Re: Password strength calculation
by BrowserUk (Patriarch) on Jan 20, 2012 at 18:06 UTC
I like to display some kind of feedback (via AJAX) about the password strength when the user inputs the password. How do I do this without giving the user an easy way to figure out how to game the system?
You are worrying about the wrong people.
Let's say you add your strength-ometer.
All your local friendly hacker needs to do is spend 5 minutes, probably less, working out what rules you've used:
All lower: low strength; all upper: low strength; add a cap: a bit better; add a number: better still; add a symbol: better still. Less than 5: still low; 6-7: medium; 8 or more: strong.
Now, let's say 1 in 10 of your members are influenced by the widget. You've now decreased the range of possible passwords for those 10% by billions, therefore increased the chances of getting hacked by brute force attack many, many times over.
Any rules reduce the range of possibilities. Any clues you give the hackers increase their knowledge. And they only need one way in.
With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
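The post's argument is a counting argument, so here it is carried through in code. This is an added example, not part of the post or of any PerlMonks code: it counts how many candidates a published rule removes from an attacker's search, first for a minimum-length rule (the strings shorter than the minimum), then for a "must contain at least one of class X" rule via inclusion-exclusion. The class sizes and the 96-symbol alphabet are assumptions chosen so that the exactly-six-character figures match the 26^6 and 96^6 quoted later in the thread.

```python
import math
from itertools import combinations

# Constructed character-class sizes: 26 + 26 + 10 + 33 = 95 printable ASCII.
# The thread's larger figure, 782,757,789,696, is 96**6, i.e. a 96-symbol alphabet.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def space_exactly(alphabet_size, length):
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def space_up_to(alphabet_size, max_len):
    """Number of non-empty strings of at most `max_len` characters."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def excluded_by_min_length(alphabet_size, min_len):
    """Candidates an attacker never has to try once a minimum length is public."""
    return space_up_to(alphabet_size, min_len - 1)


def space_with_required_classes(length, classes, required):
    """Strings of `length` characters drawn from all `classes` that contain at
    least one character from every class named in `required`.
    Inclusion-exclusion: alternately subtract and add the strings that miss
    each subset of the required classes."""
    total = sum(classes.values())
    count = 0
    for r in range(len(required) + 1):
        for dropped in combinations(required, r):
            remaining = total - sum(classes[c] for c in dropped)
            count += (-1) ** r * remaining ** length
    return count


def bits(n):
    """Search-space size expressed as bits of entropy (log2)."""
    return math.log2(n) if n > 0 else 0.0


def rule_cost(length, classes, required):
    """How many bits a composition rule costs at a fixed length:
    entropy with no rule minus entropy once the rule is known."""
    free = space_exactly(sum(classes.values()), length)
    constrained = space_with_required_classes(length, classes, list(required))
    return bits(free) - bits(constrained)


if __name__ == "__main__":
    print("26^6 =", space_exactly(26, 6))
    print("96^6 =", space_exactly(96, 6))
    print("lowercase strings shorter than 6:", excluded_by_min_length(26, 6))
    print("8-char, must contain lower+upper+digit+symbol:",
          space_with_required_classes(8, CLASS_SIZES, ["lower", "upper", "digit", "symbol"]))
    print("bits lost to that rule: %.3f" %
          rule_cost(8, CLASS_SIZES, ["lower", "upper", "digit", "symbol"]))
```

The interesting output is the last line: for short lengths the "must contain every class" rule costs measurable entropy, because every candidate that lacks one class is struck from the list before the attacker starts.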
Well reasoned, but then again I think you're worrying about the wrong kind of attacks. Knowledgeable hackers tuning their brute-forcing software to manually fiddled-out rules would be plausible for very high value sites, but for your average internet site I tend to agree with JavaFan, it's not gonna happen. The value of these strength-o-meters is just in discouraging people from choosing something that's likely to be among an amateur attacker's first (couple thousand) tries. Of course one could just use Crypt::Cracklib and reject the ones that are easily derived from a dictionary word or too short. Technically rejecting anything under 6 characters or so also does nothing else but reduce the number of possibilities, but that's just the possibilities that will usually be tried first anyway.
I think you're worrying about the wrong kind of attacks
I'm not worrying about anything. There is no such thing as "the wrong kind of attack". People being people, will reuse the same passwords for different sites.
So, you hack a few "low risk" sites, grab a few thousand userid/password combos and then try them on your real target.
Technically rejecting anything under 6 characters or so also does nothing else but reduce the number of possibilities but that's just the possibilities that will usually be tried first anyway
If I know your site doesn't accept passwords of less than 6 characters, that is somewhere between 782,757,789,696 and 308,915,776 permutations, depending upon what other silly restrictions you have in place, that I don't have to try. Why make my life easy?
That almost sounds like you're saying that we should occasionally use an all-lowercase, 5 character password...
I'm guessing that you're taking the assumption that those 10% of people are going to tweak their password until they get a "Strong" result and then quit. And then the space of all weaker passwords is bigger than the space of all "just-barely-strong" passwords.
I would suggest that, instead of just a "weak", "medium", "strong" set, a continuum value may be good. There would then be no natural place to stop improving, and less clustering of the passwords around that point. Some things to consider in the strength calculation would be:
- length (not directly, just as a consequence of adding more credit-worthy password features)
- size of the symbol set
- reduced credit for the first/last character expanding the set (e.g. 'Password' isn't much better than 'password', but 'paSswORd' does get full credit for the inclusion of caps)
- reduced credit for substrings that are similar to dictionary words
- reduced value for date and name substrings
- throw in tests against any common patterns you can think of, like the first couple digits of Pi
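One way to turn that list into a continuous score, written here as an added example and not as code from the post: each character is credited log2 of the effective symbol set, a class that appears only at the first or last position earns half credit, and any substring that is a dictionary word, a year, or a fragment copied from a well-known sequence (the digits of pi, a keyboard row) has its characters' credit capped at a single flat value for the whole run. The word list, sequence list and the flat credits are constructed stand-ins; a real meter would load a full dictionary.

```python
import math
import re

# Constructed class sizes (26 + 26 + 10 + 33 = 95 printable ASCII characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
# Constructed stand-ins for a real dictionary and a real pattern list.
COMMON_WORDS = {"password", "secret", "welcome", "monkey", "dragon", "letmein", "qwerty"}
COMMON_SEQUENCES = ["31415926535897", "1234567890", "0987654321",
                    "qwertyuiop", "abcdefghijklmnopqrstuvwxyz"]
MIN_RUN = 4  # shortest copied fragment worth penalising


def classify(ch):
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def effective_alphabet(pw):
    """Symbol-set size, with half credit for a class that only shows up at the
    first or last position: 'Password' scores 39, 'paSswORd' scores 52."""
    positions = {}
    for i, ch in enumerate(pw):
        positions.setdefault(classify(ch), []).append(i)
    edges = {0, len(pw) - 1}
    size = 0
    for cls, idxs in positions.items():
        credit = CLASS_SIZES[cls]
        if len(pw) >= 3 and len(positions) > 1 and set(idxs) <= edges:
            credit /= 2
        size += credit
    return size


def weak_runs(pw):
    """Yield (start, end, flat_bits) for substrings that deserve one flat credit
    instead of per-character credit: dictionary words, years, copied sequences."""
    low = pw.lower()
    for word in COMMON_WORDS:
        start = low.find(word)
        while start != -1:
            # A word drawn from the list is worth log2(list size), not its length.
            yield start, start + len(word), math.log2(len(COMMON_WORDS))
            start = low.find(word, start + 1)
    for m in re.finditer(r"(?:19|20)\d\d", pw):
        yield m.start(), m.end(), math.log2(200)  # a year from 1900-2099
    for seq in COMMON_SEQUENCES:
        i = 0
        while i + MIN_RUN <= len(low):
            j = i + MIN_RUN
            if low[i:j] not in seq:
                i += 1
                continue
            while j < len(low) and low[i:j + 1] in seq:  # extend the match
                j += 1
            yield i, j, math.log2(len(seq))  # roughly "which offset in the sequence"
            i = j


def strength_bits(pw):
    """Continuous score in bits: per-character credit from the effective
    alphabet, capped inside every weak run by that run's flat credit."""
    if not pw:
        return 0.0
    per_char = [math.log2(effective_alphabet(pw))] * len(pw)
    for start, end, flat in weak_runs(pw):
        share = flat / (end - start)
        for k in range(start, end):
            per_char[k] = min(per_char[k], share)
    return sum(per_char)


if __name__ == "__main__":
    for candidate in ["password", "Password", "paSswORd", "3141592", "x1987y", "k7Qw!m2Zp"]:
        print("%-10s alphabet=%5.1f  strength=%6.2f bits"
              % (candidate, effective_alphabet(candidate), strength_bits(candidate)))
```

Because the result is a number rather than a label there is no "just barely strong" threshold to cluster around, which is the point of the post; the caps in 'Password' and 'paSswORd' change the alphabet credit as described, but neither rescues a password that is a dictionary word from end to end.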
Some things to consider in the strength calculation ...
I stress again. Anything you do to reduce the range of possibilities for passwords, substantially increases your vulnerability!
That's not opinion. It's math.
Re: Password strength calculation
by choroba (Cardinal) on Jan 20, 2012 at 18:15 UTC
Re: Password strength calculation
by JavaFan (Canon) on Jan 20, 2012 at 17:25 UTC
What consists of a good password?
Something that is simple enough for people to remember, instead of having them write it down on a post-it and sticking that to their terminal.
But ultimately, it depends on what's at stake. If the expected cost of cracking the password exceeds the value of having the password, the password is strong enough. Which means that for 99% of websites, 2-letter passwords (no digits, case or punctuation allowed) are more than strong enough. But there are also cases where a password alone isn't secure enough. (Some say good security is based on three pieces of authentication: something you know (password/phrase), something you have (key, RSA number generator), something that's you (fingerprint, voice, retina scan).)
Re: Password strength calculation
by Marshall (Canon) on Jan 20, 2012 at 18:31 UTC
The most dangerous break-ins are those where some cyber criminal is able to get the master password file for thousands of users! Or get a DB with credit card numbers. A huge amount of effort should be focused on that.
Cracking a single individual's password, one at a time, is normally not an effective strategy for a criminal who is interested in huge financial gain. As we've seen, targeting specific individuals (like celebrities) can have significant payback to get that one single account. But that is not, for a website as a whole, the most dangerous thing.
Update: When you get into "passphrases" instead of passwords, like: "MyMomHatedthe'57chevy", showing the printed text on the screen isn't that bad (might be hard for you as the account holder to get it right). This passphrase is very difficult to crack if you only have the encrypted version and are using brute force. If you have a short password and I'm looking at what you type (normal folks don't type that fast), I can know enough to "fill in the blanks" that I don't know by experimentation. I turn around and look the other way when one of my clients has to type an important password.
Re: Password strength calculation
by Khen1950fx (Canon) on Jan 20, 2012 at 18:17 UTC
For measuring strength, I used entropy. For example,
#!/usr/bin/perl -l
use strict;
use warnings;
use Data::Password::Entropy;
use Data::Password::Manager qw(pw_gen pw_valid pw_obscure pw_clean pw_get);

my $cleartext = 'Khen1950fx';            # sample password to measure
my $pass      = pw_gen($cleartext);      # derived (stored) form of the password
my $ok        = pw_valid($cleartext, $pass);   # true if the cleartext matches
print "Valid" if $ok;
# Entropy must be measured on the cleartext the user typed; the derived value
# $pass has the same length and alphabet whatever the input was.
print "Entropy is ", password_entropy($cleartext), " bits.";
# pw_clean() operates on the password string, not on the boolean from pw_valid().
my $clean_text = pw_clean($cleartext);
Re: Password strength calculation
by planetscape (Chancellor) on Jan 21, 2012 at 00:59 UTC
Re: Password strength calculation
by ikegami (Patriarch) on Jan 20, 2012 at 19:15 UTC