Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Perl > Perl Misc > estimate passwords

Reply
Thread Tools

estimate passwords

 
 
Lennart Freyberg
Guest
Posts: n/a
 
      07-04-2004
hi there,

i'm developing a user management interface @work (to allow our users to
change their passwords on solaris, linux, novell & windows through one web
interface).
does anybody of you know a script or a module to estimate passwords? it
shouldn't only check the length of the password but also how strong or how
weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

can anyone help me?

thanx a lot,

lennu


 
Reply With Quote
 
 
 
 
Walter Roberson
Guest
Posts: n/a
 
      07-04-2004
In article <(E-Mail Removed)-ndh.com>,
Lennart Freyberg <%l%e%n%n%u%@_l_e_n_n_u.$d$e$> wrote:
:i'm developing a user management interface @work (to allow our users to
:change their passwords on solaris, linux, novell & windows through one web
:interface).
:does anybody of you know a script or a module to estimate passwords? it
:shouldn't only check the length of the password but also how strong or how
:weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

Is the input the password itself, or the encrypted password?

Is the result to be returned some kind of numerical result
such as "It may interesting you to know that your password is
about 17% strong", or as in "Someone could probably break your
password in about 38 minutes on s good PC"? Or is the result to
be a "pass/fail" result along the lines of "That password isn't
complex enough, choose another one!" ?


If you are looking for a go/no-go result, then there are a
variety of programs around that can take an input password, pass it
through a bunch of [configurable] translation rules, and give you
an answer.

The particular one I use here is named 'passwd+'. Looks like I
picked it up about 9 years ago from the 'net. I remember that I
fixed a few bugs and added some new kinds of rule processing.
In particular, I added the ability to call an outside program,
and then added a daemon that accepts an encrypted copy of the
password over the 'net and checks that against about 110
wordlists that I put together from various sources (e.g.,
Tolkien, Star Trek, basic Swedish vocabulary -- whatever I could
find.)

I'm sure the field has advanced quite a bit since I did these hacks,

--
So you found your solution
What will be your last contribution?
-- Supertramp (Fool's Overture)
 
Reply With Quote
 
 
 
 
John Bokma
Guest
Posts: n/a
 
      07-05-2004
Walter Roberson wrote:

> Tolkien, Star Trek, basic Swedish vocabulary -- whatever I could
> find.)


Swedish passwords... Now there is an idea

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced Perl programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
 
Reply With Quote
 
John Bokma
Guest
Posts: n/a
 
      07-05-2004
Lennart Freyberg wrote:

> hi there,
>
> i'm developing a user management interface @work (to allow our users to
> change their passwords on solaris, linux, novell & windows through one web
> interface).
> does anybody of you know a script or a module to estimate passwords? it
> shouldn't only check the length of the password but also how strong or how
> weak it is (alphanumeric, not "qwerty", not part of the username, etc.).
>
> can anyone help me?


IIRC, but it has been ages, the pink Camel (Perl "4") book had such a
program. Might have been the cookbook. But anyway, it is a start. You
might start with looking for dictionaries used in brute force attacks,
and make all the entries invalid passwords. The variations are huge,
username, username reversed, part of the username normal, part reversed,
733+ (e.g. j0H|\|6O<M4 )

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced Perl programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
 
Reply With Quote
 
Bob Walton
Guest
Posts: n/a
 
      07-05-2004
Lennart Freyberg wrote:

....
> i'm developing a user management interface @work (to allow our users to
> change their passwords on solaris, linux, novell & windows through one web
> interface).
> does anybody of you know a script or a module to estimate passwords? it
> shouldn't only check the length of the password but also how strong or how
> weak it is (alphanumeric, not "qwerty", not part of the username, etc.).

....
> lennu



CPAN is your friend -- did you check there? You should find things like
the Data:assword::BasicCheck, Data:assword::Check and
Data:assword modules -- and probably some more. One of them might be
what you're looking for.

http://www.perl.com/CPAN/

--
Bob Walton
Email: http://bwalton.com/cgi-bin/emailbob.pl

 
Reply With Quote
 
Tintin
Guest
Posts: n/a
 
      07-05-2004

"Lennart Freyberg" <%l%e%n%n%u%@_l_e_n_n_u.$d$e$> wrote in message
news:(E-Mail Removed)-ndh.com...
> hi there,
>
> i'm developing a user management interface @work (to allow our users to
> change their passwords on solaris, linux, novell & windows through one web
> interface).
> does anybody of you know a script or a module to estimate passwords? it
> shouldn't only check the length of the password but also how strong or how
> weak it is (alphanumeric, not "qwerty", not part of the username, etc.).


I'd write a frontend to npasswd.

http://www.utexas.edu/cc/unix/software/npasswd/


 
Reply With Quote
 
Lennart Freyberg
Guest
Posts: n/a
 
      07-12-2004
Hi Walter,

> Is the input the password itself, or the encrypted password?

Sue me, but it is the password itself. The tools I use to change the
passwords on microsoft ads and novell 4.x nds can't handle encrypted
passwords (but the session will be encrypted through https).

> Is the result to be returned some kind of numerical result
> such as "It may interesting you to know that your password is
> about 17% strong", or as in "Someone could probably break your
> password in about 38 minutes on s good PC"? Or is the result to
> be a "pass/fail" result along the lines of "That password isn't
> complex enough, choose another one!" ?

I am interested in a go/no-go result. The password must fulfill several
properties:
- minimum (and maybe maximum) length
- alphanumeric (more than one numeric or alphabetic char and not only at
the beginning or the end of the password)
I guess the most problematic property is, that it must not consist of
keyword-rows (horizontal like "qwerty" and vertical like "bgt5").
Maybe it's not the strongest password ever, but if it fulfills these
three properties it is strong enough for us (now).

The first two checks are not that hard to write, but I have no idea how
to check the keyword-rows. That's why I am searching for a tool.

Unfortunately I need one to run under Microsoft! The tools I use for
changing the password on Novell NDS only run under Windows and I am not
interested to split the programs of this project onto several computers
with several operating systems. (But I am not happy with that! )

I am sure that most of our users passwords are so weak that I couldn't
sleep well if I would knew them, so the three properties are something
like a first step for us...

Thanks a lot,
Lennart
 
Reply With Quote
 
Lennart Freyberg
Guest
Posts: n/a
 
      07-12-2004
Hi Bob,

I thought I did...
> CPAN is your friend -- did you check there? You should find things like
> the Data:assword::BasicCheck, Data:assword::Check and
> Data:assword modules -- and probably some more. One of them might be
> what you're looking for

.... but maybe I was too blind

Thanks for the hints,
Lennart
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Estimate IFInOctets on multilink interface anti00@poczta.onet.pl Cisco 1 12-01-2005 05:49 PM
cost estimate for a database-driven web site =?Utf-8?B?dmlrdG9yOTk5MA==?= ASP .Net 0 06-05-2005 09:45 PM
cost estimate for a database-driven web site =?Utf-8?B?dmlrdG9yOTk5MA==?= ASP .Net 0 06-05-2005 09:31 PM
Estimate of hours to be spent on a project Bob ASP .Net 31 07-16-2004 03:01 PM
Give me your estimate... MCSE 8 04-05-2004 11:59 PM



Advertisments