
| Subject: | Re: Password Quality checker |
|---|---|
| Date: | Thu, 28 Dec 2006 10:31:30 -0500 |

Here is the link to the code for this password checker that Saqib mentioned.

http://www.microsoft.com/athome/security/includes/passwdcheck.js

You could use the code as Saqib mentioned internally, but you will have to modify it based on your requirements:

1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows GPO)
3) It should also work with Unix/Linux passwords

In Michael Howard's book "Writing Secure Code", on pages 270-272, he discusses password entropy. This concept is what the JavaScript on Microsoft's site is doing.

You can also validate user compliance with your company's password policy after the fact using NetValidatePasswordPolicy. More information is available at this link: http://msdn2.microsoft.com/en-us/library/aa370661.aspx.

NOTE: I have not used this to validate password compliance.

Saqib Ali wrote:

MS has one on their website for public use. It is pretty cool: http://www.microsoft.com/athome/security/privacy/password_checker.mspx

Your password never gets sent to any server for checking. And if you use any other web-based utility, make sure it is not sending anything to a server on the internet. Otherwise they might be collecting your passwords....

I would recommend implementing an in-house one, as you have to keep on updating it....

saqib
http://www.full-disk-encryption.net

On 12/23/06, Johnny Wong <johnnywkm@gmail.com> wrote:

Hello all,

I was wondering if your organization deploys any password quality checking tool to help users select policy-compliant passwords? Be it web-based or client-based. I am thinking what type of requirements do you use to select such tools, and what are the examples out there?

My thoughts:

1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows GPO)
3) It should also work with Unix/Linux passwords

Thanks,
JW
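
The requirements discussed in this thread (nothing stored or sent, complexity rules, an entropy estimate) can be sketched as a local-only check. This is an added example, not code from the thread or from Microsoft's script; the policy values, pool sizes, and the names `POLICY`, `estimateEntropyBits` and `checkPassword` are assumptions to be aligned with your own GPO settings.

```javascript
// Added example: local-only password quality check (no storage, no network).
// Policy values are assumptions; set them to match your own GPO.
const POLICY = { minLength: 8, minClasses: 3 };

// Character classes and the pool size each adds to the entropy estimate.
// 33 = printable ASCII characters that are not letters or digits (assumed pool).
const CLASSES = [
  { name: "lower",  re: /[a-z]/,        pool: 26 },
  { name: "upper",  re: /[A-Z]/,        pool: 26 },
  { name: "digit",  re: /[0-9]/,        pool: 10 },
  { name: "symbol", re: /[^A-Za-z0-9]/, pool: 33 },
];

// Upper bound only: length * log2(pool). Human-chosen passwords are less
// random than this, so treat the figure as a ceiling, not a measurement.
function estimateEntropyBits(password) {
  const pool = CLASSES.filter(c => c.re.test(password))
                      .reduce((sum, c) => sum + c.pool, 0);
  return pool === 0 ? 0 : Math.round(password.length * Math.log2(pool));
}

// Returns { ok, failures, entropyBits }. The password is never logged,
// persisted, or transmitted; only the verdict leaves this function.
function checkPassword(password, accountName = "", policy = POLICY) {
  const failures = [];
  if (password.length < policy.minLength) failures.push("too-short");
  const classes = CLASSES.filter(c => c.re.test(password)).length;
  if (classes < policy.minClasses) failures.push("too-few-classes");
  // Reject passwords that contain the account name (3+ chars, any case).
  if (accountName.length >= 3 &&
      password.toLowerCase().includes(accountName.toLowerCase())) {
    failures.push("contains-account-name");
  }
  return { ok: failures.length === 0, failures,
           entropyBits: estimateEntropyBits(password) };
}
```
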