password security check
pkos

« on: May 01, 2007, 03:30:20 PM »

I'm trying to create a password strength checker using JavaScript. What I've done until now is checking the existence of both upper and lower case letters, existence of numbers, existence of at least one special character, length of password and existence of non-printable characters.
I've done that by getting the password in the var "value" and using 'ifs' like that:

Code (javascript):
if (!(value.match(/[A-Z]/))) {
    errorMsg += "\nStrong passwords must include at least one uppercase letter.\n";
}
if (!(value.match(/[a-z]/))) {
    errorMsg += "\nStrong passwords must include one or more lowercase letters.\n";
}

Is there a way to check if the password is similar to words from a dictionary, which would be in a txt file?
And also, can I check the passwd/etc file by using JavaScript? If not, how can I do that?

« Last Edit: May 01, 2007, 03:32:34 PM by pkos »
CrYpTiC_MauleR
Site Builder

« Reply #1 on: May 01, 2007, 09:48:40 PM »

Personally I would not encourage the above password policy, mainly because complexity is not the key to password strength; it's length.

The password:

    #&%gd!7hF5

is less secure than the password

    My ugly old dog Joel always chews up my morning newspaper!

The first is complex, but very hard for someone to remember, so the user will try to make it as short as possible, reducing its strength because the possible combinations drop significantly. The latter is easy to remember, contains A-Z, a-z, punctuation and whitespace, but is much longer, and the possible combinations to guess the password are far, far more than for the first password. It also contains dictionary words, which if used properly like in the 2nd example will not degrade the password strength. So you should check for simple complexity but force a password length that you think will be adequate; disallowing dictionary words will just make users frustrated that they need to remember something hard. If I were you, I would suggest to users to use a sentence as a password, with punctuation, capitalization etc.

[x] Fight | www.crypticmauler.com
"You must be
allen

« Reply #2 on: May 02, 2007, 03:49:51 AM »

I believe he mentions he uses a password length check as well as the upper/lower cases etc. I have the same problem as he does though: I need to load a dictionary from a .txt file and compare each line (there is only 1 word per line) with the possible combinations of the value of the password (backwards as well). Also, if there are any 'files' made about the user (like etc/passwd in UNIX), I would like to check that too.
CrYpTiC_MauleR
Site Builder

« Reply #3 on: May 02, 2007, 09:56:01 AM »

Yes, I saw where he mentions he does a length check; yes, he may use a length of 25 chars perhaps, but forcing a user to remember a password like that is not good practice. Forcing them to not use dictionary words does not really increase the password strength, it just makes it more likely the user will pick the shortest password length possible and meet minimum requirements. If you allow dictionary words but make the password length requirement 50 chars, the password:

My ugly old dog Joel always chews up my morning newspaper!

will be possible, allowing the user to create a stronger and much easier to remember password. Length, not complexity and lack of dictionary words, makes a password strong. Think about this...

!@#$%
The Cat In The Hat

The first password is 5 characters long; the 2nd password is 5 words long. A keyboard has around 60 chars (not including Unicode), while an English dictionary has tens of thousands of words. Which has more combinations? The dictionary, of course. A password cracker would need to find combinations for 60 chars in a sequence of 6 in length, while for the 2nd password they would need to find combinations for tens of thousands of words in a sequence of 6 words in length. Don't limit a user's ability to create a stronger password.
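
The counting argument in the reply above, as an added example that is not part of the original post. ALPHABET_SIZE is the post's "around 60 chars"; DICT_SIZE = 20000 is an assumed stand-in for "tens of thousands of words", and the word model assumes the words were picked at random. Function names are hypothetical.

```javascript
// Added example: search-space estimate under two attacker models.
// ALPHABET_SIZE comes from the post; DICT_SIZE is an assumed value.
const ALPHABET_SIZE = 60;
const DICT_SIZE = 20000;

// Bits needed to enumerate every sequence of `length` symbols drawn
// from `symbols` choices: log2(symbols ** length).
function bits(symbols, length) {
  return length * Math.log2(symbols);
}

// Character model: the attacker tries every character string.
// Word model: the attacker tries every sequence of dictionary words,
// which only applies when the password splits into alphabetic words
// (one trailing punctuation mark per word is tolerated).
// The estimate is the cheaper of the two attacks.
function estimateBits(password) {
  const charBits = bits(ALPHABET_SIZE, Array.from(password).length);
  const tokens = password.trim().split(/\s+/);
  const allWords = tokens.every((t) => /^[A-Za-z]+[.,!?]?$/.test(t));
  if (!allWords) return { model: "character", bits: charBits };
  const wordBits = bits(DICT_SIZE, tokens.length);
  return wordBits < charBits
    ? { model: "word", bits: wordBits }
    : { model: "character", bits: charBits };
}
```

Counted per word rather than per character, the five-word phrase still comes out well ahead of the five-character password, while a single dictionary word scores far below either.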

GrandSchtroumpf
Mentor

« Reply #4 on: May 02, 2007, 01:35:00 PM »

> Don't limit a users ability to create a stronger password.
Maybe you can drop the dictionary search if the password has a certain minimum length.
As I understand it, enforcing a digit and a non-alphanumeric char in the password should be sufficient protection against dictionary attacks... or maybe not.
I'm not an expert in password cracking. I have seen some dictionary attacks crack passwords in just a few seconds for passwords that only consist of a single dictionary word. I don't know what happens if you use a dictionary followed by a non-alphanumeric char, like "hello§" for instance.
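
The dictionary check asked about in this thread, as an added example that is not code from any of the posters. It covers the one-word-per-line file, the backwards comparison, the "hello§" case and the idea of skipping the lookup above a minimum length. All function names, the 25-character threshold and the sample word list are assumptions; browser JavaScript cannot read server files such as /etc/passwd, so the word list text and any account details are passed in by the caller.

```javascript
// Added example: dictionary check for a password-strength meter.
// WORDLIST_TEXT is constructed sample data standing in for the .txt file
// (one word per line); in a browser it would be fetched from the server.
const WORDLIST_TEXT = "hello\npassword\ndragon\nmonkey\nletmein\n";

// Parse the one-word-per-line file into a Set of lowercase words.
function loadWordlist(text) {
  return new Set(
    text.split(/\r?\n/).map((w) => w.trim().toLowerCase()).filter(Boolean)
  );
}

// Candidate forms of the password to look up: as typed, with leading and
// trailing non-letters removed ("hello§" -> "hello"), and each reversed.
function candidateForms(password) {
  const lower = password.toLowerCase();
  const core = lower.replace(/^[^a-z]+|[^a-z]+$/g, "");
  const reverse = (s) => Array.from(s).reverse().join("");
  return new Set([lower, core, reverse(lower), reverse(core)]);
}

// Returns a list of problems; an empty list means the check passed.
// minPhraseLength (hypothetical threshold) skips the dictionary lookup for
// long passphrases. userTokens are account details such as the login name.
function checkPassword(password, words, userTokens = [], minPhraseLength = 25) {
  const problems = [];
  const forms = candidateForms(password);
  for (const token of userTokens) {
    const t = token.toLowerCase();
    if (t && [...forms].some((f) => f.includes(t))) {
      problems.push("contains account detail: " + token);
    }
  }
  if (password.length >= minPhraseLength) return problems;
  for (const form of forms) {
    if (words.has(form)) {
      problems.push("dictionary word: " + form);
      break;
    }
  }
  return problems;
}
```

A check like this in the page is only feedback for the user; the same rule has to be enforced on the server, which is also where files about the user can actually be read.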