Simple Password Strength Checker Review Help needed

Paul Rubin no.email at nospam.invalid
Wed Jan 27 03:03:36 EST 2010


Steven D'Aprano <steven at REMOVE.THIS.cybersource.com.au> writes:
> I think you're missing a word there. Relatively secure perhaps?

Yes, something like that, oops.

> The problem is that most users will not be a little bit careful. They 
> will stick the password on a Post-it note on the side of the monitor,...

Right, that's what I mean about careful.  But, people do generally
develop skills at keeping important bits of paper (like their drivers'
license) safe.

> Besides, with the number of on-line identities and passwords many people 
> need, you'll need a separate wallet just for the passwords. I have 
> something of the order of 80 or 90 passwords written down..

I don't have anywhere that many important ones.  For the less important
ones I just use my browser's auto-fill feature (i.e. the passwords are
stored in the browser).  I generate important ones with a program (2-6
words selected at random from a dictionary).  When I generate a new one,
I write it on a slip of paper that I keep in my pocket and refer to as
necessary.  After referring to the paper a few times I usually remember
the password and don't need the paper any more, so I dispose of it.

> So I need at least one (and likely more) password I can keep in my
> head, so I can encrypt my list of rarely-used passwords. 

If there's just one, and it's a phrase, you can remember it.

> since I'm really bad at judging randomness (like nearly all humans),

Right, humans are no good at generating or judging randomness.  It's
best to use an entropy source.  www.diceware.com explains how to do it
with dice and a wordlist they supply.  I use a program something like
the following instead:

   # Python 2 script: picks words at random from the system dictionary
   # using /dev/urandom as the entropy source.
   from math import log
   dictfile = '/usr/share/dict/words'

   def genrandom(nbytes):
       # Read nbytes of entropy and turn them into one large integer.
       with open('/dev/urandom') as f:
           return int(f.read(nbytes).encode('hex'), 16)

   def main():
       # Keep only short words (len includes the trailing newline).
       wordlist = list(x.strip() for x in open(dictfile) if len(x) < 7)
       nwords = len(wordlist)
       print "%d words, entropy=%.3f bits/word"% (
           nwords, log(nwords, 2))
       # 10 bytes (80 bits) per draw makes the modulo bias negligible.
       print '-'.join(wordlist[genrandom(10)%nwords] for i in xrange(5))

   main()

You can also use the diceware word list instead of the unix wordlist,
of course.
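An added example, not part of the original post, that carries the same idea over to Python 3: it draws word indices from an entropy source without modulo bias (rejection sampling instead of a plain `%`), reports the entropy per word, and maps five-dice Diceware keys such as "12345" onto word-list positions. The word list and the `scripted_source` helper are constructed for illustration; `os.urandom` is the default entropy source.

```python
import math
import os

def uniform_index(nwords, read_bytes=os.urandom):
    """Uniform index in [0, nwords) with no modulo bias.
    read_bytes(n) returns n bytes from an entropy source (os.urandom by
    default); values at or above the largest multiple of nwords that fits
    in those bytes are rejected and fresh bytes drawn."""
    if nwords < 1:
        raise ValueError("empty word list")
    nbytes = (nwords - 1).bit_length() // 8 + 1
    span = 256 ** nbytes
    limit = span - span % nwords  # largest multiple of nwords <= span
    while True:
        r = int.from_bytes(read_bytes(nbytes), "big")
        if r < limit:
            return r % nwords

def entropy_bits(nwords, words_per_phrase):
    """Entropy of a phrase of words_per_phrase uniformly chosen words."""
    return words_per_phrase * math.log2(nwords)

def dice_key_to_index(key):
    """Map a Diceware key such as "12345" to a 0-based list index;
    keys "11111".."66666" cover a 6**5 = 7776 word list."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError("bad dice key: %r" % key)
    index = 0
    for ch in key:
        index = index * 6 + int(ch) - 1
    return index

def roll_dice_key(read_bytes=os.urandom):
    """Five unbiased dice rolls from the entropy source as a Diceware key."""
    return "".join(str(uniform_index(6, read_bytes) + 1) for _ in range(5))

def generate_passphrase(wordlist, nwords=5, read_bytes=os.urandom):
    """Join nwords uniformly chosen words with '-'."""
    return "-".join(wordlist[uniform_index(len(wordlist), read_bytes)]
                    for _ in range(nwords))

def scripted_source(values):
    """Constructed byte source for tests: one listed byte value per call."""
    it = iter(values)
    return lambda n: bytes(next(it) for _ in range(n))

if __name__ == "__main__":
    words = ["apple", "brook", "cedar", "dusk", "ember", "flint"]  # constructed
    print("%d words, entropy=%.3f bits/word" % (len(words), entropy_bits(len(words), 1)))
    print(generate_passphrase(words))
```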