I like the scoring idea, but there are actually programs that will allow you to decide how many lowercase, uppercase, and special characters will be used in a randomly generated password.
I can't find the link to the one I saw recently, but it was written by some German guy.

Daniel

> -----Original Message-----
> From: Chris Berry [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 12, 2002 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: Password Scoring
>
> First, I want to thank everyone who had advice and comments on my previous password complexity vs. length post.
>
> I'm trying to come up with an easier way for my users to create secure (but memorable) passwords. In the past I specified some complexity rules requiring lowercase, uppercase, numbers, and symbols, no dictionary words, can't be your birthday, etc. etc. However my users have been complaining that they had trouble both making and remembering these. (Sad to say the previous administrator let them do whatever they wanted in this area, leading to some shockingly bad passwords.)
>
> After reading all I could find on the subject and doing some testing with LC4 from @Stake, I've come up with the following solution, on which I'd like some comments. First I set all the computers on the network to use NTLMv2 exclusively, refusing LM and NTLM responses, so that I shouldn't have to worry about the 7/14 character hash problem intrinsic in LM or the encryption length weakness in original NTLM. Second, I've written an application in JAVA (a first for me, especially the OOP part; I learned to program back in the dawn of time circa late 80's, didn't think Fortran or Commodore BASIC would be a good choice though, *grin*). Basically this program does two things (which I haven't been able to find in any other products, and believe me I looked, why reinvent the wheel?)
>
> First, it can generate random passwords (which other programs can do, but not with this kind of granularity) by allowing you to specify how many of which kind of five types of characters (lowercase, uppercase, numbers, symbols, and Windows extended ASCII accessed with the Alt key). Second, the program can check user-entered passwords in a text box (although not the extended ASCII; couldn't figure out how to make the text box allow you to type them in). Third, and most importantly, I created a scoring system so that passwords of various types can be compared. I'm interested to know what you all think of it, so I'm going to list it below. Each character is scored separately, then some penalties are applied.
>
> lowercase = 26 points
> uppercase = 52 points
> number = 62 points
> symbol = 94 points
> EXT ASCII = 144 points
>
> any password that doesn't have lowercase: divide by 1.25
> ditto for each of the other types
> any password that doesn't have one from each category is divided by 2
> I felt a good standard Windows password would have 1 lower, 2 upper, 2 numbers, 1 symbol, and one EXT ASCII, so I added 8 points to make this a nice number, 500 (instead of 492).
> search the string and subtract half points for each character that is part of a dictionary word or common name.
>
> Here are some examples so this all makes sense
>
> gf04TC: 500 Points
> password: -71 Points
> B3acH_L0ver2: 460 Points
> theusgotbeatbygermany: 2 Points
> don't-want-to-WORK: 290 Points
> VX.24tf: 307 Points
> SO2+nose=BAD_SMELL4ME: 603 Points
>
> Basically the idea is so that you can just set a minimum point total and pretty much just let your users make whatever they want. I feel 500 is a good amount for a Windows password. Comments anyone?
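The scoring rules quoted above, implemented in Python as an added example for this thread; this is not Chris Berry's Java program and not code from the list. It assumes an order for the penalties (missing-class divisions first, then the halving when any class is absent, then the dictionary subtraction), leaves out the +8 adjustment, treats any character above 0x7F as "EXT ASCII", and uses a small constructed word list in place of a dictionary/common-name file. The totals in the quoted examples cannot be reproduced from the rules as written, so the numbers this code produces reflect this reading of the rules, not the original program's output.

```python
import string

# Per-character points, as listed in the quoted message.
CLASS_POINTS = {
    "lower": 26,
    "upper": 52,
    "digit": 62,
    "symbol": 94,
    "ext": 144,
}

# Constructed stand-in for a dictionary / common-name list (assumption).
DICTIONARY = ("password", "beach", "lover", "work", "nose", "bad", "smell")


def char_class(ch):
    """Map one character to one of the five classes in the message."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ord(ch) > 0x7F:          # assumption: non-ASCII == "Windows extended ASCII"
        return "ext"
    return "symbol"             # punctuation, space, anything else printable


def dictionary_chars(password, words=DICTIONARY):
    """Indices of characters that are part of any dictionary word (case-insensitive).
    Overlapping matches are counted once, because the penalty is per character."""
    low = password.lower()
    covered = set()
    for word in words:
        start = 0
        while True:
            i = low.find(word, start)
            if i < 0:
                break
            covered.update(range(i, i + len(word)))
            start = i + 1
    return covered


def score(password, words=DICTIONARY):
    """Score a password with the quoted rules; penalty order is an assumption."""
    classes = [char_class(c) for c in password]
    total = float(sum(CLASS_POINTS[c] for c in classes))
    present = set(classes)

    # "any password that doesn't have <class>: divide by 1.25", once per missing class
    for cls in CLASS_POINTS:
        if cls not in present:
            total /= 1.25

    # "any password that doesn't have one from each category is divided by 2"
    if present != set(CLASS_POINTS):
        total /= 2

    # "subtract half points for each character that is part of a dictionary word"
    total -= sum(CLASS_POINTS[classes[i]] / 2 for i in dictionary_chars(password, words))

    return round(total)


def meets_minimum(password, threshold=500, words=DICTIONARY):
    """The policy check the message proposes: a single minimum point total."""
    return score(password, words) >= threshold


if __name__ == "__main__":
    for pw in ("gf04TC", "password", "B3acH_L0ver2", "SO2+nose=BAD_SMELL4ME", "Xq7$\u00c4"):
        print(f"{pw!r:28} {score(pw):5d}  passes 500? {meets_minimum(pw)}")
```

Running it shows the behaviour a reviewer of the scheme would want to see before adopting it: a full-class five-character string such as `Xq7$Ä` scores 378 while a twenty-one character string with a dictionary word in it scores far less, so the minimum-total knob rewards character classes much more than it rewards length. Plugging in a real word list for `DICTIONARY` and checking your own existing password set against the threshold is the quickest way to see where the cut-off lands.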