estimate passwords

  • Thread starter Lennart Freyberg

Lennart Freyberg

hi there,

i'm developing a user management interface @work (to allow our users to
change their passwords on solaris, linux, novell & windows through one web
interface).
does anybody of you know a script or a module to estimate passwords? it
shouldn't only check the length of the password but also how strong or how
weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

can anyone help me?

thanx a lot,

lennu
 

Walter Roberson

:i'm developing a user management interface @work (to allow our users to
:change their passwords on solaris, linux, novell & windows through one web
:interface).
:does anybody of you know a script or a module to estimate passwords? it
:shouldn't only check the length of the password but also how strong or how
:weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

Is the input the password itself, or the encrypted password?

Is the result to be returned some kind of numerical result
such as "It may interest you to know that your password is
about 17% strong", or as in "Someone could probably break your
password in about 38 minutes on a good PC"? Or is the result to
be a "pass/fail" result along the lines of "That password isn't
complex enough, choose another one!" ?


If you are looking for a go/no-go result, then there are a
variety of programs around that can take an input password, pass it
through a bunch of [configurable] translation rules, and give you
an answer.

The particular one I use here is named 'passwd+'. Looks like I
picked it up about 9 years ago from the 'net. I remember that I
fixed a few bugs and added some new kinds of rule processing.
In particular, I added the ability to call an outside program,
and then added a daemon that accepts an encrypted copy of the
password over the 'net and checks that against about 110
wordlists that I put together from various sources (e.g.,
Tolkien, Star Trek, basic Swedish vocabulary -- whatever I could
find.)

I'm sure the field has advanced quite a bit since I did these hacks,
 

John Bokma

Lennart said:
> hi there,
>
> i'm developing a user management interface @work (to allow our users to
> change their passwords on solaris, linux, novell & windows through one web
> interface).
> does anybody of you know a script or a module to estimate passwords? it
> shouldn't only check the length of the password but also how strong or how
> weak it is (alphanumeric, not "qwerty", not part of the username, etc.).
>
> can anyone help me?

IIRC, but it has been ages, the pink Camel (Perl "4") book had such a
program. Might have been the cookbook. But anyway, it is a start. You
might start with looking for dictionaries used in brute force attacks,
and make all the entries invalid passwords. The variations are huge,
username, username reversed, part of the username normal, part reversed,
733+ (e.g. j0H|\|6O<M4 :-D)
 

Bob Walton

Lennart Freyberg wrote:

> ....
> i'm developing a user management interface @work (to allow our users to
> change their passwords on solaris, linux, novell & windows through one web
> interface).
> does anybody of you know a script or a module to estimate passwords? it
> shouldn't only check the length of the password but also how strong or how
> weak it is (alphanumeric, not "qwerty", not part of the username, etc.). ....
> lennu


CPAN is your friend -- did you check there? You should find things like
the Data::Password::BasicCheck, Data::Password::Check and
Data::Password modules -- and probably some more. One of them might be
what you're looking for.

http://www.perl.com/CPAN/
 

Tintin

Lennart Freyberg said:
> hi there,
>
> i'm developing a user management interface @work (to allow our users to
> change their passwords on solaris, linux, novell & windows through one web
> interface).
> does anybody of you know a script or a module to estimate passwords? it
> shouldn't only check the length of the password but also how strong or how
> weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

I'd write a frontend to npasswd.

http://www.utexas.edu/cc/unix/software/npasswd/
 

Lennart Freyberg

Hi Walter,
> Is the input the password itself, or the encrypted password?

Sue me, but it is the password itself. The tools I use to change the
passwords on microsoft ads and novell 4.x nds can't handle encrypted
passwords (but the session will be encrypted through https).

> Is the result to be returned some kind of numerical result
> such as "It may interest you to know that your password is
> about 17% strong", or as in "Someone could probably break your
> password in about 38 minutes on a good PC"? Or is the result to
> be a "pass/fail" result along the lines of "That password isn't
> complex enough, choose another one!" ?

I am interested in a go/no-go result. The password must fulfill several
properties:
- minimum (and maybe maximum) length
- alphanumeric (more than one numeric or alphabetic char and not only at
the beginning or the end of the password)
I guess the most problematic property is, that it must not consist of
keyword-rows (horizontal like "qwerty" and vertical like "bgt5").
Maybe it's not the strongest password ever, but if it fulfills these
three properties it is strong enough for us (now).

The first two checks are not that hard to write, but I have no idea how
to check the keyword-rows. That's why I am searching for a tool.

Unfortunately I need one to run under Microsoft! The tools I use for
changing the password on Novell NDS only run under Windows and I am not
interested to split the programs of this project onto several computers
with several operating systems. (But I am not happy with that! ;-) )

I am sure that most of our users' passwords are so weak that I couldn't
sleep well if I knew them, so the three properties are something
like a first step for us...

Thanks a lot,
Lennart
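
A go/no-go check for the three properties listed in the post above (the "keyword-rows" being keyboard rows and columns), plus the username test from the opening post, as an added example that is not part of the thread and not taken from any module named in it. The US QWERTY table, the rule names, the defaults (length 8 to 64, run of 4 keys) and the reading of "not only at the beginning or the end" as "a digit must remain after stripping leading and trailing digits" are assumptions.

```perl
use strict;
use warnings;
use 5.010;    # for the // (defined-or) operator

# Assumption: US QWERTY. Keys sharing a column index form the vertical lines (5-t-g-b).
my @ROWS = ('1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm');
my %POS;
for my $r (0 .. $#ROWS) {
    my @keys = split //, $ROWS[$r];
    $POS{ $keys[$_] } = [ $r, $_ ] for 0 .. $#keys;
}

# True if $pw holds $run or more keys in one straight line, in either direction.
sub has_keyboard_run {
    my ($pw, $run) = @_;
    my @p = map { $POS{$_} } split //, lc $pw;    # undef for unmapped characters
    my ($len, $dir) = (1, '');
    for my $i (1 .. $#p) {
        my ($prev, $cur) = @p[ $i - 1, $i ];
        my $step = $prev && $cur ? join(',', map { $cur->[$_] - $prev->[$_] } 0, 1) : '';
        if ($step =~ /^(?:0,-?1|-?1,0)$/) {       # exactly one key left/right/up/down
            ($len, $dir) = ($step eq $dir ? $len + 1 : 2, $step);
            return 1 if $len >= $run;
        } else { ($len, $dir) = (1, '') }
    }
    return 0;
}

# Go/no-go: returns the list of failed rules (an empty list means accepted).
sub check_password {
    my ($pw, $user, %opt) = @_;
    my ($min, $max, $run) = ($opt{min} // 8, $opt{max} // 64, $opt{run} // 4);
    my ($lpw, $lu) = (lc $pw, lc $user);
    (my $core = $pw) =~ s/^[0-9]+|[0-9]+$//g;     # drop leading/trailing digits
    my @why;
    push @why, 'length' if length($pw) < $min || length($pw) > $max;
    push @why, 'needs letters and digits' unless $pw =~ /[A-Za-z]/ && $pw =~ /[0-9]/;
    push @why, 'digits only at start or end' if $pw =~ /[0-9]/ && $core !~ /[0-9]/;
    push @why, 'keyboard row or column' if has_keyboard_run($pw, $run);
    push @why, 'contains username' if length($lu)
        && (index($lpw, $lu) >= 0 || index($lpw, scalar reverse($lu)) >= 0);
    return @why;
}

# Constructed sample passwords for the hypothetical user "lennu"; not from the thread.
for my $pw (qw(qwerty12 xbgt5k2m x9unnelk4 k3vlar7mop)) {
    my @why = check_password($pw, 'lennu');
    printf "%-11s %s\n", $pw, @why ? 'NO-GO: ' . join('; ', @why) : 'go';
}
```

It uses only core Perl, so it needs no extra modules on a Windows Perl installation.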
 

Lennart Freyberg

Hi Bob,

I thought I did...
> CPAN is your friend -- did you check there? You should find things like
> the Data::Password::BasicCheck, Data::Password::Check and
> Data::Password modules -- and probably some more. One of them might be
> what you're looking for
.... but maybe I was too blind

Thanks for the hints,
Lennart
 
