Password strength meter

Simon Edwards simon at simonzone.com
Sat Oct 30 11:18:10 BST 2004


On Saturday 30 October 2004 10:58, Stefan Winter wrote:
> > > This computation should be fast... but is it relevant enough? Should we
> > > add checks against a dictionary? (ok would be far slower...
> > 
> > It would still be an acceptable delay from the user's point of view. 
> > agrep'ing against a dictionary is pretty fast.
> A real dictionary check is not a sufficient solution in my opinion. Users 
> sometimes write two words as one to have a non-dictionary word.

Real dictionaries are woefully inadequate for this kind of job. You need to be 
comparing against 'real' password lists. Lists of things like people's names, 
sporting teams, car names etc etc etc.

To implement this feature half properly you would have to have a look at a 
real password cracker and see what it checks first. The 1st round is usually 
a check against the login name and account details. The 2nd is typically 
a check against the wordlists. The following rounds check for things 
like leet-speak versions of the wordlists (pa55w0rd) etc, and the wordlists 
plus a number (password100) etc.

The big question of course is, how much checking is enough? or too much? I 
personally think that only checking against /usr/share/dict/words provides a 
false sense of security. (especially considering family member names are not 
going to be on that list, for example).

cheers,

-- 
Simon Edwards             | Guarddog Firewall
simon at simonzone.com       | http://www.simonzone.com/software/
Nijmegen, The Netherlands | "ZooTV? You made the right choice."
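The rounds Simon lists above (account details, wordlist, leet-speak variants, wordlist plus a number), written out as an added Python example. This is not code from the thread or from KDE, and it is not a real cracker: the WORDLIST, the ACCOUNT record and the LEET table are constructed for illustration. It goes one step beyond the message by adding a fifth round for the case Stefan raised, two wordlist entries written as one word.

```python
"""Cracker-style password check.

Added example for this thread (not code from kde-core-devel or from any
real cracker): reject a candidate password if it would fall in one of the
early rounds a password cracker runs.  WORDLIST and ACCOUNT are constructed.
"""
import re
from typing import Dict, Optional, Set

# Constructed stand-in for a real cracker wordlist: not /usr/share/dict/words,
# but people's names, sporting teams, car names and common passwords.
WORDLIST = frozenset({
    "password", "letmein", "qwerty", "welcome", "dragon", "secret",
    "michael", "jennifer", "thomas", "sarah",        # people's names
    "arsenal", "ajax", "yankees", "lakers",          # sporting teams
    "ferrari", "porsche", "toyota", "honda",         # car names
    "football", "summer", "winter", "monkey",
})

# Constructed account record; round 1 is checked against every word in it.
ACCOUNT: Dict[str, str] = {
    "login": "jdoe",
    "name": "Jane Doe",
    "email": "jane.doe@example.org",
}

# Substitutions a cracker undoes to turn "pa55w0rd" back into "password".
# "1" is mapped to "i" here; a real cracker would try "l" as well.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l", "+": "t"}


def de_leet(s: str) -> str:
    """Undo leet-speak substitutions character by character."""
    return "".join(LEET.get(ch, ch) for ch in s)


def strip_affix(s: str) -> str:
    """Drop leading/trailing digit or symbol runs: "password100" -> "password"."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)


def account_tokens(account: Dict[str, str]) -> Set[str]:
    """Lower-cased words (3+ chars) from the account details, plus reversals."""
    tokens: Set[str] = set()
    for value in account.values():
        for tok in re.split(r"[^a-z0-9]+", value.lower()):
            if len(tok) >= 3:
                tokens.add(tok)
                tokens.add(tok[::-1])
    return tokens


def crack_round(password: str, account: Dict[str, str]) -> Optional[int]:
    """Return the round in which a cracker would recover `password`, or None."""
    pw = password.lower()
    base = de_leet(strip_affix(pw))           # "Pa55w0rd100" -> "password"

    # Round 1: login name and account details, in plain, de-leeted or
    # number-stripped form (and reversed, via account_tokens).
    forms = {pw, strip_affix(pw), de_leet(pw), base} - {""}
    if forms & account_tokens(account):
        return 1
    # Round 2: the wordlist itself.
    if pw in WORDLIST:
        return 2
    # Round 3: leet-speak versions of the wordlist (pa55w0rd).
    if de_leet(pw) in WORDLIST:
        return 3
    # Round 4: wordlist entries plus a number or symbol (password100).
    if base in WORDLIST:
        return 4
    # Round 5: two wordlist entries written as one word (footballwinter).
    for i in range(3, len(base) - 2):
        if base[:i] in WORDLIST and base[i:] in WORDLIST:
            return 5
    return None


def verdict(password: str, account: Dict[str, str] = ACCOUNT) -> str:
    """Human-readable result for a strength meter."""
    r = crack_round(password, account)
    return "acceptable" if r is None else f"rejected: cracked in round {r}"


if __name__ == "__main__":
    for pw in ["jane1985", "password", "pa55w0rd", "Password100",
               "footballwinter", "Tr0ub4dor&3"]:
        print(f"{pw:16} {verdict(pw)}")
```

The order of the rounds matters: round 4 strips the trailing number before undoing leet-speak, because de-leeting "password100" first would turn the "1" and "0" into letters and hide the wordlist entry. The wordlist here is a few dozen entries; against a real cracker list of hundreds of thousands of entries the same checks stay cheap because every round is a set lookup, which is the point being made about the delay being acceptable.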




More information about the kde-core-devel mailing list