Rails - Aug 2006 - Password Strength Meter, Password Strength Validation

Has anyone seen or created a password strength meter, or password strength
validator (like at hotmail''s sign up)?

 

Examples would be great!

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060804/14a94764/attachment.html

On Fri, Aug 04, 2006 at 04:10:20PM +0930, Alex Moore
wrote:
> Has anyone seen or created a password strength meter, or password strength
> validator (like at hotmail?s sign up)?
There''s one in the KeePass program (http://keepass.sf.net)
that''s open
sourced; however I''m a little suspicious of it''s assumptions
around the
bit-length calculations, as it won''t be able to understand the
effective
size of the character-set used when generating a password.

KeePass is a single-user GUI program, mainly for Windows (there''s a
working unix port), but I''m sure you''ll be able to find the
code segment
they''ve used.

Alternatively, figuring things out yourself and presenting your own
calculation of password "strength" isn''t that difficult, once
you figure
out it''s all relative anyway. "password" *might* be a good
password;
it''s just 8 random characters from the alphabet - it''s a one
in 26^8
(208827064576) chance you''ll guess it. Actually, if the password was
selected from a set of upper-case, lower-case, numbers, punctuation and
so on than it''s even stronger - (26+26+10+31)^8

So you see that you can''t actually say how good a password *is* per-se,
but you can assume the worst and work backwards. Compare the password to
a dictionary list - there are 96000 entries in /usr/share/dict/words on
my Debian machine, if it matches one if those, it''s a terrible
password.
Then, how long is it? If it''s only 2 characters, it can''t be
any good
:-) If it consists only of lowercase letters, you could assume that is
was selected from only lowercase letters (which might not be true), so
rate it low. If it has upper, lower, numbers and punctuation in it, it
was selected from a larger set of characters, so it might be better.

If it is mandatory to use these four different character groups in a
password, notice that this makes it potentially worse than one without a
representative from each group, as long as they were all possible when
the password was created.

Have a look at http://diceware.com for an interesting passphrase
generation system, that also lets you read more about some of the basic
thinking behind things. Great fun!

-jim, not really helping I guess.

Alex,  you may want to check out ruby-password,

http://raa.ruby-lang.org/project/ruby-password/

"Ruby/Password comprises a set of useful methods for creating,  
verifying and manipulating passwords. It includes an interface to  
CrackLib, a library commonly used for checking password strength. "

I can''t vouch for it otherwise, but I am intending to evaluate it  
down the road.

cheers,
Jodi

On 6-Aug-06, at 5:04 AM, Jim Cheetham wrote:
> On Fri, Aug 04, 2006 at 04:10:20PM +0930, Alex Moore wrote:
>> Has anyone seen or created a password strength meter, or password  
>> strength
>> validator (like at hotmail?s sign up)?
>
> There''s one in the KeePass program (http://keepass.sf.net)
that''s open
> sourced; however I''m a little suspicious of it''s
assumptions around
> the
> bit-length calculations, as it won''t be able to understand the  
> effective
> size of the character-set used when generating a password.
>
> KeePass is a single-user GUI program, mainly for Windows (there''s
a
> working unix port), but I''m sure you''ll be able to find
the code
> segment
> they''ve used.
>
> Alternatively, figuring things out yourself and presenting your own
> calculation of password "strength" isn''t that difficult,
once you
> figure
> out it''s all relative anyway. "password" *might* be a
good password;
> it''s just 8 random characters from the alphabet - it''s a
one in 26^8
> (208827064576) chance you''ll guess it. Actually, if the password
was
> selected from a set of upper-case, lower-case, numbers, punctuation  
> and
> so on than it''s even stronger - (26+26+10+31)^8
>
> So you see that you can''t actually say how good a password *is*
per-
> se,
> but you can assume the worst and work backwards. Compare the  
> password to
> a dictionary list - there are 96000 entries in /usr/share/dict/ 
> words on
> my Debian machine, if it matches one if those, it''s a terrible  
> password.
> Then, how long is it? If it''s only 2 characters, it can''t
be any good
> :-) If it consists only of lowercase letters, you could assume that is
> was selected from only lowercase letters (which might not be true), so
> rate it low. If it has upper, lower, numbers and punctuation in it, it
> was selected from a larger set of characters, so it might be better.
>
> If it is mandatory to use these four different character groups in a
> password, notice that this makes it potentially worse than one  
> without a
> representative from each group, as long as they were all possible when
> the password was created.
>
> Have a look at http://diceware.com for an interesting passphrase
> generation system, that also lets you read more about some of the  
> basic
> thinking behind things. Great fun!
>
> -jim, not really helping I guess.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Hello,

Another example of a password strength checker. This is a server side 
implementation


<a href=''http://www.meosys.com/WEB/webdemo.iface''
>http://www.meosys.com/WEB/webdemo.iface</a>
-- 
Posted via http://www.ruby-forum.com/.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.