BMaximus has asked for the wisdom of the Perl Monks concerning the following question:

I've looked high and low all over PM and CPAN for a module that checks passwords to see if they're safe against a dictionary attack. Is there such a module? I hate reinventing the wheel.


Replies are listed 'Best First'.
Re (tilly) 1: Checking how safe a given password is.
by tilly (Archbishop) on Nov 13, 2001 at 07:18 UTC
    By coincidence one of the newest modules on CPAN is Crypt::Cracklib, an interface to cracklib which is a well-known C library that does exactly what you want.

    That said, I have not used this module, and it looks early alpha.

    I am more tired than I thought. I horribly misread the timestamp. This module has been around for ages. Still no idea how well it works.

      My thanks, tilly. I'll post a short review of the module as soon as I run amok on it a bit.
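
The kind of check the question asks for, as an added example that is not from the thread and is not Crypt::Cracklib's API or cracklib's algorithm: it rejects a password when a lowercased, stripped, un-substituted or reversed form of it appears in a word list or matches the user name. The word list, the 8-character minimum, the substitution table and the names `variants` and `weak_reason` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample word list (assumption); a real check would load a large dictionary file.
my %DICT = map { $_ => 1 } qw(password monkey dragon letmein secret welcome);

# Forms of the password that dictionary-attack mangling rules would also reach:
# lowercased, with leading/trailing digits and symbols stripped, with common
# character substitutions undone, and reversed.
sub variants {
    my ($pw) = @_;
    my @forms = (lc $pw);
    for my $re (qr/[^a-z]+$/, qr/^[^a-z]+/) {
        push @forms, map { (my $s = $_) =~ s/$re//; $s } @forms;
    }
    push @forms, map { (my $s = $_) =~ tr/013457@$!/oieastasi/; $s } @forms;
    push @forms, map { scalar reverse $_ } @forms;
    my %seen;
    return grep { length($_) && !$seen{$_}++ } @forms;
}

# Returns a reason string when a rule fires, or undef when none does.
# A result of undef only means these rules found nothing, not that the password is strong.
sub weak_reason {
    my ($pw, $user) = @_;
    return 'shorter than 8 characters' if length($pw) < 8;   # minimum length is an assumption
    for my $v (variants($pw)) {
        return "derived from dictionary word '$v'" if $DICT{$v};
        return 'derived from the user name'
            if defined($user) && $v eq lc($user);
    }
    return;
}

# Constructed sample passwords, checked for a hypothetical account named BMaximus.
for my $pw (qw(P4ssw0rd1 nogard99 bmaximus! monkey1 vexing-quartz-lantern)) {
    my $why = weak_reason($pw, 'BMaximus');
    printf "%-22s %s\n", $pw, defined($why) ? "REJECT: $why" : 'no rule fired';
}
```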

Re: Checking how safe a given password is.
by Purdy (Hermit) on Nov 13, 2001 at 18:22 UTC
    While it's not exactly a module, I've heard good things (haven't experimented with it yet {need to file for the white hat application ;)}) about John the Ripper. You could call that with backticks, capturing the output within your Perl script.


      I've used it. Two BIG thumbs up. Works like a charm. In addition to John the Ripper, here are a few more you may want to look into. I haven't used all of them, but most of them. Some are easier to use than others, but all work as advertised. In no particular order:
      • crackerjack (*nix -- one of the best, IMHO)
      • L0phtCrack (Win32)
      • Qcrack (*nix)
      • ScanNT (Win32)
      • crack (*nix)
      • Hades (*nix)
      • NTCrack (Win32)
      • Hellfire Cracker (*nix)
      Something that I've done in the past that has worked well, which encourages users to use Good Passwords™, is to hold a contest: whoever's password lasts the longest against several of the above gets some sort of prize. In my experience, it works better to encourage good password practices than to harp at people for bad passwords.