Les,

Thanks for the great advice! I'll check out the Passpack UI for ideas. I only saw the picture of it on the home page so far, but I get the concept.
I was also going to respond to this thread about a Java library from Virginia Tech that I located. It really simplifies password validation. I've already integrated it into my application and am having no issues with it. You may wish to check it out, as it could be inspirational: http://code.google.com/p/vt-middleware/wiki/vtpassword

They also have a vtdictionary package so that passwords can be tested against various dictionaries with lots of options. I'm not using this feature yet. http://code.google.com/p/vt-middleware/wiki/vtdictionary

The VT packages are licensed under GPLv3, so I'm not sure how compatible they are with Shiro's Apache license. Also, the library does nothing to help with setting weights on different criteria for doing any sort of password strength calculation. I'm thinking the classes could be subclassed to include weights and perform strength tests, but I really haven't thought about it much. At the moment, I've decided to skip a strength meter, although at some point I'd really like to implement one.

When it comes to passwords, I'm of the mindset that they shouldn't be so restrictive that users cannot remember them. The system needs to be somewhat lenient or users will write them on stickies and things will be even less secure. But running passwords through some basic tests and having some requirements, such as at least one or two uppercase letters, numbers, or symbols, is good. I'd even be inclined to run the password through some sort of cracklib-like dictionary test to see if it easily fails.

I would certainly like to see a PasswordService be part of Shiro. Perhaps some ideas could be borrowed from the VT library to get it started?

Thanks again,
Tauren

On Tue, Feb 15, 2011 at 6:01 PM, Les Hazlewood <[email protected]> wrote:
> Hi Tauren,
>
> I don't have any code for this, but one example I'm happy with that I
> think is an 'ideal' to base code upon is Passpack's
> (http://www.passpack.com) password functionality. Passpack is an
> online password manager that allows you to create (and maintain) very
> complex passwords without having to remember them (side note: I'm
> not affiliated in any way with Passpack - I'm just a happy end-user).
>
> Unfortunately they don't make their strength indicator algorithms
> available, but I suggest that you take a look at their UI for ideas.
>
> Anyway, when generating a password, you can choose 1 or more character
> groups (lowercase chars, uppercase chars, punctuation, etc) and a
> length.
>
> Based on the number of character groups you've chosen and the length
> you've specified, their strength indicator changes color (red:bad ->
> yellow:ok -> green:good). To me, this is much nicer and easier to
> manage than depending upon, say, some crazy regular expression.
>
> I would venture that creating an algorithm based on length + # of
> character groups wouldn't be too hard. I'd _love_ for this to be in
> Shiro - perhaps encapsulating these kinds of checks plus some help
> with hashing passwords. Perhaps a new PasswordService?
>
> Anyway, I'll probably need to support something like this myself in
> the not too distant future, so I'd be happy to collaborate with anyone
> if they have any ideas. Of course, patches to Shiro are very welcome!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com
>
> P.S. We are also using Hibernate Validator at Katasoft as the
> implementation supporting JSR-303 bean validation annotations. (Note
> to those not familiar with it - it does not require Hibernate for
> persistence - it is a separate project by the Hibernate team). I've
> really enjoyed using it - especially since Spring supports it!
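The "length + number of character groups" meter that Les describes, combined with the cracklib-style dictionary pass that Tauren mentions, can be sketched in a few dozen lines. The class below is an added example written for this thread; it is not code from Shiro, Passpack or the vt-password/vtdictionary library, and Passpack's real algorithm is not public. The pool sizes (26/26/10/32), the red/yellow/green thresholds (28 and 48 bits) and the six-word sample dictionary are all assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Shiro, Passpack or vt-password code): rate a password by
 * the brute-force search space implied by its length and the character groups
 * it uses, after first rejecting plain dictionary words.
 */
public final class PasswordStrengthMeter {

    public enum Rating { RED, YELLOW, GREEN }

    // Assumed pool sizes; 32 is the count of printable non-alphanumeric ASCII.
    private static final int LOWER = 26, UPPER = 26, DIGITS = 10, SYMBOLS = 32;

    // Assumed thresholds, in bits of brute-force search space.
    private static final double RED_BELOW = 28.0, YELLOW_BELOW = 48.0;

    // Constructed sample word list standing in for a cracklib/vtdictionary file.
    private static final Set<String> DICTIONARY = new HashSet<>(Arrays.asList(
            "password", "letmein", "welcome", "qwerty", "monkey", "dragon"));

    private PasswordStrengthMeter() {}

    /** Flags for lower, upper, digit, symbol; anything not a letter or digit counts as a symbol. */
    private static boolean[] groupsPresent(String pw) {
        boolean[] g = new boolean[4];
        for (char c : pw.toCharArray()) {
            if (Character.isLowerCase(c)) g[0] = true;
            else if (Character.isUpperCase(c)) g[1] = true;
            else if (Character.isDigit(c)) g[2] = true;
            else g[3] = true;
        }
        return g;
    }

    /** Number of distinct character groups the password draws from (0..4). */
    static int characterGroups(String pw) {
        int n = 0;
        for (boolean b : groupsPresent(pw)) if (b) n++;
        return n;
    }

    /** Alphabet size a blind attacker must search given the groups in use. */
    static int poolSize(String pw) {
        boolean[] g = groupsPresent(pw);
        return (g[0] ? LOWER : 0) + (g[1] ? UPPER : 0) + (g[2] ? DIGITS : 0) + (g[3] ? SYMBOLS : 0);
    }

    /** length * log2(poolSize): an upper bound on brute-force work, not true entropy. */
    static double estimatedBits(String pw) {
        if (pw.isEmpty()) return 0.0;
        return pw.length() * (Math.log(poolSize(pw)) / Math.log(2));
    }

    /** Lower-case and strip leading/trailing non-letters so "Password1!" still hits "password". */
    static boolean isDictionaryWord(String pw) {
        String core = pw.toLowerCase(Locale.ROOT).replaceAll("^[^a-z]+|[^a-z]+$", "");
        return DICTIONARY.contains(core);
    }

    /** Dictionary words are always red; otherwise map bits onto the three colours. */
    static Rating rate(String pw) {
        if (isDictionaryWord(pw)) return Rating.RED;
        double bits = estimatedBits(pw);
        if (bits < RED_BELOW) return Rating.RED;
        if (bits < YELLOW_BELOW) return Rating.YELLOW;
        return Rating.GREEN;
    }

    public static void main(String[] args) {
        // Constructed sample passwords: one per colour plus a dictionary word.
        for (String pw : new String[] {"abc", "Password1!", "shiro11", "Tr0ub4dor&3"}) {
            System.out.printf("%-12s groups=%d bits=%5.1f -> %s%n",
                    pw, characterGroups(pw), estimatedBits(pw), rate(pw));
        }
    }
}
```

Running it gives "abc" 14.1 bits (red), "Password1!" red via the dictionary check, "shiro11" 36.2 bits (yellow) and "Tr0ub4dor&3" 72.1 bits (green). The last one shows the limit of the length-times-pool estimate: it is a leet-substituted dictionary word, so it only looks strong to a blind brute-force model; catching it needs a dictionary pass that also normalises substitutions, which is the kind of rule a vtdictionary or cracklib integration would supply. The per-criterion weights Tauren asks about would go into rate(): instead of two fixed bit thresholds, score each group and the length separately and sum the weighted parts.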
