>Hi Everyone!
>
>Hope everyone had a great weekend!
>
>Had a questions for you password gurus. We are wanting to implement "strong" passwords in our applications and as I've been searching the internet I've not yet found any real standardizations for what constitutes the strength of a password. Does anyone know if there is some place that this is defined or is it just left up to the individual as to what constitues weak, poor, fair, good, strong, excellent, etc?
>
>Thanks for your input!
The closest I've found to a "password strength" calculation is the stuff NIST proposed based on entropy (measurement of the inherent uncertainty in something). Have a read through Appendix A in the following doc (starts on page 97 of the pdf)...
http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdfNow, you'll note that when dealing with User generated passwords (as opposed to randomly generated passwords) some of the entropy bonuses NIST gives are based on the password composition rules you enforce on the users. While this makes the entropy value only partially figured based on the user's password selection it is nice because it shows how implementing a few rules can build in a good deal of entropy by default.
There are a lot of things that are too subjective to be captured by a mere entropy rating and you'd need to decide which entropy minimums reach your opinion of weak, poor, fair... etc. Flawed as it is, it's pretty good when compared to the available alternatives. It'a good doc and lots of cool stuff in it - I encourage you to check it out if you get a chance.
