Simple Password Strength Checker Review Help needed
steven at REMOVE.THIS.cybersource.com.au
Wed Jan 27 08:47:47 CET 2010
On Tue, 26 Jan 2010 23:14:31 -0800, Paul Rubin wrote:
> "Mallikarjun(ಮಲ್ಲಿಕಾರ್ಜುನ್)" <mallik.v.arjun at gmail.com>
>> Since this is my first app/program, can someone review my code (just
>> over 150 lines) and help me improve my programming capabilities
> I didn't look at the code. From a security point of view, the concept
> of "password strength checking" is pretty dubious. If you want secure
> passwords, generate them from a random number source
But why do they need to be random, if password strength is dubious?
> and assign them to
> the users. Don't have the users make up their own passwords. It's
> relatively (compared to using a computer file exposed to remote internet
> attacks) for users to write down the the random passwords on paper, as
> long as they're a little bit careful.
I think you're missing a word there. Relatively secure perhaps?
The problem is that most users will not be a little bit careful. They
will stick the password on a Post-it note on the side of the monitor, or
write it down and lose it, or leave the paper sitting on their desk while
they go to lunch.
> As Bruce Schneier put it:
> "My wallet is already a secure container; it has valuable things in
> it, and I have a lifetime of experience keeping it safe. Adding a
> piece of paper with my passwords seems like a natural thing to do."
And people frequently lose their wallets.
Besides, with the number of on-line identities and passwords many people
need, you'll need a separate wallet just for the passwords. I have
something of the order of 80 or 90 passwords written down, and another
dozen in my head. Because there are so many, I need to keep account
information with them: there's no way I'd be able to remember what the
passwords were for otherwise.
That's way too much to put in my wallet, and even if I did, if I lost it,
I'd lose *everything*. Not only would some stranger likely have access to
all my accounts, but I wouldn't even be able to identify what those
accounts were, let alone authenticate into them.
So I need at least one (and likely more) password I can keep in my head,
so I can encrypt my list of rarely-used passwords. Because it needs to be
something I can remember, it can't be a random string of digits, but it
needs to *look* random. In other words, it needs to be a good password
that is meaningful to me, but not to anyone else, and since I'm really
bad at judging randomness (like nearly all humans), I'll take all the
help I can get.
More information about the Python-list