Security Basics mailing list archives
RE: Password Quality checker
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 2 Jan 2007 09:25:32 -0800
Because javascript runs in the browser on the client side, you cannot absolutely rely on it to do input validation -- and under NO circumstances should you rely on it for *authentication*! David Gillett
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Arun Bhaskar Sent: Friday, December 29, 2006 2:35 AM To: Johnny Wong Cc: security-basics () securityfocus com Subject: Re: Password Quality checker Hi Johnny, You can try using javascript functions to validate input (i.e. user passwords ) in a text field based on your password complexity requirements and put the page on your internal web server. Regards, Arun Bhaskar Kondoth Johnny Wong wrote:Hello Nic, Thanks for the reply. I was looking for a tool for users to check whether the passwords they choose meet the organization'spolicy. Nota tool to test the strength of the existing passwords. Mostlikely aweb portal for them to enter the "potential" password, andthe portalwill determine whether it meets the standards. Rgds, JW At 08:48 AM 26/12/2006, Nic Stevens wrote:You cannot check the quality of "Unix/Linux" passwords as it's a one-way encryption so it must be done at the time the user(or admin)sets the password. With PAM based authentication on *nix there are ways of enforcing stronger passwords standards than the default. As far as Windows goes I have no experience with security. -Nic Johnny Wong wrote:Hello all, I was wondering if your organization deploys any password quality checking tool to help users select policy-compliantpasswords? Be itweb-based or client based. I am thinking what type ofrequirementsdo you use to select such tools, and what are theexamples out there?My thoughts: 1) It should not store the user's passwords (be it pass or fail) 2) It should be able to handle complexity rules (or align with Windows GPO) 3) It should also work with Unix/Linux passwords Thanks, JW-- Captiain! We've been hit. The only damage so far is theself-destructmechanism which, apparently has destroyed itself.
Current thread:
- RE: Password Quality checker David Gillett (Jan 02)