Hi!

It would be good to run a password strength checker at login time as well, as the software should, for a brief moment, have a copy of the plaintext password that can be scanned, before it hashes it for checking and forgets the plaintext.

Another measure may be to have a bot that scans the accounts periodically (maybe for starters only on admin, etc. high-privilege accounts) and alerts on weakly-passworded ones? We know bad (or at least greyhat) guys do that, so maybe to prevent it we should try using the same approach?
--
Stas Malyshev
smalyshev(a)wikimedia.org
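The two measures suggested in the message above, sketched as an added example that is not part of the original thread and is not MediaWiki code: a strength check run on the plaintext at login time, immediately before it is hashed for verification and discarded, and a periodic audit that tests only a list of known-weak passwords against the stored hashes of privileged accounts and reports the account names. The common-password list, the PBKDF2 parameters, the sample account store and the account names are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for a real breached/common-password list (assumption:
# a production deployment would load a far larger one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wikipedia", "admin123"}
MIN_LENGTH = 12
ITERATIONS = 50_000  # constructed; tune for the deployment's hardware


def check_strength(password: str, username: str = "") -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login(username: str, password: str,
          store: Dict[str, Tuple[bytes, bytes]]) -> Tuple[bool, List[str]]:
    """Verify the login and, while the plaintext is briefly in hand, grade it.

    Returns (authenticated, weakness_reasons). Reasons are only reported for a
    successful login, so a failed guess leaks nothing about the real password.
    The plaintext is not retained after this function returns.
    """
    record = store.get(username)
    if record is None:
        return False, []
    salt, digest = record
    ok = verify_password(password, salt, digest)
    reasons = check_strength(password, username) if ok else []
    return ok, reasons


def audit_privileged(store: Dict[str, Tuple[bytes, bytes]], privileged: List[str],
                     candidates: Set[str] = COMMON_PASSWORDS) -> Set[str]:
    """Periodic scan: test only the known-weak candidates against each
    privileged account's stored hash and return the account names to alert on.
    The matching password itself is deliberately not returned or logged."""
    flagged = set()
    for user in privileged:
        salt, digest = store[user]
        if any(verify_password(c, salt, digest) for c in candidates):
            flagged.add(user)
    return flagged


# Constructed sample account store: one privileged account with a weak
# password, one with a strong one, and an unprivileged weak one.
SAMPLE_STORE = {
    "admin_alice": hash_password("qwerty"),
    "admin_bob": hash_password("Tr0ub4dor&3-long-phrase"),
    "user_carol": hash_password("123456"),
}
PRIVILEGED = ["admin_alice", "admin_bob"]

if __name__ == "__main__":
    ok, reasons = login("admin_alice", "qwerty", SAMPLE_STORE)
    print("login ok:", ok, "weaknesses:", reasons)
    print("privileged accounts to alert on:", audit_privileged(SAMPLE_STORE, PRIVILEGED))
```

The audit intentionally tests only a curated weak-password list rather than attempting general cracking, which keeps its cost bounded (one PBKDF2 evaluation per candidate per account) and limits what the scanning job learns to "this account matches a known-bad password", which is all the alert needs.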