Subject: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: lugnet.admin.general
Date: Thu, 30 Mar 2000 00:22:28 GMT
Viewed: 4061 times

In lugnet.admin.general, Larry Pieniazek writes:
> > No, not dug in, just a bit skeptical and need to think changes through
> > carefully. No doubts that you could pick an excellent password. It's the
> > average non-geek who is the potential weak link.
>
> OK, make me confirm my confirm (each time warning the non geeky that maybe,
> just maybe, they ought to use the one they were given) when I go to pick my
> password, then subject it to a few quick checks to see if it was a good
> choice (I prefer trying a quick brute force attack to try to guess it
> rather than enforcing "must be more than 6 letters must contain at least
> one number" kind of rules which actually cut into the password space).
OK, I've done more research into human factors of passwords and have crufted
together[1] what I hope is a rather froody password checker.

First, it's got a _moby_ database of more than 2.7 million words, names,
phrases, numbers, and other common sequences culled from more than 100 free
wordlists covering more than 20 world languages. It consults this database
to identify risks based on known, non-arbitrary character sequences. Second,
it checks for other manners of dubious sequences (substring repetition,
palindromes, backwords, and other cleverless human tricks). Third, it knows
how to unmung upside-down calculator words like 07734 or 0937 and it knows
that $#!+ is a weak disguise for a common 4LW. And then it's got a couple
of other recursive risk-sensors too.

Anyway, you give it some password to analyze, and it comes back with an
appraisal of that password's strength. It *will* allow you to have a
5-character password, but only if it thinks it's really good. Similarly,
it will fail a 9-character password containing uppercase and lowercase
letters, numbers, and special characters if for some reason it feels that
password is still too risky.

Doing some statistical analysis on randomly generated passwords (assuming a
character set of a-z, A-Z, 0-9, and -, all with equal probability), it fails
about 85% of all 5-character passwords, 40% of all 6-character passwords,
15% of all 7-character passwords, 8% of all 8-character passwords, and 7%
of all 9-character passwords. Thus it does not adversely limit the domain
of all choices -- although it is very picky about what it likes, and if you
want a 5-character password, you have to work hard.

I'll put this password thingy up on a webpage for people to try out, maybe
later tonight. If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

--Todd

[1] I'd like to blame NIHS but I did not find any adequately strong freely
available drop-in solutions.
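To make the kinds of checks Todd describes concrete, here is an added toy appraiser in Python. It is not Todd's checker and not any LUGNET code; it stands in a tiny constructed wordlist for his 2.7-million-entry database, and the leet map, the upside-down calculator digit map, the `MIN_BITS` entropy threshold and the `rejection_rate` simulation are all assumptions made for this illustration. It shows the pieces his post lists: dictionary and reversed-word lookups, substring repetition, palindromes, unmunging of calculator words (07734, 0937) and of symbol disguises, and a random-password rejection-rate measurement over the a-z, A-Z, 0-9, - alphabet.

```python
import math
import random
import string

# Constructed mini wordlist standing in for the post's 2.7-million-entry database.
WORDLIST = {"password", "hello", "lego", "brick", "secret", "qwerty",
            "letmein", "dragon", "monkey", "abc", "123456"}

# Assumed symbol-for-letter disguises (the "$#!+" style), undone before lookup.
LEET = str.maketrans({"$": "s", "#": "h", "!": "i", "+": "t", "@": "a",
                      "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Upside-down calculator digits: the display is read rotated 180 degrees,
# so the digit string is reversed before mapping (07734 -> hello, 0937 -> lego).
CALC = {"0": "o", "1": "i", "2": "z", "3": "e", "4": "h", "5": "s",
        "6": "g", "7": "l", "8": "b", "9": "g"}

# Assumed threshold for this toy: estimated bits a risk-free password must reach.
MIN_BITS = 28.0


def calculator_word(pw):
    """Word a digit-only password spells on an upside-down calculator, else None."""
    if not pw or not pw.isdigit():
        return None
    return "".join(CALC[d] for d in reversed(pw))


def unleet(pw):
    """Undo the assumed symbol-for-letter substitutions."""
    return pw.lower().translate(LEET)


def is_repeated_unit(s):
    """True when s is one unit repeated two or more times (aaaa, abab, abcabc)."""
    n = len(s)
    return any(n % k == 0 and s[:k] * (n // k) == s for k in range(1, n // 2 + 1))


def dictionary_hits(s):
    """Dictionary words of at least three characters occurring inside s."""
    return {w for w in WORDLIST if len(w) >= 3 and w in s}


def estimated_bits(pw):
    """Naive entropy estimate from the character classes actually used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def appraise(pw):
    """Return (verdict, risks): verdict is 'ok' or 'weak', risks lists the reasons."""
    risks = []
    low = pw.lower()
    if low in WORDLIST:
        risks.append("dictionary word")
    elif dictionary_hits(low):
        risks.append("contains dictionary word: " + ", ".join(sorted(dictionary_hits(low))))
    if low[::-1] in WORDLIST:
        risks.append("reversed dictionary word")
    if len(low) >= 3 and low == low[::-1]:
        risks.append("palindrome")
    if len(low) >= 2 and is_repeated_unit(low):
        risks.append("repeated substring")
    calc = calculator_word(pw)
    if calc in WORDLIST:
        risks.append(f"calculator word ({calc})")
    plain = unleet(pw)
    if plain != low and (plain in WORDLIST or dictionary_hits(plain)):
        risks.append(f"leet-disguised word ({plain})")
    # Any structural risk fails the password outright, whatever its length;
    # only a risk-free password is then judged on estimated entropy.
    bits = estimated_bits(pw)
    if not risks and bits < MIN_BITS:
        risks.append(f"too little entropy ({bits:.1f} bits)")
    return ("weak" if risks else "ok", risks)


def rejection_rate(length, trials, seed=0):
    """Fraction of random passwords over a-z, A-Z, 0-9, '-' that the appraiser rejects."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + "-"
    rejected = sum(appraise("".join(rng.choice(alphabet) for _ in range(length)))[0] == "weak"
                   for _ in range(trials))
    return rejected / trials


if __name__ == "__main__":
    for pw in ["Password", "07734", "0937", "p4$$w0rd", "abcabc", "racecar", "ogel", "xk7Qz", "xkqzw"]:
        print(pw, appraise(pw))
    for n in (5, 6, 7, 8, 9):
        print(n, rejection_rate(n, 2000))
```

The rejection rates this toy produces will differ from the 85%/40%/15%/8%/7% figures in the post, since its wordlist is tiny and its entropy rule is a placeholder; what it reproduces is the shape of the policy, in which a short password can pass if it carries no recognisable structure and a long, mixed-class password still fails if it unmungs to a known word.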

Message has 2 Replies.
Message is in Reply To: Re: New feature: Article rating (26-Mar-00, to lugnet.admin.general)