Say your users have a password of like 8 characters, Brutus (used for brute forcing) will tell someone trying to gain access that they'll have better luck asking the person.
So the only real threat is like dictionary attacks. So you add an eregi and ask your users to include at least 1 number and/or a special character.. or you have your own dictionary that you check the word against, if its in your dictionary then you tell the user to select another one. Brute forcing a password is pass or fail, if the person is determined enough they'll get in. Using a dictionary can work sometimes, script kiddies can whip those out pretty quick and try it. The main anti-passcrack would be a strong password. I usually use minimum of 8 characters, 1 special character not at the end. And on top of this i also have a about 7,000 words/common passes in a MySql database that i reference. Of course, you have to remember that you're dealing with users.. as in users... who will make their password their initials and the last 2 digits of their birthday... or they'll make it 112233. The best way to learn about security on stuff like this is to sit down and try to break into your system, if you can do it locally then thats better, so that you can test it as if someone plugged in on your server's lan (highly unprobable) and anyone that tries to sell you a product for the anti-passcrack is really saying, you don't seem to want to write the 40 lines of code.. so i'll rip you on it.
-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php