html#menu"><div class="navsign green">What</div></a>
 	<a href="why.html#menu"><div class="navsign green">Why</div></a>

jsonService/src/main/webapp/passwords.html

@@ -13,12 +13,11 @@
 <div class="sign blue welcome center">
 	<div class="innerWelcome">
 		<div>Welcome to OWASP</div>
-		<div class="center"><img src="img/passfault-blue.png"></img></div>
-		<div class="subWelcome">Paving the road to</div>
-		<div class="subWelcome">secure passwords</div>
+		<div class="center"><img src="img/passfault-blue.png"/></div>
+        <div class="subWelcome">Do Passwords Better</div>
 	</div>
 </div>
-<div class="elevatorPitch">Because passwords can be less annoying, and more intuitive.</div>
+<div class="elevatorPitch">Because passwords can be less annoying</div>
 <div id="menu" class="navigation medium center">
 	<a href="passwords.html#menu"><div class="navsign green">What</div></a>
 	<a href="why.html#menu"><div class="navsign green">Why</div></a>

jsonService/src/main/webapp/welcome.txt

@@ -2,11 +2,10 @@
 	<div class="innerWelcome">
 		<div>Welcome to OWASP</div>
 		<div class="center"><img src="img/passfault-blue.png"></img></div>
-		<div class="subWelcome">Paving the road to</div>
-		<div class="subWelcome">secure passwords</div>
+		<div class="subWelcome">Do Passwords Better</div>
 	</div>
 </div>
-<div class="elevatorPitch">Because passwords can be less annoying, and more intuitive.</div>
+<div class="elevatorPitch">Because passwords can be less annoying</div>
 <div id="menu" class="navigation medium center">
 	<a href="passwords.html#menu"><div class="navsign green">What</div></a>
 	<a href="why.html#menu"><div class="navsign green">Why</div></a>