Password strength meter
Stefan Winter
mail at stefan-winter.de
Sat Oct 30 09:58:02 BST 2004
Hi!
> > This computation should be fast... but is it relevant enough? Should we
> > add checks against a dictionary? (ok would be far slower...
>
> It would still be an acceptable delay from the user's point of view.
> agrep'ing against a dictionary is pretty fast.
A real dictionary check is not a sufficient solution in my opinion. Users
sometimes write two words as one to have a non-dictionary word. This does
increase security for sure, but not very much. Think of the password
"coolpass" or something like that. A dictionary check wouldn't discover it as
lousy, but it sure is (especially since cracker tools sometimes try exactly
this: combining multiple words of their dictionary).
My thoughts go in the direction of a really simple heuristic that detects
anything that is "close to" a word. I'd say check for "is it a series of
letters that has no more than 4 consonants in a row with vowels between".
Faster than grepping and it would detect "coolpass", "damnloud" and the like.
The count of four is a bit arbitrary and just an estimate of mine (I was
thinking of the word "Schwert" (sword) in German, which is a real dictionary
word and really should be detected). There might be longer series of
consonants, then the value should be higher.
Greetings,
Stefan Winter
--
This mail is guaranteed to be virus free because it was sent from a computer
running Linux.
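
The heuristic proposed in the message above, written out as an added example (not code from the mail or from KDE). Assumptions: ASCII letters only, the vowels are a/e/i/o/u, the function name `looksWordLike` is hypothetical, and "Angstschweiss" is a constructed sample showing why the limit of four may need raising.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Returns true when the password is "close to" a word and should be rated weak:
// letters only, at least one vowel, and no consonant run longer than the limit.
// Assumed here (not stated in the mail): vowels are a/e/i/o/u, ASCII input.
bool looksWordLike(const std::string& password, int maxConsonantRun = 4) {
    if (password.empty()) return false;
    const std::string vowels = "aeiou";
    int run = 0;            // length of the current consonant run
    bool sawVowel = false;
    for (unsigned char c : password) {
        if (!std::isalpha(c)) return false;   // digit or symbol: not a pure letter series
        char lower = static_cast<char>(std::tolower(c));
        if (vowels.find(lower) != std::string::npos) {
            sawVowel = true;
            run = 0;                          // a vowel ends the consonant run
        } else if (++run > maxConsonantRun) {
            return false;                     // too many consonants in a row
        }
    }
    return sawVowel;        // "with vowels between": require at least one vowel
}

int main() {
    // Constructed sample passwords.
    const char* samples[] = {"coolpass", "damnloud", "Schwert",
                             "c00lpass", "xkcdqrtv", "Angstschweiss"};
    for (const char* s : samples)
        std::cout << s << " -> "
                  << (looksWordLike(s) ? "word-like (weak)" : "not flagged") << "\n";
    // A higher limit catches words with longer consonant clusters.
    std::cout << "Angstschweiss, limit 8 -> "
              << (looksWordLike("Angstschweiss", 8) ? "word-like (weak)" : "not flagged")
              << "\n";
    return 0;
}
```

A password that is not flagged here is not thereby strong; the check only catches the concatenated-word case a plain dictionary lookup misses.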