Jason Levine
Premium
join:2001-07-13
USA
| Dictionary for Password Strength Testing
I saw a link to a Password Strength tester (»www.securitystats.com/tools/password.php) in another thread and thought that it would be a great tool for my users. However, I don't want them submitting their passwords across the Internet and some of the suggestions (upper case) don't apply in our situation (we have case insensitive passwords). Therefore, I'm looking at building it myself.
So far, it looks like they check 5 criteria:
1. Is the password in the dictionary?
2. Is the password 8 characters or more in length?
3. Does the password include special symbols?
4. Does the password contain numbers?
5. Does the password contain mixed case?
I'd wind up replacing that last one with:
5. Does the password match the user's username?
Numbers 2-5 are easy to implement. However, #1 requires that I have a database of common words to query against. Does anyone know of any free/low-cost sources for this that I could use to populate a SQL Server database?
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/ |
|
Mospaw
Head Ache
Hawaiian Jellyfish
join:2001-01-08
The Pacific | Lots of words here: »www.itasoftware.com/careers/WORD.LST
You should be able to save that file and run a query on it. If you need help writing one, let me know. |
|
Jason Levine
Premium
join:2001-07-13
USA | Thanks. This should help a lot!  |
|
Overdrive
Are You Where You Want To Be?
Premium
join:2001-05-31
Waterbury, CT
| reply to Mospaw
that's a lot of words...
--
Need a Web Developer? |
|
DA OH
Do, Or Do Not. There Is No 'try'.
join:2002-01-07
Denver, CO
clubs:
| said by Overdrive  :
that's a lot of words...
173,528 to be exact. --
"Victory goes to the player who makes the next-to-last mistake." |
|
fiqqq
Mr. Chainsaw
Premium
join:2003-01-23
Wilmette, IL
clubs:
| reply to Jason Levine
be careful not to throw out passwords that meet all of the other expectations like dog!#Murphy, !# being his age but with shift pressed. as these are strong passwords and better than users having to remember 435A93k*m or the likes.
--
placidness.com: my site. |
|
big greg
Premium,MVM,Ex-Mod 2005-6
join:2003-10-11
Boston, MA
clubs:
| reply to Mospaw
Excellent link! Thanks! |
|
Mospaw
Head Ache
Hawaiian Jellyfish
join:2001-01-08
The Pacific
 ·Cox HSI
Host:
Road Warriors, Not..
All Things Macintosh
Automotive
| Our IT manager is encouraging the use of "pass phrases" instead of passwords. Something like "Mospaw is a genius." or even "Four score and seven years ago" to type in. Nice and long, and very difficult to guess. You could even have "Four score and 7 years ago" to make it harder to guess, but still very easy to remember.
The only issue is that some applications/web sites may limit password length, so the longer phrases may be problematic. I would think that 80 characters would handle just about all reasonable pass phrases. |
|
DA OH
Do, Or Do Not. There Is No 'try'.
join:2002-01-07
Denver, CO
clubs:
| reply to Jason Levine
We use pass phrases here, but only the initials from them. For example: road runner is very fast becomes rrivf. For added security, we also add special characters, so the final password becomes: !rrivf!
--
"Victory goes to the player who makes the next-to-last mistake." |
|
Jason Levine
Premium
join:2001-07-13
USA
| reply to Mospaw
I encourage passphrases too. Not only are they hard to guess, but they're pretty easy to remember. "We're off to see the wizard!" is a 28 character password/phrase that's pretty secure and easier to remember than "1ri&br#a#ho9thiucoe!l27ieslu"
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/ |
|
