Security Basics mailing list archives
Re: Password Quality checker
From: "Steven" <steven () slashmail org>
Date: Wed, 27 Dec 2006 23:40:29 -0500 (EST)
I would suggest a simple JavaScript or similar implementation that checks for the complexity you are looking for. On our web apps at work it doesn't let them submit the format to change their password unless it meets the correct complexity requirements (min 8 chars and mix of lowercase,uppercase,special character,numeric -- some even check the last 10 passwords to ensure no-reuse). You would want to implement something like this from when a user is first given an account. When they login they should be forced to change their password and the script will not let them update and/or login until they have met the proper complexity requirements. Steven
Hello Nic, Thanks for the reply. I was looking for a tool for users to check whether the passwords they choose meet the organization's policy. Not a tool to test the strength of the existing passwords. Most likely a web portal for them to enter the "potential" password, and the portal will determine whether it meets the standards. Rgds, JW At 08:48 AM 26/12/2006, Nic Stevens wrote:You cannot check the quality of "Unix/Linux" passwords as it's a one-way encryption so it must be done at the time the user (or admin) sets the password. With PAM based authentication on *nix there are ways of enforcing stronger passwords standards than the default. As far as Windows goes I have no experience with security. -Nic Johnny Wong wrote:Hello all, I was wondering if your organization deploys any password quality checking tool to help users select policy-compliant passwords? Be it web-based or client based. I am thinking what type of requirements do you use to select such tools, and what are the examples out there? My thoughts: 1) It should not store the user's passwords (be it pass or fail) 2) It should be able to handle complexity rules (or align with Windows GPO) 3) It should also work with Unix/Linux passwords Thanks, JW-- Captiain! We've been hit. The only damage so far is the self-destruct mechanism which, apparently has destroyed itself.!DSPAM:4593121f219189632259165!
Current thread:
- Password Quality checker Johnny Wong (Dec 25)
- Re: Password Quality checker Saqib Ali (Dec 27)
- Re: Password Quality checker intel96 (Dec 29)
- Message not available
- Re: Password Quality checker Johnny Wong (Dec 27)
- Re: Password Quality checker Steven (Dec 29)
- Re: Password Quality checker Arun Bhaskar (Dec 29)
- Re: Password Quality checker Johnny Wong (Dec 27)
- Re: Password Quality checker Saqib Ali (Dec 27)
- <Possible follow-ups>
- RE: Password Quality checker Hayes, Bill (Dec 29)