Re: Password Quality checker



I would suggest a simple JavaScript or similar implementation that checks
for the complexity you are looking for. On our web apps at work it
doesn't let them submit the format to change their password unless it
meets the correct complexity requirements (min 8 chars and mix of
lowercase, uppercase, special character, numeric -- some even check the last
10 passwords to ensure no reuse).

You would want to implement something like this from when a user is first
given an account. When they log in they should be forced to change their
password and the script will not let them update and/or log in until they
have met the proper complexity requirements.

Steven
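
The form-side check described in the message above, as an added example that is not part of the original thread. `POLICY`, `checkPassword`, `guardSubmit` and the `matchesOld` callback are hypothetical names, and the reuse lookup is assumed to run server-side against stored hashes of earlier passwords.

```javascript
// Added example: policy values mirror the ones named in the message above.
const POLICY = {
  minLength: 8,
  classes: {
    lowercase: /\p{Ll}/u,
    uppercase: /\p{Lu}/u,
    numeric: /\p{Nd}/u,
    special: /[^\p{L}\p{N}\s]/u, // anything that is not a letter, digit or space
  },
  historyDepth: 10,
};

// Returns { ok, failures }. The candidate is never logged, stored or echoed
// back; only the names of the rules it failed leave this function.
function checkPassword(candidate, policy = POLICY, matchesOld = null) {
  const failures = [];
  // Count code points, not UTF-16 units, so one emoji is one character.
  if ([...candidate].length < policy.minLength) {
    failures.push(`min-length-${policy.minLength}`);
  }
  for (const [name, pattern] of Object.entries(policy.classes)) {
    if (!pattern.test(candidate)) failures.push(`missing-${name}`);
  }
  // Reuse check: matchesOld is a hypothetical server-side callback that
  // compares the candidate with the stored hashes of the last N passwords.
  if (matchesOld && matchesOld(candidate, policy.historyDepth)) {
    failures.push(`reused-within-last-${policy.historyDepth}`);
  }
  return { ok: failures.length === 0, failures };
}

// Hypothetical form hook: block submission until the policy is met.
function guardSubmit(event, candidate, matchesOld) {
  const result = checkPassword(candidate, POLICY, matchesOld);
  if (!result.ok) event.preventDefault();
  return result;
}
```

A browser-side check can be skipped by the client, so the same `checkPassword` call belongs in the server-side handler that accepts the password change.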


Hello Nic,

Thanks for the reply. I was looking for a tool for users to check
whether the passwords they choose meet the organization's policy. Not
a tool to test the strength of the existing passwords. Most likely a
web portal for them to enter the "potential" password, and the portal
will determine whether it meets the standards.

Rgds,
JW

At 08:48 AM 26/12/2006, Nic Stevens wrote:
You cannot check the quality of "Unix/Linux" passwords as it's a
one-way encryption so it must be done at the time the user (or
admin) sets the password. With PAM based authentication on *nix
there are ways of enforcing stronger password standards than the
default.
As far as Windows goes I have no experience with security.

-Nic


Johnny Wong wrote:
Hello all,

I was wondering if your organization deploys any password quality
checking tool to help users select policy-compliant passwords? Be
it web-based or client based. I am thinking what type of
requirements do you use to select such tools, and what are the
examples out there?

My thoughts:
1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows
GPO)
3) It should also work with Unix/Linux passwords

Thanks,
JW



--
Captain! We've been hit. The only damage so far is the self-destruct
mechanism which, apparently, has destroyed itself.

