Alex Moore
2006-Aug-04 06:40 UTC
[Rails] Password Strength Meter, Password Strength Validation
Has anyone seen or created a password strength meter, or password strength validator (like at hotmail's sign up)? Examples would be great!
Jim Cheetham
2006-Aug-06 09:04 UTC
[Rails] Password Strength Meter, Password Strength Validation
On Fri, Aug 04, 2006 at 04:10:20PM +0930, Alex Moore wrote:
> Has anyone seen or created a password strength meter, or password strength validator (like at hotmail's sign up)?

There's one in the KeePass program (http://keepass.sf.net) that's open sourced; however I'm a little suspicious of its assumptions around the bit-length calculations, as it won't be able to understand the effective size of the character-set used when generating a password.

KeePass is a single-user GUI program, mainly for Windows (there's a working unix port), but I'm sure you'll be able to find the code segment they've used.

Alternatively, figuring things out yourself and presenting your own calculation of password "strength" isn't that difficult, once you figure out it's all relative anyway. "password" *might* be a good password; it's just 8 random characters from the alphabet - it's a one in 26^8 (208827064576) chance you'll guess it. Actually, if the password was selected from a set of upper-case, lower-case, numbers, punctuation and so on then it's even stronger - (26+26+10+31)^8

So you see that you can't actually say how good a password *is* per-se, but you can assume the worst and work backwards. Compare the password to a dictionary list - there are 96000 entries in /usr/share/dict/words on my Debian machine, if it matches one of those, it's a terrible password. Then, how long is it? If it's only 2 characters, it can't be any good :-) If it consists only of lowercase letters, you could assume that it was selected from only lowercase letters (which might not be true), so rate it low. If it has upper, lower, numbers and punctuation in it, it was selected from a larger set of characters, so it might be better.

If it is mandatory to use these four different character groups in a password, notice that this makes it potentially worse than one without a representative from each group, as long as they were all possible when the password was created.
Have a look at http://diceware.com for an interesting passphrase generation system, that also lets you read more about some of the basic thinking behind things. Great fun! -jim, not really helping I guess.
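The "assume the worst and work backwards" estimate Jim describes (dictionary check, then length times the log2 of the smallest character set the password could have come from), written out as an added Ruby example; this is not code from the thread or from KeePass, and the word list is a constructed stand-in for /usr/share/dict/words.

```ruby
# Added example: worst-case password strength estimate in the style of the post above.
require 'set'

# Constructed sample in place of the 96000-entry /usr/share/dict/words.
DICTIONARY = Set.new(%w[password letmein welcome monkey dragon])

# Character groups and their sizes, matching the (26+26+10+31) reckoning.
CHAR_GROUPS = {
  lower: [/[a-z]/, 26],
  upper: [/[A-Z]/, 26],
  digit: [/[0-9]/, 10],
  punct: [/[^A-Za-z0-9]/, 31],
}

# Infer the smallest set the password could have been drawn from: the sum of
# the sizes of the groups that actually appear. A lowercase-only password is
# assumed to come from 26 characters, as the post suggests.
def charset_size(password)
  CHAR_GROUPS.values.sum { |re, size| password.match?(re) ? size : 0 }
end

# Worst-case search space in bits: length * log2(charset). A dictionary word
# scores 0 regardless of length, because a word list beats brute force.
# Note: a policy that mandates all four groups shrinks the real search space
# below this figure, which is the effect the post warns about.
def strength_bits(password)
  return 0.0 if password.empty? || DICTIONARY.include?(password.downcase)
  password.length * Math.log2(charset_size(password))
end

# Coarse rating buckets; the thresholds are this example's own choice.
def rating(password)
  case strength_bits(password)
  when 0...28  then :terrible
  when 28...48 then :weak
  when 48...64 then :fair
  else              :strong
  end
end

if __FILE__ == $0
  %w[password ab correcthorse Tr0ub4dor&3].each do |pw|
    printf "%-14s %6.1f bits  %s\n", pw, strength_bits(pw), rating(pw)
  end
end
```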
Jodi Showers
2006-Aug-10 16:21 UTC
[Rails] Password Strength Meter, Password Strength Validation
Alex, you may want to check out ruby-password, http://raa.ruby-lang.org/project/ruby-password/

"Ruby/Password comprises a set of useful methods for creating, verifying and manipulating passwords. It includes an interface to CrackLib, a library commonly used for checking password strength."

I can't vouch for it otherwise, but I am intending to evaluate it down the road.

cheers, Jodi
Hello, Another example of a password strength checker. This is a server side implementation: http://www.meosys.com/WEB/webdemo.iface