Ineiev wrote:

> pwgen -1 -s 8 10000|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done
> |grep ^OK|wc -l
>
> 8698

Because traditional passwords were often eight characters we still often pick passwords that are eight characters long. So 87% of random passwords will be accepted. 13% will not! That still seems to be a fairly high rejection rate to me.

> pwgen -1 -s 9 10000|while read i;do echo $i|pwqcheck -1 min=24,24,11,8,7;done
> |grep ^OK|wc -l
>
> 9334

By pushing one more character to nine we are down to a 7% rejection rate. That still isn't great. But it is significantly better than the 13% of eight characters. And that is just randomly generated. People thinking up characters will not produce random enough output. Some people will always think up ones in the accepted set. Some people will always think up ones in the rejected set. Because people are poor entropy generators.

> Of course, an independent generator will produce some passwords
> that don't pass pwqcheck criteria, but IMHO the results
> are reasonable (provided the goal is to eliminate weak passwords
> rather than to accept all pwgen-generated ones).

I had two goals with my message. One is that I think the rejection rate (which you so nicely determined experimentally as 13%, thank you) is quite high, too high, using pwqcheck, and I would like to reduce it. Two is that pwqcheck is just one way of checking the plain text of a password. I can only believe that there has been a lot of energy expended looking at this task in projects worldwide and that there may be a better way of ensuring strong passwords. I have looked at the problem previously but don't have a great answer. People tend to create poor passwords, and if you try to educate them to produce better ones then they become frustrated that it is too much work. I put the question out there hoping that someone would already know a nice way to do this and then we might incorporate it into the Savannah site. Nothing ventured then nothing gained.

Bob
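The measurement in the thread, extended across several password lengths so the falling rejection rate can be seen in one run. This is an added example, not code from the thread or from passwdqc; it assumes `pwqcheck` is installed, and it stands in for pwgen with a `secrets`-based generator that, like pwgen's default `-c`/`-n` behaviour, forces at least one capital letter and one digit into every candidate.

```python
"""Measure how often random letter/digit passwords fail pwqcheck,
for a range of lengths, with the same pwqcheck settings as the thread."""
import secrets
import string
import subprocess
from typing import Callable, Dict, Iterable

# pwgen -s draws from letters and digits; by default pwgen also insists on
# at least one capital and one digit, which we mimic so the candidates
# resemble its output (assumption: your pwgen runs with those defaults).
ALPHABET = string.ascii_letters + string.digits
PWQCHECK_OPTS = ["-1", "min=24,24,11,8,7"]   # identical to the thread


def generate_password(length: int) -> str:
    """One random password of `length` letters/digits containing
    at least one uppercase letter and at least one digit."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def pwqcheck_ok(password: str) -> bool:
    """Feed one password to `pwqcheck -1`; True iff its verdict is 'OK'.
    Raises FileNotFoundError when pwqcheck is not installed."""
    proc = subprocess.run(["pwqcheck", *PWQCHECK_OPTS],
                          input=password + "\n", text=True,
                          capture_output=True, check=False)
    return proc.stdout.startswith("OK")


def rejection_rate(passwords: Iterable[str],
                   check: Callable[[str], bool] = pwqcheck_ok) -> float:
    """Fraction of `passwords` that `check` rejects (0.0 .. 1.0).
    `check` is injectable so the logic can be tested without pwqcheck."""
    pws = list(passwords)
    rejected = sum(1 for pw in pws if not check(pw))
    return rejected / len(pws)


def sweep(lengths: Iterable[int], samples: int,
          check: Callable[[str], bool] = pwqcheck_ok) -> Dict[int, float]:
    """Rejection rate per password length, `samples` candidates each."""
    return {n: rejection_rate((generate_password(n) for _ in range(samples)),
                              check) for n in lengths}


if __name__ == "__main__":
    for n, rate in sweep(range(8, 13), 10000).items():
        print(f"length {n:2d}: {rate:6.2%} rejected")
```

Rates will differ slightly from the 13% and 7% quoted above because the generator is not pwgen itself and each run draws fresh random candidates.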
