Hi All,

I thought I would share my fairly agricultural attempt at password strength testing. Attached are two zip files:

1. PasswordTester.zip (A5 Project)
2. PasswordTesterddl.zip (SQL Script file)

The Alpha project has a single web component that allows the user to enter a password and see a color bar display of its strength.

The evaluation is being performed by a UDF (user defined function) in MSSQL as called by an ajax callback and some javascript.

The SQL UDF encapsulates the rules for evaluating password strength and returns an integer. The A5 component can use the returned integer for the display, show/hide, enable/disable logic. For instance you can set the 'Confirm Password' control to only enable when the password strength is 4.

The SQL DDL Script creates two tables as well:
1. password_chars: a list of all characters acceptable for inclusion in a password
2. password_blacklist: a list of all blacklisted passwords

Before evaluating the password strength, the UDF checks to see that all entered characters are in the 'password_chars' table and that the password is not in the password_blacklist.

The actual evaluation is based on 5 characteristics; number of Upper Case Letters, number of Lower Case Letters, Number of numbers, Number of Special Characters. A bonus point is awarded if the password exceeds the minimum length by at least two characters.

On current UDF settings, a password is considered very strong if:
1. It has a minimum of 10 Characters (range is 8-14) AND
2. A minimum of 1 Upper Case Letter AND
3. A minimum of 1 Lower Case Letter AND
4. A minimum of 1 Numeric AND
5. A minimum of 1 Special Character

If this is of use to anyone, then please note the following:
1. I strongly advise you to customise the UDF maths and minimums to ensure that the resulting password is sufficiently strong for your application.
2. The password is evaluated at every key stroke and by a server side process. This implies that, unless you are running SSL, an un-encrypted password string is being sent from browser to server. This may be an unacceptable security risk so please evaluate and customise accordingly.
3. The password blacklist provided has 66000 words which are easily cracked though brute force. However I make no claim that this list is current and recommend you scout around the net for updates.

Lastly the SQL is fairly basic and I sure it can be improved on. I have heard of regular expression based testing which is far more compact but perhaps less flexible re blacklists etc.

So any suggestions and improvements welcomed.

Kind Regards