On 5/8/07, geni geniice@gmail.com wrote:
> On 5/8/07, Joe Szilagyi szilagyi@gmail.com wrote:
> > Would it be overkill from the perspective of the number of users/scope of users to implement something that checked the strength of passwords as entered? Some websites feature tools that report on the perceived strength of your password as entered, typically from weak to decent to moderate to good to strong, or similar wording.
> > Perhaps something like that, with the Wikimedia software having an option to simply refuse acceptance of anything less than 'moderate' value? You can have it check at each login, and in the event that it fails the 'moderate' test, force a password change. Since you in turn can't now enter a crap password, it will push everyone to add a decent password. Annoying, once, but after that... all users are covered, and this should no longer require constant monitoring afterwards (ideally).
> So far every password testing website the IRC crew tested rated Password123456 as at least moderate.
Even assuming non-case sensitive, "password123456", when combined with just about any system to limit the ability of automated cracking software, should be good enough to stop the kinds of attacks that are allegedly taking place.
Anthony
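
An added illustration, not code from this thread or from the Wikimedia software: a meter that scores only length and character classes rates Password123456 highly, while a check that strips digit padding and compares the remaining word against a list of common bases rejects it. The word list, scoring thresholds and function names are assumptions constructed for the example.

```python
import re

# Constructed sample; a real deployment would load a large list of known-common passwords.
COMMON_BASES = {"password", "letmein", "qwerty", "welcome", "admin", "wikipedia"}
LABELS = ["weak", "decent", "moderate", "good", "strong"]  # scale quoted in the thread


def naive_rating(pw):
    """Rate by length and character classes only, as simple meters do."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    score = (classes - 1) + (len(pw) >= 8) + (len(pw) >= 12)
    return LABELS[max(0, min(score, 4))]


def is_sequence(s):
    """True for runs such as 123456, 654321 or 111111."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 3 and steps in ({1}, {-1}, {0})


def pattern_aware_rating(pw):
    """Reject common base words with digit/symbol padding before scoring."""
    folded = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)  # drop leading/trailing padding
    if core in COMMON_BASES or is_sequence(folded):
        return "weak"
    return naive_rating(pw)


def acceptable(pw, rate=pattern_aware_rating, minimum="moderate"):
    """Policy from the thread: refuse anything rated below 'moderate'."""
    return LABELS.index(rate(pw)) >= LABELS.index(minimum)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Password123456", "password123456", "tram-Quartz-9-violin"):
        print(pw, naive_rating(pw), pattern_aware_rating(pw), acceptable(pw))
```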