More importantly, why isn't SSO being used instead?

And in the rare case that authorization depends on discrete authentication,
what is the password being used for?



If it's a *bank password*, then J4fS<2 is terribly insecure.

He has it written in his wallet.
(My bank requires a short (6 min, 8 max) password with randomness.
My muscle memory knows how to type it on a 100% full-sized QWERTY keyboard
but I don't actually remember what it is, just how my fingers move.
For the times when I'm mobile or using an 80% size keyboard
I have to reach in to find it)

Actually, all bank passwords are meaningless because every bank I've ever
used asks the same 4 questions.
A quick Google search reveals that on Facebook he's listed his mother's
maiden name.
His Google profile shows that he's from Newport.
He just tweeted a pic of Spot, his dog.



If it's a *corporate password*, J4fS<2 is terribly insecure.

She has it written on a sticky on her monitor.
It's also in the meeting room whiteboard.
(Just go to a user-group meeting hosted at a medium-sized business some
time)

Generally speaking, you can just call the secretary, say that you lost your
sticky with the IT guy's number.
Wait until the end of the month and then call the IT guy and tell him that
you got locked out trying to put in Thursday's password after you were
forced to reset it Friday and forgot it over the weekend.



If it's *e-mail*, the strength of the password is incredibly important, but
J4fS<2 might work because it is typed every few days... just difficult to
type on a mobile device.

With the e-mail password you can get the plain-text password sent to you
from any blog or like account.
Then you can log into the bank account as well - even if you are too lazy
for a quick Google search.
Furthermore, you can lock the user out so that she can't reset her bank
password.


The strongest password is one that you don't write down or give out.
Mathematically fits the bill in my book.

AJ ONeal


On Sat, Apr 16, 2011 at 12:41 PM, Shane Hathaway <sh...@hathawaymix.org> wrote:

> On 04/16/2011 08:40 AM, AJ ONeal wrote:
>
>> This is near and dear to my heart so I had to evangelize:
>> http://www.baekdal.com/tips/password-security-usability
>>
>
> I want to include this idea in the password meters I create for web
> applications.  I need a better password scoring algorithm.  I don't want to
> *require* any minimum password complexity (other than a minimum password
> length), but I do want to help the user choose a good password.
>
> Would it be reasonable to score based on the number of unique characters in
> the password?
>
>  - "abc" gets 3
>  - "aaa" gets 1
>  - "this is fun" gets 8
>  - "J4fS<2" gets 6
>  - "abcdefgh" gets 8
>
> This was OK until I got to "abcdefgh", which should have a very low score.
>  Maybe I could fix that by not increasing the score for obvious character
> sequences (either alphabetical or QWERTY-style).  Then "a1b2c3d4" would
> still get too high a score, which I might fix by detecting interleaved
> sequences as well.
>
> What about long words?  The word "mathematically" has 14 characters and
> would score 9 using the unique character count algorithm, but any dictionary
> word is quite insecure.  I can't just look for words in a dictionary, since
> names and foreign words are equally insecure, so it would be unreasonable to
> compile a list of all common words worldwide.
>
> Maybe the algorithm should look for word separators like spaces and dashes,
> then score each word separately and multiply the scores of all the words.
>  Combining that with sequence detection:
>
>  - "abc" gets 1
>  - "aaa" gets 1
>  - "this is fun" gets 4 * 2 * 3 = 24
>  - "J4fS<2" gets 6
>  - "abcdefgh" gets 1
>  - "a1b2c3d4" gets 2
>  - "mathematically" gets 9
>  - "i loved what i had for breakfast" gets 1*5*4*1*3*3*8 = 1440
>
> This is looking better, but I still want "J4fS<2" to get a higher score
> than "mathematically".  Maybe the algorithm should multiply the word score
> by the number of character classes it contains.  "J4fS<2" contains 4
> character classes (upper case, lower case, digit, and symbol), so it gets a
> score of 6 * 4 = 24.  OTOH, "Mathematically" would then get 18, so if a word
> contains only letters, I don't want to boost that word's score.
>
> Does anyone have better suggestions?  Or better... a complete password
> scoring algorithm? :-)
>
> Shane
>

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
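The scoring scheme Shane sketches above (unique characters per word, runs of obvious alphabetical or keyboard sequences collapsed, interleaved runs caught at stride 2, a character-class multiplier for words that are not pure letters, word scores multiplied) written out as an added Python example; this is not code from the thread, and the choice that a run only counts once three characters line up is an assumption made so that his hand-computed values are reproduced.

```python
import re
import string

# Sequences whose neighbouring characters count as an "obvious" step
# (alphabet, digits, and the three QWERTY letter rows).
SEQUENCES = [string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _step(a, b):
    """(sequence index, direction) if b is one step from a in a sequence, else None."""
    a, b = a.lower(), b.lower()
    for n, seq in enumerate(SEQUENCES):
        i, j = seq.find(a), seq.find(b)
        if i != -1 and j != -1 and abs(i - j) == 1:
            return (n, j - i)
    return None


def _continuations(word):
    """Positions that merely continue a run of three or more sequence steps.

    Stride 1 catches "abcdefgh"; stride 2 catches interleaved runs like "a1b2c3d4".
    The first character of a run is kept, every later one is marked (assumption).
    """
    marked = set()
    for s in (1, 2):
        for p in range(s, len(word)):
            step = _step(word[p - s], word[p])
            if step is None:
                continue
            before = p - 2 * s >= 0 and _step(word[p - 2 * s], word[p - s]) == step
            after = p + s < len(word) and _step(word[p], word[p + s]) == step
            if before or after:
                marked.add(p)
    return marked


def word_score(word):
    """Unique characters not explained by a run; mixed words get a class multiplier."""
    skip = _continuations(word)
    score = len({c for p, c in enumerate(word) if p not in skip})
    classes = sum(any(f(c) for c in word) for f in
                  (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()))
    return score if word.isalpha() else score * classes


def password_score(password):
    """Split on spaces/dashes/underscores and multiply the word scores."""
    words = [w for w in re.split(r"[\s\-_]+", password) if w]
    total = 1 if words else 0
    for w in words:
        total *= word_score(w)
    return total
```

With these rules "a1b2c3d4" scores 2 from the sequence step and then 4 after the lower/digit class multiplier; the numbers are a nudge for users, not an entropy estimate.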
