I'm in the middle of rewriting some authentication and user management stuff of a website a friend of mine runs. That site even displays a "password strength meter" in the "Change password" and "Register" dialogs.

But here's where the problem lies. The original developer, thankfully fired for incompetence regarding IT security, thought that any password that holds a "special" character is absolutely secure.

Similar assumptions were made about password storage; a quick eyeballing through the ROT13 "encrypted", flat file "database" revealed the shocking truth. No hashes but plaintext passwords. And most of them could be cracked by my baby sisters without consulting Google. You know, things like "god!" or where the password is the same as the username with a question mark added.

While I managed to fix all of that (using a database, salted password hashes, etc.), I still have a little problem about the password strength calculation.

Since I'm redoing the whole kit and kaboodle anyway, I'd like your suggestions.

BTW, I have read some articles by Bruce Schneier. That guy really goes on and on and on and on about how to make safer, much more complicated passwords and how to protect them. And then he says we should do away with password masking and display them as plain text on the screen (making them easy prey for shoulder surfing). So I'd rather hear from people who, just like me, sometimes get out of their office and have to deal with real people and encounter real life practical problems...

Note: Due to the ongoing security issues, I can't link to the site in question.

"You have reached the Monastery. All our helpdesk monks are busy at the moment. Please press "1" to instantly donate 10 currency units for a good cause or press "2" to hang up. Or you can dial "12" to get connected directly to second level support."
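The post's complaint is that the old meter treated "contains a special character" as proof of strength, so "god!" and "username?" passed. The following is an added example (not cavac's code, and not the site's) of a strength estimate that measures guessability instead: it strips trailing digits and symbols off a password, checks whether the remaining core is the username or a dictionary word, and only otherwise falls back to a brute-force search-space estimate. The eight-entry word list, the character-class pool sizes and the bit thresholds for the labels are constructed assumptions; a real deployment would load a proper wordlist and tune the thresholds.

```python
import math
import string

# Constructed stand-in for a real wordlist (assumption: a deployment loads
# thousands of common passwords here, not eight).
COMMON_WORDS = {"god", "password", "letmein", "qwerty",
                "welcome", "admin", "monkey", "dragon"}

# Assumed pool sizes per character class for the brute-force estimate.
CLASS_POOLS = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

# Digits and symbols that people bolt onto the end of a word ("god!", "name?").
DECORATION_CHARS = string.punctuation + string.digits
DECORATION_POOL = len(DECORATION_CHARS)  # 42 possibilities per appended character


def _pool_size(pw):
    """Sum the pool sizes of every character class that actually appears."""
    return sum(size for chars, size in CLASS_POOLS if any(c in chars for c in pw))


def _core(pw):
    """Password with leading/trailing digits and punctuation removed."""
    return pw.strip(DECORATION_CHARS)


def estimate_bits(pw, username=None):
    """Rough guess-entropy in bits. Lower means easier to guess."""
    if not pw:
        return 0.0
    core = _core(pw)
    decoration = len(pw) - len(core)
    # Each appended digit/symbol costs an attacker at most log2(42) extra guesses.
    decoration_bits = decoration * math.log2(DECORATION_POOL)

    # Username plus decoration: the core contributes nothing an attacker lacks.
    if username and core.lower() == username.lower():
        return decoration_bits
    # Dictionary word plus decoration: attacker tries each word in the list.
    if core.lower() in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS)) + decoration_bits

    # Otherwise assume brute force over the observed classes, with repeated
    # characters counted at half weight so "aaaaaaaa" does not look random.
    pool = _pool_size(pw) or 1
    distinct = len(set(pw))
    effective_len = distinct + 0.5 * (len(pw) - distinct)
    return effective_len * math.log2(pool)


def rate(pw, username=None):
    """Map the bit estimate onto the labels a strength meter would show."""
    bits = estimate_bits(pw, username)
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    return "strong"


if __name__ == "__main__":
    # Constructed samples, including the two patterns from the post.
    for pw, user in (("god!", None), ("cavac?", "cavac"),
                     ("Password1!", None), ("aaaaaaaa", None),
                     ("purple-monastery-kettle-42", None)):
        print(f"{pw!r:32} {estimate_bits(pw, user):6.1f} bits  {rate(pw, user)}")
```

The point of the ordering is that the special-character check only ever adds a few bits on top of whatever the core is worth; "Password1!" scores as a dictionary word with two decorations, not as a four-class password, which is exactly the case the old meter got wrong.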
