Idea #5682: Password strength

Written by fordplay the 25 Mar 08 at 12:38. Related project: Gnome. Status: New
Rationale
Warn users if they try to use a weak password, in the style of Google account creation.

I originally thought that this would be good for the users login password. However, possibly this could be implemented for all passwords system wide.


Developer comments
With our automatic installation of wordlists through language-support this is actually feasible with cracklib. In the installer environment we don't have localized wordlists, but even with just the English one, cracklib is pretty useful and it does some statistical tests (independent from wordlists), too.

Also, the existing checks in PAM could probably do with an overhaul (IIRC they complain if you use a password with less than 6 characters or so, but they do not do any entropy testing, like usage of special chars, etc.)

Solution #1: Auto-generated solution of idea #5682
Written by fordplay the 25 Mar 08 at 12:38.
Ubuntu Brainstorm was updated in January 2009. Since the idea #5682 was submitted before this update, its rationale and solution are not separated. Please vote accordingly, and if you have the necessary rights, please separate the rationale from the solution. Thanks!

Comments
Auzy wrote on the 25 Mar 08 at 13:13
I may be wrong, but I think this is a dupe of http://brainstorm.ubuntu.com/idea/1198/

Eldmannen wrote on the 25 Mar 08 at 19:25
It could also be a right-click option with a context menu, and you select "Verify password strength".

spyyder wrote on the 25 Mar 08 at 19:31
A system-wide implementation would be nice; that way developers could use it in their programs.

Eldmannen wrote on the 25 Mar 08 at 21:58
spyyder,
Indeed.

It could automatically be applied to all software that uses a "password field", or be an optional feature to be called.

fordplay wrote on the 26 Jun 08 at 09:58
The strength could be determined using a simple points system. For example, this 6-point system:-

1 point for password 6 or more characters
2 points for passwords 8 or more characters
2 points for passwords that contain letters and numbers
1 point for containing a capital letter
2 points for more than 1 capital letter
-1 point for repetition of characters more than twice.
-2 points for a password containing words in available wordlists.
-2 points for beginning with a popular password, stored in a new popular passwords wordlist.

Results:-
qwerty1234 = -2: 2 points for containing letters and numbers, -2 for qwerty being in an easy-to-guess password list and -2 for 1234 being in an easy-to-guess password list.

BBslwys90 = 6: 2 points for being more than 8 characters, 2 points for containing numbers and letters, 2 points for containing 2 uppercase letters.


sandoz wrote on the 30 Jun 08 at 08:41
@fordplay:
Your system unfortunately discriminates against other methods of password picking, e.g. the Diceware method (see http://en.wikipedia.org/wiki/Diceware ).

The advantage of the Diceware method is that you can calculate the strength of the password and that it uses a strongly randomized password-picking procedure. For usability reasons it operates with dictionary words, resulting in long but easy-to-remember passwords/passphrases.

With your system, those strong passphrases would be voted negative for each word found in the wordlists.

So you should add a rule which increases the points with increased length of the password (above 8 characters) to compensate for that.

And you should modify your rule so that it is applied only to the first two/three words found.

Just my two cents.

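The two comments above describe a scoring scheme and an amendment to it; as an added example (not code from the thread or from Ubuntu), here is fordplay's six-point system in Python with sandoz's two amendments available as switches. The length and capital tiers are assumed to be exclusive (an 8+ character password earns 2 points, not 1+2), the bonus rate of one point per two characters beyond eight is an assumption, and the two wordlists are constructed stand-ins for cracklib's dictionary and a popular-passwords list.

```python
import re

# Constructed stand-ins for a cracklib-style dictionary and a "popular passwords"
# list; a real implementation would load the system wordlists instead.
WORDLIST = {"always", "correct", "horse", "battery", "staple", "orange"}
POPULAR = {"qwerty", "1234", "password", "letmein"}


def dictionary_hits(pw):
    """Dictionary words found anywhere in the password, ordered by position."""
    low = pw.lower()
    found = [(low.find(w), w) for w in WORDLIST if w in low]
    return [w for _, w in sorted(found)]


def score(pw, length_bonus=False, max_word_penalties=None):
    """fordplay's six-point system. Length and capital tiers are exclusive
    (an 8+ character password earns 2, not 1+2), which reproduces BBslwys90 = 6.
    The two keyword arguments switch on sandoz's amendments."""
    pts, n, low = 0, len(pw), pw.lower()
    if n >= 8:
        pts += 2
    elif n >= 6:
        pts += 1
    if length_bonus and n > 8:
        pts += (n - 8) // 2              # assumed rate: +1 per two chars beyond eight
    if re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw):
        pts += 2
    caps = sum(c.isupper() for c in pw)
    if caps > 1:
        pts += 2
    elif caps == 1:
        pts += 1
    if re.search(r"(.)\1{2,}", pw):      # a character repeated more than twice in a row
        pts -= 1
    hits = dictionary_hits(pw)
    if max_word_penalties is not None:   # sandoz: penalise only the first few words
        hits = hits[:max_word_penalties]
    pts -= 2 * len(hits)
    pts -= 2 * sum(1 for p in POPULAR if p in low)   # -2 per popular-list entry present
    return pts


if __name__ == "__main__":
    for pw in ("qwerty1234", "BBslwys90", "correct horse battery staple"):
        print(f"{pw!r}: original={score(pw)} amended={score(pw, True, 2)}")
```

qwerty1234 scores 0 here rather than the -2 in the comment because the comment's tally leaves out the two points its ten characters earn for length; the Diceware-style passphrase moves from -6 under the original rules to 8 with the amendments, which is the effect sandoz asked for.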
fordplay wrote on the 1 Jul 08 at 11:17
@sandoz

Good point. My system certainly needs a bit of work. However, I feel that something similar would be good enough to remind users that '1234' or 'password' is not a good password.

Some further reading on password strength.
Leaked password analysis:
http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html

Ajax version of something similar:
http://phiras.wordpress.com/2007/04/08/password-strength-meter-a-jquery-plugin/

yzarc wrote on the 6 Aug 08 at 12:25
Please don't. If I were a newbie who decided to give Linux a try via Ubuntu and had to build an alien password, I'd just give up after the third attempt, or just format the HD when I forgot the password. The people who need strong passwords know this; don't make life harder for my "grandmother" :D.

