Password requirement - Not be a dictionary word or proper name

Developer https://www.devze.com 2023-03-12 00:45 Source: web
I have to create a password strength checker; the only requirement that I'm not able to get is "Not be a dictionary word or proper name." I have a 60MB text file with a ton of words. For example, when you use "test" it fails properly, but if you use test123 it passes when it should fail.

My code for that is:

// Returns false if any dictionary line contains the password.
// (The asker's original logic: "test123" passes because no line contains it.)
static bool PassesDictionaryCheck(StreamReader file, string pwd)
{
    int counter = 0;
    string line;
    while ((line = file.ReadLine()) != null)
    {
        if (line.Contains(pwd)) { return false; }
        counter++;
    }
    return true;
}

How would I parse a user's password to pull out a dictionary word?

Or should I try to implement a regex to force every 3rd character to be either a number or special character and avoid the dictionary file altogether? Thanks.


Why don't you put that in SQLite and do simple queries?


What you really want is to calculate the entropy of the password. Analyzing which subset of characters is used, or whether dictionary words are used, are just tools to better estimate the entropy.

The problem with dictionary words is that their associated entropy is often very low compared to their length. So you should add less entropy for dictionary words than for apparently random characters.


Your code is virtually a denial-of-service engine for your app. Import the dictionary into a SQL database and then use a SQL query to do your word matching.

IF NOT EXISTS (SELECT Word FROM Dictionary WHERE Word LIKE '%' + @Password + '%')

Would do the job.

As other people mention, you seem to be trying to ban passwords that contain dictionary words; this is pretty daft and confusing for your users and does not really offer added security. You really should only be looking for passwords that ARE dictionary words, i.e. test is bad but test123 is fine. If so, the SQL would be even more efficient:

IF NOT EXISTS (SELECT Word FROM Dictionary WHERE Word = @Password)
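An added example (not code from the question or from any answer) of the exact-match approach this answer recommends, loaded once into a HashSet instead of re-reading the 60MB file per check. It also goes one step beyond the answer with a second check that strips leading/trailing digits and symbols first, so that "test123" is caught as a decorated dictionary word if the asker's requirement really demands that. The class name, the method names and the sample word list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not the asker's code. Holds the word list in memory so each
// password check is a hash lookup rather than a scan of the whole file.
public sealed class DictionaryPasswordCheck
{
    private readonly HashSet<string> words;

    // Matches runs of non-letters at either end of a lowercased password,
    // so "test123", "!test!" or "99test" all reduce to "test".
    private static readonly Regex Decoration =
        new Regex(@"^[^a-z]+|[^a-z]+$", RegexOptions.Compiled);

    public DictionaryPasswordCheck(IEnumerable<string> dictionaryLines)
    {
        words = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string line in dictionaryLines)
        {
            string w = line.Trim();
            if (w.Length > 0) words.Add(w);
        }
    }

    // One line per word, as in the asker's text file (path is an assumption).
    public static DictionaryPasswordCheck FromFile(string path) =>
        new DictionaryPasswordCheck(File.ReadLines(path));

    // True only if the whole password IS a dictionary word (case-insensitive).
    public bool IsDictionaryWord(string password) => words.Contains(password);

    // True if the password is a dictionary word once surrounding digits and
    // symbols are removed; this is what makes "test123" fail.
    public bool IsDecoratedDictionaryWord(string password)
    {
        string core = Decoration.Replace(password.ToLowerInvariant(), "");
        return core.Length > 0 && words.Contains(core);
    }

    public static void Main()
    {
        // Constructed sample word list; the real one is the asker's 60MB file.
        var check = new DictionaryPasswordCheck(new[] { "test", "password", "Alice" });
        foreach (string pwd in new[] { "test", "test123", "Tr0ub4dor&3", "alice!" })
            Console.WriteLine($"{pwd}: exact={check.IsDictionaryWord(pwd)} decorated={check.IsDecoratedDictionaryWord(pwd)}");
    }
}
```

With the sample list, "test" fails both checks, "test123" and "alice!" fail only the decorated check, and "Tr0ub4dor&3" passes both.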


If Word is loaded onto your server, then you can use the internal dictionary to check against, or use a dictionary web service like this to see if a word exists in a dictionary. If results are returned, then you can assume that it is a dictionary word.


I would store the words in a list at program start and work from there.

List<string> words = new List<string>();

while (!file.EndOfStream)
{
    string line = file.ReadLine();
    words.AddRange(line.Split(',')); // assuming a csv file
}

bool passWordCheck(string passWord)
{
    foreach (string x in words)
    {
        if (passWord.Contains(x))
            return false;
    }
    return true;
}


You should really listen to the Security Now Podcast Episode #303. Password strength is heavily discussed.

Also see: https://www.grc.com/haystack.htm this should point you in the right direction.

