[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Password scoring application wanted



> > Are there any off-line applications that score candidate passwords
> > - say by comparing to a dictionary, performing entropy estimates,
> > etc?  A numeric score would be better than an "accepted or rejected"
> > test.

Such programs exist. They are not hard to write, although they are easy
to write wrong.

> > Users should not be expected to invent new passwords on the spot,

Why not?

A certain class of users (happens to be the largest class) can't be
bothered with passwords, but that does not mean we should help them be
lazy.

> and
> > an application that they can run locally from CLI or GUI which scores
> > their attempts would help generate robust passwords.  Extra points if
> > the app. can be configured for the common types of password restrictions
> > (i.e., punctuation chars forbidden vs. punctuation chars mandatory),
> > or can coach users into generating (and remembering!) strong passwords.

And extra points if it prevents use of passwords too close to the
previous password(s), consults spelling dictionaries in several
languages and a cracker's dictionary or two, uses a good random source
when it generates random elements, asks the user for an initial phrase
to munge and allows the user to choose among several munging techniques,
etc. 

Yes, such things are available.

> > But I'll take what I can get.  The current practice of demanding and
> > testing passwords for immediate need is insecure and inhumane, and
> > "yes/no" acceptability testing is fascist and uninformative.  There
> > must be a better way.

(I want to point out that computers are fundamentally inhumane, but I'm
not sure that would help.)

> have you tried pwgen?  It's not exactly what you are asking for, but it's
> designed to create secure password that are still easy to memorize.

Why does the concept bug me? Why do I think that if it's machine
generated and easy to memorize it's going to be easy to brute force?

Anyway, helping the user at least set a password other than the typical
"password" sort of password will be sort of an improvement, at least for
a little while.

Sorry for the rant.

--
Joel Rees   <rees ddcom co jp>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]