RE: Password Quality checker

["David Gillett" <gillettdavid () fhda edu>]

  Because javascript runs in the browser on the client side, you
cannot absolutely rely on it to do input validation -- and under
NO circumstances should you rely on it for *authentication*!

David Gillett


> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Arun Bhaskar
> Sent: Friday, December 29, 2006 2:35 AM
> To: Johnny Wong
> Cc: security-basics () securityfocus com
> Subject: Re: Password Quality checker
>
> Hi Johnny,
>
> You can try using javascript functions to validate input 
> (i.e. user passwords ) in a text field based on your password 
> complexity requirements and  put the page on your internal web server.
>
> Regards,
> Arun Bhaskar Kondoth
>
> Johnny Wong wrote:
> > Hello Nic,
> >
> > Thanks for the reply. I was looking for a tool for users to check 
> > whether the passwords they choose meet the organization's 
> policy. Not 
> > a tool to test the strength of the existing passwords. Most 
> likely a 
> > web portal for them to enter the "potential" password, and 
> the portal 
> > will determine whether it meets the standards.
> >
> > Rgds,
> > JW
> >
> > At 08:48 AM 26/12/2006, Nic Stevens wrote:
> > > You cannot check the quality of "Unix/Linux" passwords as it's a 
> > > one-way encryption so it must be done at the time the user 
> (or admin) 
> > > sets the password. With PAM based authentication on *nix there are 
> > > ways of enforcing stronger passwords standards than the default.
> > > As far as Windows goes I have no experience with security.
> > >
> > > -Nic
> > >
> > >
> > > Johnny Wong wrote:
> > > > Hello all,
> > > >
> > > > I was wondering if your organization deploys any password quality 
> > > > checking tool to help users select policy-compliant 
> passwords? Be it 
> > > > web-based or client based. I am thinking what type of 
> requirements 
> > > > do you use to select such tools, and what are the 
> examples out there?
> > > > My thoughts:
> > > > 1) It should not store the user's passwords (be it pass or fail)
> > > > 2) It should be able to handle complexity rules (or align with 
> > > > Windows GPO)
> > > > 3) It should also work with Unix/Linux passwords
> > > >
> > > > Thanks,
> > > > JW
> > >
> > >
> > > --
> > > Captiain! We've been hit. The only damage so far is the 
> self-destruct 
> > > mechanism which, apparently has destroyed itself.