On 04/16/2011 08:40 AM, AJ ONeal wrote:
> This is near and dear to my heart so I had to evangelize:
> http://www.baekdal.com/tips/password-security-usability

I want to include this idea in the password meters I create for web applications. I need a better password scoring algorithm. I don't want to *require* any minimum password complexity (other than a minimum password length), but I do want to help the user choose a good password.

Would it be reasonable to score based on the number of unique characters in the password?

- "abc" gets 3
- "aaa" gets 1
- "this is fun" gets 8
- "J4fS<2" gets 6
- "abcdefgh" gets 8

This was OK until I got to "abcdefgh", which should have a very low score. Maybe I could fix that by not increasing the score for obvious character sequences (either alphabetical or QWERTY-style). Then "a1b2c3d4" would still get too high a score, which I might fix by detecting interleaved sequences as well.

What about long words? The word "mathematically" has 14 characters and would score 9 using the unique character count algorithm, but any dictionary word is quite insecure. I can't just look for words in a dictionary, since names and foreign words are equally insecure, so it would be unreasonable to compile a list of all common words worldwide. Maybe the algorithm should look for word separators like spaces and dashes, then score each word separately and multiply the scores of all the words.

Combining that with sequence detection:

- "abc" gets 1
- "aaa" gets 1
- "this is fun" gets 4 * 2 * 3 = 24
- "J4fS<2" gets 6
- "abcdefgh" gets 1
- "a1b2c3d4" gets 2
- "mathematically" gets 9
- "i loved what i had for breakfast" gets 1*5*4*1*3*3*8 = 1440

This is looking better, but I still want "J4fS<2" to get a higher score than "mathematically". Maybe the algorithm should multiply the word score by the number of character classes it contains. "J4fS<2" contains 4 character classes (upper case, lower case, digit, and symbol), so it gets a score of 6 * 4 = 24. OTOH, "Mathematically" would then get 18, so if a word contains only letters, I don't want to boost that word's score.

Does anyone have better suggestions? Or better... a complete password scoring algorithm? :-)

Shane

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
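The scoring rules sketched in the message above, assembled into one runnable scorer as an added example. This is not code from the post, from the PLUG list, or from any password meter Shane wrote; it only reproduces his numbers. Things the message leaves open and that are assumed here (and marked in the code): the separator set (whitespace and dashes), the rule that a "sequence" needs at least three characters, the US QWERTY row layout used for keyboard walks, and the names `score_word`, `score_password` and `sequence_positions`. Calling `score_password(pw, class_bonus=False)` gives the values in the second list; the default applies the character-class multiplier from the last paragraph, with the letters-only exception.

```python
"""Password scoring heuristic assembled from the rules proposed in the post.

Added illustration, not code from the post or from the PLUG list.  Rules:

  1. Split the password on word separators (assumed: whitespace and dashes).
  2. Score each word by its number of unique characters (case-insensitive),
     except that characters merely continuing an obvious sequence do not
     count.  A sequence (assumed: three or more characters) steps by one
     alphabetically/numerically or along a QWERTY row, either adjacent
     (stride 1) or interleaved with another sequence (stride 2, "a1b2c3d4").
  3. Multiply the word score by the number of character classes it uses,
     unless the word contains only letters.
  4. Multiply the word scores together.
"""
import re

# Assumed unshifted US QWERTY rows, used to detect keyboard walks.
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")

# Assumed separator set: the post mentions spaces and dashes.
SEPARATORS = re.compile(r"[\s-]+")


def _step(a, b):
    """Classify the move from character a to b, or return None.

    ("alnum", +1/-1) for adjacent letters or digits, ("qwerty", +1/-1) for
    neighbours on the same keyboard row.  A run of identical steps is a
    sequence; mixing step kinds (e.g. "ast": QWERTY a->s, alphabet s->t)
    does not count as one run.
    """
    a, b = a.lower(), b.lower()
    if (a.isalpha() and b.isalpha()) or (a.isdigit() and b.isdigit()):
        d = ord(b) - ord(a)
        if d in (1, -1):
            return ("alnum", d)
    for row in QWERTY_ROWS:
        if a in row and b in row:
            d = row.index(b) - row.index(a)
            if d in (1, -1):
                return ("qwerty", d)
    return None


def sequence_positions(word, min_run=3):
    """Return indices of characters that only continue a sequence."""
    discounted = set()
    n = len(word)
    for stride in (1, 2):  # stride 2 catches interleaved sequences
        for i in range(n):
            if i + stride >= n:
                break
            kind = _step(word[i], word[i + stride])
            if kind is None:
                continue
            j = i + stride
            while j + stride < n and _step(word[j], word[j + stride]) == kind:
                j += stride
            if (j - i) // stride + 1 >= min_run:
                discounted.update(range(i + stride, j + 1, stride))
    return discounted


def char_classes(word):
    """Character classes present: upper, lower, digit, symbol."""
    classes = set()
    for c in word:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def score_word(word, class_bonus=True):
    skip = sequence_positions(word)
    unique = {c.lower() for i, c in enumerate(word) if i not in skip}
    score = len(unique)
    if class_bonus:
        classes = char_classes(word)
        if not classes <= {"upper", "lower"}:  # letters-only words get no boost
            score *= len(classes)
    return score


def score_password(password, class_bonus=True):
    """Product of the per-word scores; 0 for an empty password."""
    words = [w for w in SEPARATORS.split(password) if w]
    if not words:
        return 0
    score = 1
    for w in words:
        score *= score_word(w, class_bonus)
    return score


if __name__ == "__main__":
    for pw in ("abc", "aaa", "this is fun", "J4fS<2", "abcdefgh", "a1b2c3d4",
               "mathematically", "Mathematically",
               "i loved what i had for breakfast"):
        print(f"{pw!r:38} {score_password(pw, class_bonus=False):6} "
              f"{score_password(pw):6}")
```

With the class multiplier on, "a1b2c3d4" moves from 2 to 4 (two classes) while "Mathematically" stays at 9, which is the behaviour the last paragraph asks for. The sequence detector only discounts runs of three or more, so two-letter neighbours such as the "hi" in "this" still count, which is what keeps "this" at 4. The post's own caveat stands: none of this measures how guessable a word is, so a long dictionary word still scores well, and meters used in production pair pattern detection like this with a frequency-ranked list of common passwords rather than relying on character counting alone.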