batchu / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

FileBasedAuthenticator should ensure user does not have password set equal to their username #108

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
It appears that no method within
org.owasp.esapi.reference.FileBasedAuthenticator class ensures that when a
user is created or updated, that their password is not the same as their
username.

For example, if a user is created with the username MarcinIsNumber1!, the user can still
set their password to the same value, as it would still pass the
verifyPasswordStrength check.

Solution: Add a check to validate that the user's password is not equal to their
username.

Original issue reported on code.google.com by marcin.w...@gmail.com on 10 Feb 2010 at 3:09

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:38

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:59

GoogleCodeExporter commented 8 years ago
Made an update to add another small private method, called from wherever
verifyPasswordStrength is called, that validates the password != account name.
Made a separate method to not break the existing public verifyPasswordStrength
API, especially since the API is intended to change soon to be based on
credential, not just username/password. Also added a test to AuthenticatorTest
to verify the change worked, and reran all tests - all passed.

Original comment by jtmel...@gmail.com on 4 Nov 2010 at 3:29

GoogleCodeExporter commented 8 years ago
Based on the recommendation of the team, went back, removed the method mentioned above, and
changed the verifyPasswordStrength method signature to add a User object as an argument.

See http://code.google.com/p/owasp-esapi-java/source/detail?r=1656

Original comment by jtmel...@gmail.com on 17 Nov 2010 at 4:28
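The check this issue asks for, as an added example that is not ESAPI's own code: a hypothetical verifyPasswordStrength(oldPassword, newPassword, user) in the shape described in the last comment, which rejects a password equal to the account name before the usual complexity rules run. It compares case-insensitively, which goes slightly beyond the plain equality test discussed in the thread; the User and AuthenticationException types are assumed stand-ins, not ESAPI's.

```java
public final class PasswordPolicyExample {
    /** Hypothetical minimal user type carrying only the account name (not ESAPI's User). */
    public static final class User {
        private final String accountName;
        public User(String accountName) { this.accountName = accountName; }
        public String getAccountName() { return accountName; }
    }
    /** Thrown when a candidate password violates the policy (stand-in for ESAPI's exception). */
    public static final class AuthenticationException extends Exception {
        public AuthenticationException(String msg) { super(msg); }
    }
    private static final int MIN_LENGTH = 8;

    /** Mirrors the (oldPassword, newPassword, user) shape from the last comment; not ESAPI's code. */
    public static void verifyPasswordStrength(String oldPassword, String newPassword, User user)
            throws AuthenticationException {
        if (newPassword == null || user == null || user.getAccountName() == null) {
            throw new AuthenticationException("Invalid password or user");
        }
        // The check this issue asked for: the password must not be the account name.
        // Compared case-insensitively, which is stricter than the plain != in the thread.
        if (newPassword.equalsIgnoreCase(user.getAccountName())) {
            throw new AuthenticationException("Password must not equal the account name");
        }
        if (oldPassword != null && newPassword.equals(oldPassword)) {
            throw new AuthenticationException("New password must differ from the old one");
        }
        if (newPassword.length() < MIN_LENGTH) {
            throw new AuthenticationException("Password must be at least " + MIN_LENGTH + " characters");
        }
        // Complexity: require at least three of four character classes.
        int classes = 0;
        if (newPassword.chars().anyMatch(Character::isLowerCase)) classes++;
        if (newPassword.chars().anyMatch(Character::isUpperCase)) classes++;
        if (newPassword.chars().anyMatch(Character::isDigit)) classes++;
        if (newPassword.chars().anyMatch(c -> !Character.isLetterOrDigit(c))) classes++;
        if (classes < 3) {
            throw new AuthenticationException("Password needs at least three character classes");
        }
    }

    public static void main(String[] args) {
        User u = new User("MarcinIsNumber1!");
        try {
            verifyPasswordStrength(null, "MarcinIsNumber1!", u); // passes complexity, fails the new check
        } catch (AuthenticationException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```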