Password strength meter
Simon Edwards
simon at simonzone.com
Sat Oct 30 11:18:10 BST 2004
On Saturday 30 October 2004 10:58, Stefan Winter wrote:
> > > This computation should be fast... but is it relevant enough? Should we
> > > add checks against a dictionary? (ok would be far slower...
> >
> > It would still be an acceptable delay from the user's point of view.
> > agrep'ing against a dictionary is pretty fast.
> A real dictionary check is not a sufficient solution in my opinion. Users
> sometimes write two words as one to have a non-dictionary word.
Real dictionaries are woefully inadequate for this kind of job. You need to be
comparing against 'real' password lists. Lists of things like people's names,
sporting teams, car names etc etc etc.
To implement this feature half properly you would have to have a look at a
real password cracker and see what it checks first. The 1st round is usually
a check against the login name and account details. The 2nd is typically
a check against the wordlists. The following rounds check for things
like leet-speak versions of the wordlists (pa55w0rd) etc, and the wordlists
plus a number (password100) etc.
The big question of course is, how much checking is enough? Or too much? I
personally think that only checking against /usr/share/dict/words provides a
false sense of security (especially considering family member names are not
going to be on that list, for example).
cheers,
--
Simon Edwards | Guarddog Firewall
simon at simonzone.com | http://www.simonzone.com/software/
Nijmegen, The Netherlands | "ZooTV? You made the right choice."
More information about the kde-core-devel mailing list
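The cracker-ordered checking Simon describes (login name and account details first, then the wordlists, then leet-speak and word-plus-number variants), written out as an added example. This is not code from the kde-core-devel thread or from KDE; the wordlist, the login name and the full name are constructed stand-ins, and the fourth round (two wordlist words written as one, which Stefan raised) goes one step beyond the rounds listed in the message.

```python
import re

# Constructed stand-in for "real" password lists: common passwords,
# people's names, sporting teams, car names. A real check would load
# far larger lists; /usr/share/dict/words alone would miss the names.
WORDLIST = {
    "password", "letmein", "qwerty",      # common passwords
    "michael", "jennifer", "simon",       # first names
    "arsenal", "ajax",                    # sporting teams
    "ferrari", "porsche",                 # car names
}

# Leet-speak substitutions a cracker undoes before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits/punctuation that users bolt onto a word: password100, arsenal!
_TRAILING = re.compile(r"[0-9!?.*#]+$")


def mangle_forms(candidate):
    """Normalised forms a cracker would try for one candidate password."""
    base = candidate.lower()
    forms = {base, _TRAILING.sub("", base)}        # password100 -> password
    forms |= {f.translate(LEET) for f in forms}    # pa55w0rd -> password
    return forms


def account_tokens(login, full_name):
    """Tokens a cracker derives from the login name and account details."""
    tokens = {login.lower()}
    tokens.update(part.lower() for part in re.split(r"\W+", full_name) if part)
    tokens.update(t[::-1] for t in set(tokens))    # reversed login is a classic
    return tokens


def crack_round(password, login, full_name, wordlist=WORDLIST):
    """Return (round, reason) for the first cheap cracker round that finds
    the password, or None if none of them does."""
    forms = mangle_forms(password)

    # Round 1: login name and account details (no wordlist needed at all).
    hits = forms & account_tokens(login, full_name)
    if hits:
        return 1, "derived from login or account details: %s" % sorted(hits)[0]

    # Round 2: straight wordlist lookup.
    if password.lower() in wordlist:
        return 2, "wordlist entry"

    # Round 3: leet-speak and word+number variants of wordlist entries.
    hits = forms & wordlist
    if hits:
        return 3, "mangled wordlist entry: %s" % sorted(hits)[0]

    # Round 4 (beyond the message's list): two wordlist words joined as one.
    for f in forms:
        for i in range(1, len(f)):
            if f[:i] in wordlist and f[i:] in wordlist:
                return 4, "two wordlist words joined: %s+%s" % (f[:i], f[i:])

    return None


if __name__ == "__main__":
    # Constructed account: login "sedwards", full name "Simon Edwards".
    for pw in ["Simon2004", "Password", "pa55w0rd", "Jennifer1",
               "arsenalferrari", "correct horse battery"]:
        print("%-22s -> %s" % (pw, crack_round(pw, "sedwards", "Simon Edwards")))
```

The order matters for the meter's message as much as for speed: a password that falls in round 1 is weak regardless of how long it is, and "Jennifer1" is only caught because a names list is in play, which is the point about /usr/share/dict/words above.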