Security Basics mailing list archives
RE: Password Quality checker
From: "Hayes, Bill" <Bill.Hayes () owh com>
Date: Fri, 29 Dec 2006 09:26:09 -0600
I would advise some caution in enthusiastically recommending the link http://www.microsoft.com/athome/security/privacy/password_checker.mspx. It regards the password strength of the strings 'password' as weak, 'Password' as medium, and 'Password1' as strong. Variations of easily guessable passwords are not strong passwords. Having worked in IT and infosec jobs in Nebraska for nearly 20 years, I can't tell you the number of Husker fans who think that 'GoHuskers!' is a strong password. Even 'G0Husk3r5!' can be easily guessed.

BTW, I am NOT a sports fan (my wife and I may be the only folks in Nebraska who aren't) so don't write to commiserate about this year's team. :-)

Bill...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of intel96
Sent: Thursday, December 28, 2006 9:32 AM
To: Johnny Wong
Cc: Saqib Ali; security-basics () securityfocus com
Subject: Re: Password Quality checker

Here is the link to the code for this password checker that Saqib mentioned.
http://www.microsoft.com/athome/security/includes/passwdcheck.js

You could use the code as Saqib mentioned internally, but you will have to modify it based on your requirements:
1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows GPO)
3) It should also work with Unix/Linux passwords

In Michael Howard's book "Writing Secure Code" on pages 270-272, he discusses password entropy. This concept is what the JavaScript on Microsoft's site is doing.

You can also validate user compliance with your company's password policy after the fact using NetValidatePasswordPolicy. More information is available at this link: http://msdn2.microsoft.com/en-us/library/aa370661.aspx. NOTE: I have not used this to validate password compliance.

Saqib Ali wrote:
MS has one on their website for public use. It is pretty cool: http://www.microsoft.com/athome/security/privacy/password_checker.mspx

Your password never gets sent to any server for checking. And if you use any other web based utility make sure it is not sending anything to a server on the internet. Otherwise they might be collecting your passwords....

I would recommend implementing an in-house one as you will have to keep on updating it....

saqib
http://www.full-disk-encryption.net

On 12/23/06, Johnny Wong <johnnywkm () gmail com> wrote:
Hello all,

I was wondering if your organization deploys any password quality checking tool to help users select policy-compliant passwords? Be it web-based or client based. I am thinking what type of requirements do you use to select such tools, and what are the examples out there?

My thoughts:
1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows GPO)
3) It should also work with Unix/Linux passwords

Thanks,
JW
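Bill's point above, that a checker which only counts character classes rates 'Password1' and 'G0Husk3r5!' as strong, shown in code as an added example (not Microsoft's passwdcheck.js and not code from anyone in the thread). It pairs the naive length-times-log2(pool) estimate with a dictionary lookup after undoing common letter substitutions; the word list, substitution table, thresholds and the 10-bit "mangling rule" budget are all assumed sample values, and the checker keeps nothing, which meets the first of JW's requirements.

```javascript
// Added example: naive character-class "entropy" next to a dictionary-aware
// rating. WORDS, LEET, thresholds and the mangling budget are assumed values.
const WORDS = new Set(["password", "huskers", "gohuskers", "welcome", "admin"]);

// Common substitutions mapped back to letters before the dictionary lookup.
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

function normalize(pw) {
  const mapped = pw.toLowerCase().split("").map(c => LEET[c] || c).join("");
  return mapped.replace(/[^a-z]/g, "");   // keep letters only for the lookup
}

// Naive estimate: length * log2(pool size), rewarding every extra character class.
function classEntropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pool ? pw.length * Math.log2(pool) : 0;
}

// Longest dictionary word hidden in the normalized password, or null.
function dictionaryHit(pw) {
  const base = normalize(pw);
  let best = null;
  for (const w of WORDS) {
    if (base.includes(w) && (!best || w.length > best.length)) best = w;
  }
  return best;
}

function labelFor(bits) {
  return bits < 28 ? "weak" : bits < 50 ? "medium" : "strong";
}

// Returns both ratings so the gap between them is visible to the caller.
function rate(pw) {
  const naiveBits = classEntropyBits(pw);
  const word = dictionaryHit(pw);
  let bits = naiveBits;
  if (word) {
    // A guesser needs the word plus a mangling rule: credit only the leftover
    // characters (4 bits each) plus an assumed 10-bit budget for the rule.
    bits = Math.min(naiveBits, (pw.length - word.length) * 4 + 10);
  }
  return { naiveLabel: labelFor(naiveBits), label: labelFor(bits), word, naiveBits: Math.round(naiveBits), bits: Math.round(bits) };
}
```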
Current thread:
- Password Quality checker Johnny Wong (Dec 25)
- Re: Password Quality checker Saqib Ali (Dec 27)
- Re: Password Quality checker intel96 (Dec 29)
- Message not available
- Re: Password Quality checker Johnny Wong (Dec 27)
- Re: Password Quality checker Steven (Dec 29)
- Re: Password Quality checker Arun Bhaskar (Dec 29)
- Re: Password Quality checker Johnny Wong (Dec 27)
- Re: Password Quality checker Saqib Ali (Dec 27)
- <Possible follow-ups>
- RE: Password Quality checker Hayes, Bill (Dec 29)