Password strength meter

Stefan Winter
Sat Oct 30 09:58:02 BST 2004


> > This computation should be fast... but is it relevant enough? Should we
> > add checks against a dictionary? (ok would be far slower...
> It would still be an acceptable delay from the user's point of view. 
> agrep'ing against a dictionary is pretty fast.

A real dictionary check is not a sufficient solution in my opinion. Users 
sometimes write two words as one to have a non-dictionary word. This does 
increase security for sure, but not very much. Think of the password 
"coolpass" or something like that. A dictionary check wouldn't discover it as 
lousy, but it sure is (especially since cracker tools sometimes try exactly 
this: combining multiple words of their dictionary).
My thoughts go in the direction of a really simple heuristic that detects 
anything that is "close to" a word. I'd say check for "is it a series of 
letters that has no more than 4 consonants in a row with vowels between". 
Faster than grepping, and it would detect "coolpass", "damnloud" and the like.
The count of four is a bit arbitrary and just an estimate of mine (I was 
thinking of the word "Schwert" (sword) in German, which is a real dictionary 
word and really should be detected). There might be longer series of 
consonants; then the value should be higher.


Stefan Winter

This mail is guaranteed to be virus free because it was sent from a computer 
running Linux.
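The consonant-run heuristic proposed above, written out as an added example (not code from the mail or from any KDE component). It treats only a-e-i-o-u as vowels and uses the mail's estimate of four as the run limit; both are assumptions, and the second test below shows the caveat the mail raises, since an English word with a five-consonant run slips past the limit.

```python
VOWELS = frozenset("aeiou")
# Limit taken from the mail: "no more than 4 consonants in a row".
# Words such as "strengths" (run of 5) need a higher value to be caught.
MAX_CONSONANT_RUN = 4


def longest_consonant_run(word):
    """Return the length of the longest stretch of consecutive consonants."""
    run = best = 0
    for ch in word:
        if ch in VOWELS:
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_like_words(candidate):
    """True when the candidate is a plain series of letters, contains at
    least one vowel, and never exceeds MAX_CONSONANT_RUN consonants in a row.
    Such strings are pronounceable, i.e. "close to" one or more words,
    exactly the kind of password ("coolpass", "damnloud") the mail flags."""
    s = candidate.lower()
    if not (s.isascii() and s.isalpha()):
        return False            # digits/symbols: not a pure letter series
    if not any(ch in VOWELS for ch in s):
        return False            # no vowels at all: cannot be word-like
    return longest_consonant_run(s) <= MAX_CONSONANT_RUN


def rate(candidate):
    """Meter verdict for one password."""
    return "word-like (weak)" if looks_like_words(candidate) else "not word-like"


if __name__ == "__main__":
    # Constructed sample passwords, including the mail's own examples.
    for pw in ["coolpass", "damnloud", "Schwert", "strengths", "zxqtwrl", "c00lpass"]:
        print(f"{pw:10s} run={longest_consonant_run(pw.lower())}  {rate(pw)}")
```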

More information about the kde-core-devel mailing list