aC forum: Password audit?

Post #3 by kthomas

kthomas — Wed, 30 Jul 2008 18:47:44 CDT

Yeah, I recently had to "re-register" for the UCB alumni site, and not only did it give me a new (entirely random characters) username, it forced a 10-character minimum password with requirements for letters, numbers, caps and non-caps, etc. What a burden for a site I log into once every two months!

In this case, mostly what I was looking for, after having one "break in," was a simple audit for passwords that were too obvious (clients' first initial plus last name), or duplicate passwords across the same company (the final I can check manually, of course).

I'm all for education, but given a client base with multiple employees with various levels of experience, it's clear to me that few are going to use something like the MS tool.

Now OpenID... openID... OpenID... !

Post #2 by Ilija Studen

Ilija Studen — Wed, 30 Jul 2008 00:28:10 CDT

To check whether user passwords are strong enough? No, there is not. Existing passwords cannot be extracted because they are digested with sha1.

What you can do is to tell your user what makes a good password and than point them to one of many password checker websites (here's one by Microsoft) to test strength of their password.

Just a couple of days ago I had a discussion with a friend and she told me that it was hard for her to figure out a password that was strong enough to pass some stupid registration form. Some techie thought it was super important to hassle her about here password before she even used the system. I told her how I make passwords - I pick an object I bought, name it, than add it's price and finally one of its obvious properties. For instance:

iMac189Kwhite24

Now copy that password and check it with Microsoft password checker. Maybe that can help....

Post #1 by kthomas

kthomas — Tue, 29 Jul 2008 21:30:31 CDT

Is there a simple way to conduct password security audits?