I would suggest a simple JavaScript or similar implementation that checks
for the complexity you are looking for. On our web apps at work it
doesn't let them submit the format to change their password unless it
meets the correct complexity requirements (min 8 chars and mix of
lowercase,uppercase,special character,numeric -- some even check the last
10 passwords to ensure no-reuse).
You would want to implement something like this from when a user is first
given an account. When they login they should be forced to change their
password and the script will not let them update and/or login until they
have met the proper complexity requirements.
Steven
Hello Nic,
Thanks for the reply. I was looking for a tool for users to check
whether the passwords they choose meet the organization's policy. Not
a tool to test the strength of the existing passwords. Most likely a
web portal for them to enter the "potential" password, and the portal
will determine whether it meets the standards.
Rgds,
JW
At 08:48 AM 26/12/2006, Nic Stevens wrote:
You cannot check the quality of "Unix/Linux" passwords as it's a
one-way encryption so it must be done at the time the user (or
admin) sets the password. With PAM based authentication on *nix
there are ways of enforcing stronger passwords standards than the
default.
As far as Windows goes I have no experience with security.
-Nic
Johnny Wong wrote:
Hello all,
I was wondering if your organization deploys any password quality
checking tool to help users select policy-compliant passwords? Be
it web-based or client based. I am thinking what type of
requirements do you use to select such tools, and what are the
examples out there?
My thoughts:
1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows
GPO)
3) It should also work with Unix/Linux passwords
Thanks,
JW
--
Captiain! We've been hit. The only damage so far is the self-destruct
mechanism which, apparently has destroyed itself.
!DSPAM:4593121f219189632259165!
