Hi Tauren,

I don't have any code for this, but one example I'm happy with that I think is an 'ideal' to base code upon is Passpack's (http://www.passpack.com) password functionality. Passpack is an online password manager that allows you to create (and maintain) very complex passwords without having to remember them (side note: I'm not affiliated in any way with Passpack - I'm just a happy end-user).

Unfortunately they don't make their strength indicator algorithms available, but I suggest that you take a look at their UI for ideas.

Anyway, when generating a password, you can choose 1 or more character groups (lowercase chars, uppercase chars, punctuation, etc) and a length. Based on the number of character groups you've chosen and the length you've specified, their strength indicator changes color (red:bad -> yellow:ok -> green:good). To me, this is much nicer and easier to manage than depending upon, say, some crazy regular expression. I would venture that creating an algorithm based on length + # of character groups wouldn't be too hard.

I'd _love_ for this to be in Shiro - perhaps encapsulating these kinds of checks plus some help with hashing passwords. Perhaps a new PasswordService?

Anyway, I'll probably need to support something like this myself in the not too distant future, so I'd be happy to collaborate with anyone if they have any ideas. Of course, patches to Shiro are very welcome!

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

P.S. We are also using Hibernate Validator at Katasoft as the implementation supporting JSR-303 bean validation annotations. (Note to those not familiar with it - it does not require Hibernate for persistence - it is a separate project by the Hibernate team). I've really enjoyed using it - especially since Spring supports it!
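
An added example, not part of the message above and not Shiro or Passpack code: one way to implement the "length + # of character groups" indicator in Java. The class name, the group sizes and the 40/70-bit color thresholds are assumptions, and the bit estimate is an upper bound that holds only for randomly generated passwords, not human-chosen ones.

```java
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical helper; not an Apache Shiro or Passpack class. */
public class PasswordStrengthMeter {

    /** Character groups and the alphabet size each one contributes to the pool. */
    enum Group {
        LOWER(26), UPPER(26), DIGIT(10), PUNCTUATION(33), OTHER(64); // OTHER size is a rough assumption
        final int size;
        Group(int size) { this.size = size; }

        static Group of(int cp) {
            if (cp >= 'a' && cp <= 'z') return LOWER;
            if (cp >= 'A' && cp <= 'Z') return UPPER;
            if (cp >= '0' && cp <= '9') return DIGIT;
            if (cp >= 0x20 && cp < 0x7f) return PUNCTUATION; // remaining printable ASCII, space included
            return OTHER;                                    // non-ASCII and control characters
        }
    }

    enum Rating { RED, YELLOW, GREEN }

    static Set<Group> groupsIn(CharSequence password) {
        Set<Group> groups = EnumSet.noneOf(Group.class);
        password.codePoints().forEach(cp -> groups.add(Group.of(cp)));
        return groups;
    }

    /** length * log2(pool size), where the pool is the union of the groups present. */
    static double estimatedBits(CharSequence password) {
        int pool = groupsIn(password).stream().mapToInt(g -> g.size).sum();
        long length = password.codePoints().count();
        return pool == 0 ? 0 : length * (Math.log(pool) / Math.log(2));
    }

    /** Maps the estimate onto red/yellow/green; the cut-offs are assumed values. */
    static Rating rate(CharSequence password) {
        double bits = estimatedBits(password);
        if (bits < 40) return Rating.RED;
        if (bits < 70) return Rating.YELLOW;
        return Rating.GREEN;
    }

    public static void main(String[] args) {
        // Constructed sample passwords, for illustration only.
        for (String pw : new String[] {"kitten", "Kitten2010", "c8#Rv!q2Lm$Zx9@T"}) {
            System.out.printf("%-18s groups=%s bits=%.1f -> %s%n",
                    pw, groupsIn(pw), estimatedBits(pw), rate(pw));
        }
    }
}
```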
