> The closest I've found to a "password strength" calculation is the stuff NIST proposed based on entropy (measurement of the inherent uncertainty in something). Have a read through Appendix A in the following doc (starts on page 97 of the pdf)...

> http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

> Now, you'll note that when dealing with User generated passwords (as opposed to randomly generated passwords) some of the entropy bonuses NIST gives are based on the password composition rules you enforce on the users. While this makes the entropy value only partially figured based on the user's password selection it is nice because it shows how implementing a few rules can build in a good deal of entropy by default.

> There are a lot of things that are too subjective to be captured by a mere entropy rating and you'd need to decide which entropy minimums reach your opinion of weak, poor, fair... etc. Flawed as it is, it's pretty good when compared to the available alternatives. It'a good doc and lots of cool stuff in it - I encourage you to check it out if you get a chance.


Thanks for the info Craig! I started reading it and my eyes started crossing and everything was going fuzzy... No, just kidding! Looks like some good stuff that I think I will be able to use.

Also, I downloaded your vfpencryption71.fll and I think we are going to try using that to encrypt and decrypt these passwords once they are created. Thank you very much for making that available! I remember you discussing that at a Foxforward convention a couple years ago and I was really impressed, so I'm excited I'm finally getting to use it.

Take care!