
Thread: Password Strength Program

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    172

    Password Strength Program

    If you sign up for an MSN account they have this nifty little progress bar that tells you how strong your password is.

    I'm operating in a W2k and W2k3 AD environment and I'm looking for a program that would do the same thing.

    I google password strength program and I get password cracking tools.

    Does anyone know of a program that will allow the users when they change their passwords to be told how strong the password is? Just enabling the Password Strength Group Policy doesn't do much. I want them to visually see how strong it is.

  2. #2
    Junior Member
    Join Date
    May 2005
    Posts
    9
    I found this:
    http://thoughtlabs.net/andrew/tipsan...indicator.html

    (Googled for Password Strength Indicator)

    I know this code is web based... and I'm not sure if you can integrate it into Windows password changing (unless you do it in a web page ;-)), but it's a start.
    -ts

  3. #3
    I can't report that I know of one, but what a neat idea! Coupled with policy, this would be an excellent user education tool. Provide them some immediate feedback on the strength of their password, and get their buy-in right up front that they are aware of the need for stronger, more complex password security.

    Wonder if we can encourage MS to provide this functionality in AD.

    Of course, this may cause a security issue of its own, depending on how the app would measure the password strength. If it holds the information in memory (unencrypted?) until it is evaluated, then it leaves the password open to capture.

  4. #4
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    Awesome, is it possible to change a password via a website?

  5. #5
    jbclarkman: very dependent on your network and authentication mechanism. Yes, you could, if you had a secure web site that would have access to the authentication mechanism in your network.

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I guess I could integrate this: http://www.greyware.com/software/dompass/ with http://thoughtlabs.net/andrew/tipsan...indicator.html

    However, I couldn't get the second one to work. HTML/Java isn't my thing. Can anyone post something that would help me get the second one (http://thoughtlabs.net/andrew/tipsan...indicator.html) to work?

  7. #7
    Isn't the SSO the only person who should know the password besides the user? Not an untrusted application found from a Google search that clearly falls out of your system's security authentication mechanisms. Then again one could use the Preventing Exposure method. I just thought it should be left up to a higher authority, not an end user to let one know the status of their password?

    Then again I don't have any nodes under my belt.

    I'd read up on the CSC-STD-002-85 (Green book)

  8. #8
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    Well, this would be a strictly internal website, no access to internet on the computers they are using anyways.

  9. #9
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    I think PGP has a similar check of passphrase strength. I suppose it's essentially based on the character set and pass length rather than some complicated analysis on collisions, algorithm particularities [such as repeating blocks for certain keys etc] and such other technical details.
    /\\
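
A length-and-character-set estimate of the kind post #9 describes, as an added JavaScript example (not code from the thread or the linked pages); it scores the password locally in the browser, so nothing is transmitted for evaluation. The pool sizes, bit thresholds, run-collapsing rule and sample deny-list are assumptions chosen for illustration.

```javascript
// Added example: strength estimate from character set and length only.
// All constants below are illustrative assumptions, not values from the thread.
const COMMON = new Set(["password", "password1", "123456", "qwerty", "letmein"]); // constructed sample deny-list

const POOLS = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[ -\/:-@\[-`{-~]/, size: 33 }, // printable ASCII punctuation and space
  { re: /[^\x20-\x7e]/, size: 100 },    // anything outside printable ASCII (rough guess)
];

const THRESHOLDS = [28, 36, 60, 80]; // bits needed to reach score 1..4 (assumed)
const LABELS = ["very weak", "weak", "fair", "strong", "very strong"];

function estimateStrength(password) {
  const chars = Array.from(password); // iterate by code point, not UTF-16 unit
  if (chars.length === 0) return { bits: 0, score: 0, label: "empty" };

  // A pure charset/length measure cannot see dictionary words, so a
  // deny-list lookup has to come first.
  if (COMMON.has(password.toLowerCase())) {
    return { bits: 0, score: 0, label: "very weak (common password)" };
  }

  // Size of the alphabet the password appears to draw from.
  const pool = POOLS.reduce((n, p) => n + (p.re.test(password) ? p.size : 0), 0);

  // Collapse runs of one repeated character ("aaaa" counts once) so that
  // padding with a single key does not inflate the estimate.
  const effectiveLength = chars.filter((c, i) => i === 0 || c !== chars[i - 1]).length;

  const bits = effectiveLength * Math.log2(pool);
  const score = THRESHOLDS.filter((t) => bits >= t).length;
  return { bits: Math.round(bits), score, label: LABELS[score] };
}

// Wiring to a progress bar (browser only; element ids are hypothetical):
// document.getElementById("pw").addEventListener("input", (e) => {
//   document.getElementById("meter").value = estimateStrength(e.target.value).score;
// });
```

The estimate is an upper bound: it still rates predictable patterns such as a capitalised word followed by a digit as reasonably strong, which is why the deny-list check runs before the arithmetic.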

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    "Well, this would be a strictly internal website, no access to internet on the computers they are using anyways."
    So why care about password strength?

    If the systems are important enough to care about password strength, they are important enough to care about password handling.

    cheers,

    catch
