Password quality algorithm

By lal ·
To improve the authentication process to access an application, I am looking for examples of password quality algorithms to use for password generation and changing. That is, each user could be assigned a minimum password quality value, such that a new password would have to meet or exceed that quality scale value to be accepted.
Lotus Notes has a process very much along this line. However, there are no details on how the quality algorithm is designed. Factors which would increase password quality might include password length, mixed case, numeric and special characters, etc. Any suggestions?

10 total posts (Page 1 of 1)  
Password quality algorithm

by Joseph Moore In reply to Password quality algorith ...

Well, my suggestion is for you to read about the Windows password complexity filter:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q161990
(please remove any spaces)

hope this helps

Password quality algorithm

by lal In reply to Password quality algorith ...

Question was specific to algorithms such as that in Lotus Notes - which specifically assign a quality value to a password - not simply a password filter.

Password quality algorithm

by MadMark In reply to Password quality algorith ...

For examples of algorithms you'd have to get into discussions with programmers and authors. It's unlikely that IBM/Lotus would divulge much, since these are the keys to their kingdom. Try poking around some of the university websites. I found a lot there, but I'm no programmer. Searches on YAHOO and GOOGLE turned up quite a bit.

Here's a good short article that mentions PASSPROP, a command line tool. Check it out:
http://www.microsoft.com/ntserver/techresources/security/password.asp

And some good info from SANS on W2K and forcing complex passwords using group policies:
http://rr.sans.org/win2000/group_policy.php

Password quality algorithm

by lal In reply to Password quality algorith ...

Question was specific to algorithms such as that in Lotus Notes - which specifically assign a quality value to a password - not simply a password filter.

Password quality algorithm

by James R Linn In reply to Password quality algorith ...

Rules we use:

Minimum 8 characters
At least one of each: Alpha Character, Numeric Character, Special Character
At least one upper case Alpha, and one lower case Alpha
No whole words that are found in a dictionary (create your own, add acronyms from your company)

James

Password quality algorithm

by lal In reply to Password quality algorith ...

Question was specific to algorithms such as that in Lotus Notes - which specifically assign a quality value to a password - not simply a password filter.

Password quality algorithm

by SciFiMan In reply to Password quality algorith ...

I agree with James for best practice rules. If your users balk at anything too complex, however, remind them with examples that passwords can be secure and memorable if they use their imagination:
four8two
duckS4Soup
Dirt2wallS
bird8WORM

And of course the typical substitution schemes of using something like $ instead of an S, or ! instead of 1's. If your application can't do dictionary checks, have it generate a couple of random ones for them to choose that don't violate your rules. If one of them is memorable enough, users will often choose it as the path of least resistance and avoid thinking too hard.

Password quality algorithm

by lal In reply to Password quality algorith ...

Question was specific to algorithms such as that in Lotus Notes - which specifically assign a quality value to a password - not simply a password filter.

Password quality algorithm

by borco In reply to Password quality algorith ...

Some helpful info about the design of the Lotus password quality algorithm can be found at
http://www-10.lotus.com/ldd/today.nsf/lookup/sep2001

I agree with James, basic rules.
Disagree with dmccarthy. The substitution which he suggests is snake oil. A dictionary attack solves it! But it is true, good substitution can help, such as ~ instead of a and g instead of 1's. The dictionary attack cannot solve Caesar encryption :-)

Password quality algorithm

by lal In reply to Password quality algorith ...

The Notes reference was the basis for my question - not an answer. I was asking for examples of algorithms used in implementations such as Notes.
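
An added example, not a post from this thread and not the Lotus Notes algorithm (the thread gives no details of its design): one way to assign a quality value from the factors named in the question (length, mixed case, numeric and special characters) plus the dictionary rule, undoing common substitutions such as $ for S before the dictionary check. The 0 to 100 scale, the 80-bit ceiling, the word list, the substitution table and all function names are assumptions.

```python
import math
import string

# Constructed sample list; in practice load a full dictionary plus company acronyms.
DICTIONARY = {"password", "duck", "soup", "dirt", "wall", "bird", "worm", "acme"}
# Constructed, partial substitution table, undone before the dictionary check.
LEET = str.maketrans({"$": "s", "!": "i", "1": "l", "0": "o", "3": "e", "4": "a", "@": "a"})
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def dictionary_chars(password: str) -> int:
    """Count characters covered by dictionary words once substitutions are undone."""
    text = password.lower().translate(LEET)
    covered = [False] * len(text)
    for word in DICTIONARY:
        start = text.find(word)
        while start != -1:
            covered[start:start + len(word)] = [True] * len(word)
            start = text.find(word, start + 1)
    return sum(covered)


def quality(password: str) -> int:
    """Return a quality value from 0 to 100 (assumed scale)."""
    if not password:
        return 0
    # Size of the alphabet an attacker must search, from the classes actually used.
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password)) or 32
    # A character inside a dictionary word earns a quarter of the normal credit.
    effective = len(password) - 0.75 * dictionary_chars(password)
    # Long runs of a few repeated characters earn no extra credit.
    effective = min(effective, 2 * len(set(password)))
    bits = effective * math.log2(pool)
    return min(100, round(bits * 100 / 80))  # assumed: 80 estimated bits scores 100


def accept(password: str, required: int) -> bool:
    """Accept a new password only if it meets the user's assigned minimum quality."""
    return quality(password) >= required


if __name__ == "__main__":
    for pw in ("password", "P@$$w0rd", "bird8WORM", "tG7#qLz9!vXp"):
        print(f"{pw!r}: quality {quality(pw)}, accepted at 60: {accept(pw, 60)}")
```

With these assumed weights, a dictionary word dressed up with substitutions scores only slightly above the plain word, while a 12-character password with no dictionary content scores near the top of the scale.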
