On 5/8/07, geni <geniice(a)gmail.com> wrote:
> On 5/8/07, Joe Szilagyi <szilagyi(a)gmail.com> wrote:
>> Would it be overkill from the perspective of the number of users/scope of
>> users to implement something that checked the strength of passwords as
>> entered? Some websites feature tools that report on the perceived strength
>> of your password as entered, typically from weak to decent to moderate to
>> good to strong, or similar wording.
>>
>> Perhaps something like that, with the Wikimedia software having an option to
>> simply refuse acceptance of anything less than 'moderate' value? You can
>> have it check at each login, and in the event that it fails the 'moderate'
>> test, force a password change. Since you in turn can't now enter a crap
>> password, it will push everyone to add a decent password. Annoying, once,
>> but after that... all users are covered, and this should no longer require
>> constant monitoring afterwards (ideally).
>
> So far every password testing website the IRC crew tested rated
> Password123456 as at least moderate.

Even assuming non-case sensitive, "password123456", when combined with
just about any system to limit the ability of automated cracking
software, should be good enough to stop the kinds of attacks that are
allegedly taking place.

Anthony
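
An added example (not from this thread and not MediaWiki code) contrasting a character-class strength meter, which rates Password123456 highly, with a login-time check that normalises the password before comparing it to a common-password list. The function names, the thresholds and the six-entry word list are assumptions constructed for illustration.

```python
import string

# Constructed sample list (assumption); a deployment would load a large
# list of known-common passwords instead.
COMMON_BASES = {"password", "letmein", "qwerty", "admin", "welcome", "wikipedia"}
# Simple leet substitutions: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oleastas")
PADDING = string.digits + string.punctuation


def naive_meter(pw: str) -> str:
    """Score on length and character classes only (hypothetical meter)."""
    classes = sum(any(c in group for c in pw) for group in (
        string.ascii_lowercase, string.ascii_uppercase,
        string.digits, string.punctuation))
    score = classes + (len(pw) >= 8) + (len(pw) >= 12)
    return "weak" if score <= 2 else "moderate" if score <= 4 else "strong"


def base_word(pw: str) -> str:
    """Fold case, drop digit/punctuation padding at both ends, undo leet."""
    return pw.lower().strip(PADDING).translate(LEET)


def is_acceptable(pw: str, username: str = "") -> bool:
    """Reject short passwords and padded variants of common words or the username."""
    core = base_word(pw)
    if len(pw) < 8 or len(core) < 6:      # too short, or mostly padding
        return False
    return core not in COMMON_BASES and core != base_word(username)


def needs_password_change(pw: str, username: str = "") -> bool:
    """Login-time hook: with hashed storage, login is the only moment the
    server sees the plaintext, so the check runs after authentication."""
    return not is_acceptable(pw, username)


if __name__ == "__main__":
    for sample in ("Password123456", "P@ssw0rd1!", "correct horse battery staple"):
        print(f"{sample!r}: meter={naive_meter(sample)}, "
              f"force_change={needs_password_change(sample)}")
```
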