estimate passwords

Discussion in 'Perl Misc' started by Lennart Freyberg, Jul 4, 2004.

  1. hi there,

    i'm developing a user management interface @work (to allow our users to
    change their passwords on solaris, linux, novell & windows through one web
    interface).
    does anybody of you know a script or a module to estimate passwords? it
    shouldn't only check the length of the password but also how strong or how
    weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

    can anyone help me?

    thanx a lot,

    lennu
    Lennart Freyberg, Jul 4, 2004
    #1
    1. Advertising

  2. In article <-ndh.com>,
    Lennart Freyberg <%l%e%n%n%u%@_l_e_n_n_u.$d$e$> wrote:
    :i'm developing a user management interface @work (to allow our users to
    :change their passwords on solaris, linux, novell & windows through one web
    :interface).
    :does anybody of you know a script or a module to estimate passwords? it
    :shouldn't only check the length of the password but also how strong or how
    :weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

    Is the input the password itself, or the encrypted password?

    Is the result to be returned some kind of numerical result
    such as "It may interesting you to know that your password is
    about 17% strong", or as in "Someone could probably break your
    password in about 38 minutes on s good PC"? Or is the result to
    be a "pass/fail" result along the lines of "That password isn't
    complex enough, choose another one!" ?


    If you are looking for a go/no-go result, then there are a
    variety of programs around that can take an input password, pass it
    through a bunch of [configurable] translation rules, and give you
    an answer.

    The particular one I use here is named 'passwd+'. Looks like I
    picked it up about 9 years ago from the 'net. I remember that I
    fixed a few bugs and added some new kinds of rule processing.
    In particular, I added the ability to call an outside program,
    and then added a daemon that accepts an encrypted copy of the
    password over the 'net and checks that against about 110
    wordlists that I put together from various sources (e.g.,
    Tolkien, Star Trek, basic Swedish vocabulary -- whatever I could
    find.)

    I'm sure the field has advanced quite a bit since I did these hacks,

    --
    So you found your solution
    What will be your last contribution?
    -- Supertramp (Fool's Overture)
    Walter Roberson, Jul 5, 2004
    #2
    1. Advertising

  3. Lennart Freyberg

    John Bokma Guest

    John Bokma, Jul 5, 2004
    #3
  4. Lennart Freyberg

    John Bokma Guest

    Lennart Freyberg wrote:

    > hi there,
    >
    > i'm developing a user management interface @work (to allow our users to
    > change their passwords on solaris, linux, novell & windows through one web
    > interface).
    > does anybody of you know a script or a module to estimate passwords? it
    > shouldn't only check the length of the password but also how strong or how
    > weak it is (alphanumeric, not "qwerty", not part of the username, etc.).
    >
    > can anyone help me?


    IIRC, but it has been ages, the pink Camel (Perl "4") book had such a
    program. Might have been the cookbook. But anyway, it is a start. You
    might start with looking for dictionaries used in brute force attacks,
    and make all the entries invalid passwords. The variations are huge,
    username, username reversed, part of the username normal, part reversed,
    733+ (e.g. j0H|\|6O<M4 :-D)

    --
    John MexIT: http://johnbokma.com/mexit/
    personal page: http://johnbokma.com/
    Experienced Perl programmer available: http://castleamber.com/
    Happy Customers: http://castleamber.com/testimonials.html
    John Bokma, Jul 5, 2004
    #4
  5. Lennart Freyberg

    Bob Walton Guest

    Lennart Freyberg wrote:

    ....
    > i'm developing a user management interface @work (to allow our users to
    > change their passwords on solaris, linux, novell & windows through one web
    > interface).
    > does anybody of you know a script or a module to estimate passwords? it
    > shouldn't only check the length of the password but also how strong or how
    > weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

    ....
    > lennu



    CPAN is your friend -- did you check there? You should find things like
    the Data::password::BasicCheck, Data::password::Check and
    Data::password modules -- and probably some more. One of them might be
    what you're looking for.

    http://www.perl.com/CPAN/

    --
    Bob Walton
    Email: http://bwalton.com/cgi-bin/emailbob.pl
    Bob Walton, Jul 5, 2004
    #5
  6. Lennart Freyberg

    Tintin Guest

    "Lennart Freyberg" <%l%e%n%n%u%@_l_e_n_n_u.$d$e$> wrote in message
    news:-ndh.com...
    > hi there,
    >
    > i'm developing a user management interface @work (to allow our users to
    > change their passwords on solaris, linux, novell & windows through one web
    > interface).
    > does anybody of you know a script or a module to estimate passwords? it
    > shouldn't only check the length of the password but also how strong or how
    > weak it is (alphanumeric, not "qwerty", not part of the username, etc.).


    I'd write a frontend to npasswd.

    http://www.utexas.edu/cc/unix/software/npasswd/
    Tintin, Jul 5, 2004
    #6
  7. Hi Walter,

    > Is the input the password itself, or the encrypted password?

    Sue me, but it is the password itself. The tools I use to change the
    passwords on microsoft ads and novell 4.x nds can't handle encrypted
    passwords (but the session will be encrypted through https).

    > Is the result to be returned some kind of numerical result
    > such as "It may interesting you to know that your password is
    > about 17% strong", or as in "Someone could probably break your
    > password in about 38 minutes on s good PC"? Or is the result to
    > be a "pass/fail" result along the lines of "That password isn't
    > complex enough, choose another one!" ?

    I am interested in a go/no-go result. The password must fulfill several
    properties:
    - minimum (and maybe maximum) length
    - alphanumeric (more than one numeric or alphabetic char and not only at
    the beginning or the end of the password)
    I guess the most problematic property is, that it must not consist of
    keyword-rows (horizontal like "qwerty" and vertical like "bgt5").
    Maybe it's not the strongest password ever, but if it fulfills these
    three properties it is strong enough for us (now).

    The first two checks are not that hard to write, but I have no idea how
    to check the keyword-rows. That's why I am searching for a tool.

    Unfortunately I need one to run under Microsoft! The tools I use for
    changing the password on Novell NDS only run under Windows and I am not
    interested to split the programs of this project onto several computers
    with several operating systems. (But I am not happy with that! ;-) )

    I am sure that most of our users passwords are so weak that I couldn't
    sleep well if I would knew them, so the three properties are something
    like a first step for us...

    Thanks a lot,
    Lennart
    Lennart Freyberg, Jul 12, 2004
    #7
  8. Hi Bob,

    I thought I did...
    > CPAN is your friend -- did you check there? You should find things like
    > the Data::password::BasicCheck, Data::password::Check and
    > Data::password modules -- and probably some more. One of them might be
    > what you're looking for

    .... but maybe I was too blind

    Thanks for the hints,
    Lennart
    Lennart Freyberg, Jul 12, 2004
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bob
    Replies:
    31
    Views:
    990
    Nick Malik
    Jul 16, 2004
  2. =?Utf-8?B?dmlrdG9yOTk5MA==?=

    cost estimate for a database-driven web site

    =?Utf-8?B?dmlrdG9yOTk5MA==?=, Jun 5, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    342
    =?Utf-8?B?dmlrdG9yOTk5MA==?=
    Jun 5, 2005
  3. =?Utf-8?B?dmlrdG9yOTk5MA==?=

    cost estimate for a database-driven web site

    =?Utf-8?B?dmlrdG9yOTk5MA==?=, Jun 5, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    354
    =?Utf-8?B?dmlrdG9yOTk5MA==?=
    Jun 5, 2005
  4. Matías

    Estimate Memory

    Matías, Dec 28, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    393
    Jim Cheshire
    Dec 28, 2005
  5. jackson marshmallow

    steepest slope estimate

    jackson marshmallow, Nov 2, 2003, in forum: Java
    Replies:
    12
    Views:
    4,219
    jackson marshmallow
    Nov 5, 2003
Loading...

Share This Page