Subject:
|
Re: Automated password appraisal (Re: New feature: Article rating)
|
Newsgroups:
|
lugnet.admin.general
|
Date:
|
Thu, 30 Mar 2000 11:23:41 GMT
|
Highlighted:
|
!!
(details)
|
Viewed:
|
3562 times
|
| |
|
|
In lugnet.admin.general, Todd Lehman writes:
> [...]
> I'll put this password thingy up on a webpage for people to try out, maybe
> later tonight. If we can all agree that it does a good job of weeding out
> bad passwords, then I'll put it into place for where you can actually change
> your own password.
OK, here it is:
http://www.lugnet.com/people/members/pwsa/
Executive summary:
Type in a password and it tells you "pass" or "fail".
First important question:
Are there any bad passwords which this fails to reject? (If it rejects
a seemingly good password, that's not necessarily a problem. Failing to
reject a bad password is a far more serious problem.)
Second important question:
Are there words that you can think of which this fails to detect as
potential weaknesses? (Try to stump it!)
Notes:
The box that you type into does _not_ display *'s over the top of the text
you type. (This makes it easier to edit, re-edit, and experiment.) Thus,
don't run this with people looking over your shoulder (unless you're just
playing around and have no intention of using the passwords you test).
The pages that come back show your whole password on the screen and many
fragments of it, so Clear Out Your Browser's Cache After Running This if
anyone but you can read files on your machine. (I'll probably make it set
the 'no-cache' and 'expires' HTTP headers on the output pages tomorrow, but
it still wouldn't hurt to wipe out your cache afterwords.)
The analysis is very slow. It may take several seconds to check your input,
so please be patient. The CPU time is displayed at the bottom of the results
page, and you may notice that the CPU time shows much smaller values than the
elapsed time. Partially, this is due to typical issues like network latency
and multiple processes competing for resources, but mainly, in this case,
this is due to the fact that the words dictionary (30+ MB of 2.7*10^6 words,
names, acronyms, phrases, etc.) doesn't fit into core memory. (Well, it
fits, but it doesn't stay cached long, so there are often lots of pagefaults
which result in access to secondary storage, which slows things down.)
Subsequent analyses of similar-looking input may result in quicker responses.
If it identifies risky words that you've never heard of, keep in mind that
it's looking through words from more than 20 human languages, and that it
also knows names, computer words, science words, and all kinds of other
obscure stuff.
Non-English words containing characters outside of the strict 7-bit ASCII
character set are not yet handled (detected) properly. This is because the
original word lists for those languages encoded these non-ASCII extended
characters using double-byte sequences which I haven't yet figured out how
to decode. (Some are simple and obvious, for example :a for umlaut-a, or
/o for slash-o, but others, like curly braces and angle brackets, are still
mystifying. There was no decoding documentation available with the source
files (or else I missed it somehow) but if a few people are willing to have
a look at a few examples in each language, we can probably figure it out
pretty quickly. (I'll double-check again for decoding docs first.)
--Todd
|
|
Message has 18 Replies:
Message is in Reply To:
309 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
- Entire Thread on One Page:
- Nested:
All | Brief | Compact | Dots
Linear:
All | Brief | Compact
This Message and its Replies on One Page:
- Nested:
All | Brief | Compact | Dots
Linear:
All | Brief | Compact
|
|
|
|
