Simple Password Strength Checker Review Help needed
Steven D'Aprano
steven at REMOVE.THIS.cybersource.com.au
Wed Jan 27 02:47:47 EST 2010
On Tue, 26 Jan 2010 23:14:31 -0800, Paul Rubin wrote:
> "Mallikarjun(ಮಲ್ಲಿಕಾರ್ಜುನ್)" <mallik.v.arjun at gmail.com> writes:
>> Since this is my first app/program, can someone review my code (just
>> over 150 lines) and help me improve my programming capabilities
>
> I didn't look at the code. From a security point of view, the concept
> of "password strength checking" is pretty dubious. If you want secure
> passwords, generate them from a random number source
But why do they need to be random, if password strength is dubious?
*wink*
> and assign them to
> the users. Don't have the users make up their own passwords. It's
> relatively (compared to using a computer file exposed to remote internet
> attacks) for users to write down the random passwords on paper, as
> long as they're a little bit careful.
I think you're missing a word there. Relatively secure perhaps?
The problem is that most users will not be a little bit careful. They
will stick the password on a Post-it note on the side of the monitor, or
write it down and lose it, or leave the paper sitting on their desk while
they go to lunch.
> As Bruce Schneier put it:
>
> "My wallet is already a secure container; it has valuable things in
> it, and I have a lifetime of experience keeping it safe. Adding a
> piece of paper with my passwords seems like a natural thing to do."
And people frequently lose their wallets.
Besides, with the number of on-line identities and passwords many people
need, you'll need a separate wallet just for the passwords. I have
something of the order of 80 or 90 passwords written down, and another
dozen in my head. Because there are so many, I need to keep account
information with them: there's no way I'd be able to remember what the
passwords were for otherwise.
That's way too much to put in my wallet, and even if I did, if I lost it,
I'd lose *everything*. Not only would some stranger likely have access to
all my accounts, but I wouldn't even be able to identify what those
accounts were, let alone authenticate into them.
So I need at least one (and likely more) password I can keep in my head,
so I can encrypt my list of rarely-used passwords. Because it needs to be
something I can remember, it can't be a random string of digits, but it
needs to *look* random. In other words, it needs to be a good password
that is meaningful to me, but not to anyone else, and since I'm really
bad at judging randomness (like nearly all humans), I'll take all the
help I can get.
--
Steven
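As an added example, not part of Steven's or Paul's posts: the thread contrasts Paul's advice (draw passwords from a random number source) with the original poster's "strength checker". The code below does both sides. It generates passwords from the OS CSPRNG and states their entropy exactly, then shows the arithmetic a naive checker performs and why that number is only an upper bound: a breached-list lookup (here a tiny constructed stand-in, not a real corpus) overrides it. The 94-symbol pool, the 60-bit "weak" cut-off and the `COMMON_PASSWORDS` set are assumptions made for this example.

```python
import math
import secrets
import string

# Symbol pool for generated passwords: the 94 printable ASCII characters
# excluding space (constructed for this example; any non-repeating pool works).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny stand-in for a breached-password list (constructed, not a real corpus).
COMMON_PASSWORDS = {"password", "password1", "password1!", "letmein",
                    "qwerty123", "p@ssw0rd"}

# Minimum naive estimate we accept before calling a password "ok" (assumed threshold).
WEAK_BELOW_BITS = 60


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each symbol independently and uniformly from the OS CSPRNG.

    Because secrets.choice is uniform over the pool, every position contributes
    exactly log2(len(alphabet)) bits; 16 symbols from a 94-symbol pool is ~105 bits.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols, or the draw is not uniform")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly generated password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest generated length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def naive_strength_bits(password):
    """What a simple 'strength checker' computes: length times log2 of the pool
    inferred from the character classes present.

    This assumes the user chose every character uniformly at random, which
    people do not, so it can only ever be an upper bound on real entropy.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password):
    """Return (verdict, estimated_bits).

    The dictionary lookup is what keeps the naive estimate honest: a password
    on a breached list has near-zero effective entropy regardless of what the
    character-class arithmetic says, so it is reported as 'common' with 0 bits.
    """
    if password.lower() in COMMON_PASSWORDS:
        return "common", 0.0
    bits = naive_strength_bits(password)
    if bits < WEAK_BELOW_BITS:
        return "weak", bits
    return "ok", bits


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw, "->", round(uniform_entropy_bits(16, len(ALPHABET)), 1), "bits")
    print("length needed for 128 bits:", length_for_bits(128, len(ALPHABET)))
    # The naive formula credits "Password1!" with ~65 bits; the list check rejects it.
    print("naive bits for Password1!:", round(naive_strength_bits("Password1!"), 1))
    print("verdict for Password1!:", check_password("Password1!"))
```

The contrast in the last two prints is the point of the thread: the same string scores well on class-based arithmetic and scores zero once a breached list is consulted, which is why a generator backed by `secrets` gives a number you can trust while a checker on a human-chosen password gives at best a ceiling.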