First, I want to thank everyone who had advice and comments on my
previous password complexity vs. length post.
I'm trying to come up with an easier way for my users to create secure
(but memorable) passwords. In the past I specified some complexity rules
requiring lowercase, uppercase, numbers, and symbols, no dictionary
words, can't be your birthday, etc. etc. However, my users have been
complaining that they had trouble both making and remembering these. (Sad
to say the previous administrator let them do whatever they wanted in this
area, leading to some shockingly bad passwords.)
After reading all I could find on the subject and doing some testing
with LC4 from @Stake, I've come up with the following solution, on which
I'd like some comments. First, I set all the computers on the network to
use NTLMv2 exclusively, refusing LM and NTLM responses, so that I shouldn't
have to worry about the 7/14 character hash problem intrinsic in LM or the
encryption length weakness in original NTLM. Second, I've written an
application in Java (a first for me, especially the OOP part; I learned to
program back in the dawn of time circa the late 80's, didn't think Fortran or
Commodore BASIC would be a good choice though, *grin*). Basically this
program does two things (which I haven't been able to find in any other
products, and believe me I looked, why reinvent the wheel?). First, it can
generate random passwords (which other programs can do, but not with this
kind of granularity) by allowing you to specify how many of which kind of
five types of characters (lowercase, uppercase, numbers, symbols, and
Windows extended ASCII accessed with the Alt key). Second, the program can
check user-entered passwords in a text box (although not the extended
ASCII; couldn't figure out how to make the text box allow you to type them
in). Third, and most importantly, I created a scoring system so that
passwords of various types can be compared. I'm interested to know what
you all think of it, so I'm going to list it below. Each character is
scored separately, then some penalties are applied.
lowercase=26 points
uppercase=52 points
number=62 points
symbol=94 points
EXT ASCII=144 points
any password that doesn't have lowercase divide by 1.25
ditto for each of the other types
any password that doesn't have one from each category is divided by 2
I felt a good standard Windows password would have 1 lower, 2 upper, 2
numbers, 1 symbol, and one EXT ASCII, so I added 8 points to make this a
nice number, 500 (instead of 492).
Search the string and subtract half points for each character that is part
of a dictionary word or common name.
Here are some examples so this all makes sense:
gf04TC: 500 points
password: -71 points
B3acH_L0ver2: 460 points
theusgotbeatbygermany: 2 points
don't-want-to-WORK: 290 points
VX.24tf: 307 points
SO2+nose=BAD_SMELL4ME: 603 points
Basically the idea is so that you can just set a minimum point total
and pretty much just let your users make whatever they want. I feel 500
is a good amount for a windows password. Comments anyone?
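The scoring rules laid out in the post, implemented as an added Python example (this is not the poster's Java program, and the tiny wordlist in it is constructed for the demo). It assumes "EXT ASCII" means character codes 128 through 255 (the Alt-key range on Windows), treats whitespace and control characters as unscored, and applies the penalties in the order the post lists them: one division by 1.25 per missing category, a further division by 2 if any category is missing, then the flat +8 adjustment. Note that a literal reading of the rules does not reproduce the post's example totals (gf04TC can score at most 288 before the symbol and extended-ASCII penalties, so it cannot reach 500), so the code follows the rule wording rather than the example figures.

```python
import string

# Per-character points exactly as stated in the post.
POINTS = {"lower": 26, "upper": 52, "digit": 62, "symbol": 94, "ext": 144}

# Constructed toy wordlist for the demo; a real deployment would load a
# dictionary and common-name file instead.
DICTIONARY = {"password", "beach", "lover", "work", "nose", "bad",
              "smell", "germany", "got", "beat"}


def classify(ch):
    """Map one character to a scoring category, or None if it is unscored."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if 128 <= ord(ch) <= 255:          # assumption: Windows extended ASCII range
        return "ext"
    if ch.isprintable() and not ch.isspace():
        return "symbol"
    return None                        # whitespace / control: not scored


def dictionary_positions(pw, words=DICTIONARY, min_len=3):
    """Return the set of character indexes covered by any dictionary word.

    Matching is a case-insensitive substring search, so leet-speak spellings
    such as 'L0ver' are NOT caught; that is a known gap in this simple check.
    """
    low = pw.lower()
    covered = set()
    for w in words:
        if len(w) < min_len:           # ignore very short words (assumption)
            continue
        start = 0
        while True:
            i = low.find(w, start)
            if i < 0:
                break
            covered.update(range(i, i + len(w)))
            start = i + 1
    return covered


def score(pw, words=DICTIONARY):
    """Score a password with the post's rules; returns a float rounded to 0.1."""
    covered = dictionary_positions(pw, words)
    present = set()
    total = 0.0
    for i, ch in enumerate(pw):
        kind = classify(ch)
        if kind is None:
            continue
        present.add(kind)
        pts = POINTS[kind]
        if i in covered:
            pts -= pts / 2             # "subtract half points" for dictionary characters
        total += pts
    for kind in POINTS:                # divide by 1.25 once per missing category
        if kind not in present:
            total /= 1.25
    if present != set(POINTS):         # extra /2 if any category is missing
        total /= 2
    total += 8                         # the +8 "nice number" adjustment
    return round(total, 1)


def meets_minimum(pw, minimum=500):
    """Policy check: accept any password whose score reaches the minimum."""
    return score(pw) >= minimum


if __name__ == "__main__":
    # "aBC12!\u00e9" is the post's reference mix: 1 lower, 2 upper, 2 digits,
    # 1 symbol, 1 extended-ASCII character (e-acute, code 233).
    for candidate in ["aBC12!\u00e9", "aBC12!e", "password", "B3acH_L0ver2"]:
        print(f"{candidate!r}: {score(candidate)} points, "
              f"accepted={meets_minimum(candidate)}")
```

The reference mix scores exactly 492 + 8 = 500 under these rules, and dropping the extended-ASCII character from it costs the 1.25 and 2 penalties rather than just 144 points, which is the effect the post is after. The substring dictionary check is the weak spot: "B3acH_L0ver2" passes it untouched, so a real wordlist check would need to normalise common substitutions before searching.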