Security Basics mailing list archives

Re: Password Quality checker


From: intel96 <intel96 () bellsouth net>
Date: Thu, 28 Dec 2006 10:31:30 -0500

Here is the link to the code for this password checker that Saqib
mentioned.  http://www.microsoft.com/athome/security/includes/passwdcheck.js
You could use the code as Saqib mentioned internally, but you will have
to modify it based on your requirements:

1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows GPO)
3) It should also work with Unix/Linux passwords

In Michael Howard's book "Writing Secure Code" on pages 270-272, he
discusses password entropy.  This concept is what the JavaScript on
Microsoft's site is doing.

You can also validate user compliance with your company's password
policy after the fact using NetValidatePasswordPolicy.  More information
is available at this link:
http://msdn2.microsoft.com/en-us/library/aa370661.aspx.  NOTE:  I have
not used this to validate password compliance. 


Saqib Ali wrote:
MS has one on their website for public use. It is pretty cool:

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

Your password never gets sent to any server for checking. And if you
use any other web based utility make sure it is not sending
anything to a server on the internet. Otherwise they might be
collecting your passwords....

I would recommend implementing an in-house one, as you have to keep on
updating it....

saqib
http://www.full-disk-encryption.net

On 12/23/06, Johnny Wong <johnnywkm () gmail com> wrote:
Hello all,

I was wondering whether your organization deploys any password quality
checking tool to help users select policy-compliant passwords, be it
web-based or client-based. I am wondering what type of requirements
you use to select such tools, and what examples are out there?

My thoughts:
1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with
Windows GPO)
3) It should also work with Unix/Linux passwords

Thanks,
JW
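The thread talks about an entropy-based checker (the Microsoft page) and lists three requirements: do not store the password, apply Windows-GPO-style complexity rules, and work for Unix/Linux passwords too. The following is an added example written for this archive, not the Microsoft script or code from any poster. It estimates entropy with the simple character-pool model, applies the default Windows complexity rule (at least three of four character classes, a minimum length assumed to be 8, and no account name in the password), and returns only derived data so the password itself is never retained. The `username` option and the pool sizes are assumptions, not values from the thread.

```javascript
// Added example (not from the Microsoft page or any poster on this thread).
// Client-side password quality check: entropy estimate plus Windows-style
// complexity rules. The password is only read, never stored or logged.

const CLASSES = [
  { name: "lower",  re: /[a-z]/,          size: 26 },
  { name: "upper",  re: /[A-Z]/,          size: 26 },
  { name: "digit",  re: /[0-9]/,          size: 10 },
  { name: "symbol", re: /[^A-Za-z0-9]/,   size: 33 }, // assumed: printable ASCII punctuation
];

// Entropy estimate in bits: length * log2(size of the pool actually used).
// This is the crude "pool size" model; it overstates strength for dictionary
// words and keyboard patterns, so treat the result as an upper bound.
function estimateEntropyBits(password) {
  let pool = 0;
  for (const c of CLASSES) if (c.re.test(password)) pool += c.size;
  if (pool === 0) return 0;
  return password.length * Math.log2(pool);
}

// Complexity rules modelled on the Windows default policy. minLength and the
// username check are assumed defaults; align them with your own GPO.
function checkComplexity(password, { minLength = 8, minClasses = 3, username = "" } = {}) {
  const failures = [];
  if (password.length < minLength) {
    failures.push(`shorter than ${minLength} characters`);
  }
  const used = CLASSES.filter(c => c.re.test(password)).length;
  if (used < minClasses) {
    failures.push(`uses ${used} of ${minClasses} required character classes`);
  }
  if (username && username.length >= 3 &&
      password.toLowerCase().includes(username.toLowerCase())) {
    failures.push("contains the account name");
  }
  return failures;
}

// Combine both checks. Returns only the rating, rounded bits and failure
// reasons, never the password, so the result is safe to display or log.
function ratePassword(password, policy = {}) {
  const bits = estimateEntropyBits(password);
  const failures = checkComplexity(password, policy);
  let rating;
  if (failures.length > 0) rating = "fail";
  else if (bits < 40) rating = "weak";
  else if (bits < 60) rating = "medium";
  else rating = "strong";
  return { bits: Math.round(bits), failures, rating };
}

// Constructed sample inputs for a stand-alone run.
for (const pw of ["password", "Abc123!x", "Tr0ub4dor&3"]) {
  const r = ratePassword(pw, { username: "alice" });
  console.log(`${r.rating} (${r.bits} bits)`, r.failures);
}
```

Because the functions depend on nothing but the string, the same code can run in a browser (like the Microsoft page) or under Node as a pre-check before a Unix/Linux password change; the policy object is the place to encode the site's GPO values.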