-
October 17th, 2005, 05:04 PM
#1
Senior Member
Password Strength Program
If you sign up for an MSN account they have this nifty little progress bar that tells you how strong your password is.
I'm operating in a W2k and W2k3 AD environment and I'm looking for a program that would do the same thing.
I google password strength program and I get password cracking tools.
Does anyone know of a program that will allow the users when they change their passwords to be told how strong the password is? Just enabling the Password Strength Group Policy doesn't do much. I want them to visually see how strong it is.
-
October 17th, 2005, 05:20 PM
#2
Junior Member
I found this:
http://thoughtlabs.net/andrew/tipsan...indicator.html
(Googled for Password Strength Indicator)
I know this code is web based... and I'm not sure if you can integrate it into Windows password changing (unless you do it in a web page ;-)), but it's a start.
-
October 17th, 2005, 05:21 PM
#3
I can't report that I know of one, but what a neat idea! Coupled with policy, this would be an excellent user education tool. Provide them some immediate feedback on the strength of their password, and get their buy-in right up front that they are aware of the need for stronger, more complex password security.
Wonder if we can encourage MS to provide this functionality in AD.
Of course, this may cause a security issue of its own, depending on how the app would measure the password strength. If it holds the information in memory (unencrypted?) until it is evaluated, then it leaves the password open to capture.
-
October 17th, 2005, 07:35 PM
#4
Senior Member
awesome, is it possible to change password via a website?
-
October 17th, 2005, 08:25 PM
#5
jbclarkman: very dependent on your network and authentication mechanism. Yes, you could, if you had a secure web site that would have access to the authentication mechanism in your network.
-
October 17th, 2005, 09:28 PM
#6
Senior Member
I guess I could integrate this: http://www.greyware.com/software/dompass/ with http://thoughtlabs.net/andrew/tipsan...indicator.html
However, I couldn't get the second one to work. HTML/Java isn't my thing. Can anyone post something that would help me get the second one (http://thoughtlabs.net/andrew/tipsan...indicator.html) to work?
-
October 17th, 2005, 09:40 PM
#7
Isn't the SSO the only person who should know the password besides the user? Not an untrusted application found from a google search that clearly falls out of your systems security authentication mechanisms. Then again one could use the Preventing Exposure method. I just thought it should be left up to a higher authority, not an end user to let one know the status of their password?
Then again I don't have any nodes under my belt.
I'd read up on the CSC-STD-002-85 (Green book)
-
October 17th, 2005, 10:09 PM
#8
Senior Member
Well, this would be a strictly internal website, no access to internet on the computers they are using anyways.
-
October 17th, 2005, 11:33 PM
#9
I think PGP has a similar check of passphrase strength. I suppose it's essentially based on the character set and passlength rather than some complicated analysis on collisions, algorithm particularities [such as repeating blocks for certain keys etc] and such other technical details.
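Added example (not part of the original thread, and not the code from the linked indicator page): a sketch of the character-set-and-length estimate described in post #9, in JavaScript so it is evaluated in the browser and the password is never sent anywhere, which is the handling concern raised in post #3. The class sizes, score thresholds and the small deny list are assumptions; the deny list shows why this estimate on its own overrates passwords such as "Password1!".

```javascript
// Added example: charset-and-length strength estimate, evaluated locally.
// Pool sizes, thresholds and the deny list are assumptions for illustration.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // printable ASCII symbols, including space
];

// Constructed sample; a real deployment would load a large breached-password list.
const DENY_LIST = new Set(["password", "letmein", "qwerty", "welcome"]);

// Sum the sizes of every character class that appears in the password.
function poolSize(pw) {
  return CLASSES.reduce((n, c) => (c.re.test(pw) ? n + c.size : n), 0);
}

// Upper bound on entropy: assumes each character was picked uniformly at random.
function estimateBits(pw) {
  const pool = poolSize(pw);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Ignore case and trailing digits/symbols so "Password1!" matches "password".
function isDenied(pw) {
  const core = pw.toLowerCase().replace(/[^a-z]+$/, "");
  return DENY_LIST.has(core);
}

// Returns { bits, label, percent } suitable for driving a progress bar.
function rateStrength(pw) {
  const bits = Math.round(estimateBits(pw));
  if (pw.length === 0) return { bits: 0, label: "empty", percent: 0 };
  if (isDenied(pw)) return { bits, label: "weak", percent: 10 };
  const label = bits < 40 ? "weak" : bits < 60 ? "fair" : bits < 80 ? "good" : "strong";
  const percent = Math.min(100, Math.round((bits * 100) / 80));
  return { bits, label, percent };
}

// Constructed sample inputs.
for (const sample of ["abc", "Password1!", "tr0ub4dor&3", "x9#Lq2!vRm7@pZ"]) {
  console.log(sample, rateStrength(sample));
}
```

In a page, rateStrength would be called from the password field's input event and only the label and percent shown to the user.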
-
October 18th, 2005, 08:05 AM
#10
"welll this would be a strictly internal website, no access to internet on the computers they are using anyways."
So why care about password strength?
If the systems are important enough to care about password strength, they are important enough to care about password handling.
cheers,
catch