I'm working on a password validation function that must check potential passwords against a dictionary. If the password or any part of it is found in the dictionary, reject it. The function is simple enough, but where will I obtain the word list? Is there a web service already available for looking up words? I've poked around some, but have not found anything that screams "Pick Me!" Thanks.

EDIT: When I asked this, I had not considered specific password dictionaries like @Joe Skora's that will include words that may be prevented. So, I'll extend the question to include that kind of dictionary, and other things I am probably not considering in writing this function.

Platform is C#/ASP.NET/SQL Server. This is just one element of the formula for strong passwords that will have to be implemented. Many thanks.

Googling for free dictionaries gives you plenty of freely available dictionaries. If you upload these to a database, you can perform a fast search for any known word.

However, don't believe it will eliminate non-brute-force attacks!

You should take a look at password cracking programs! The easiest extension of the dictionary attack is to mix words. Furthermore, there are other kinds of attacks, like changing characters to ones that are near to one another on the keyboard. (For instance: turn d to f.)

The best password cracking application I have seen to date is John the Ripper. If you look at what kinds of attacks it uses, you can develop a better password generator.

You should also study user habits, because an average password is really a bad password. For instance, most users put numbers at the end of their passphrase, so a strong password is one with a number in its middle.

There are several open-license general (not specific to passwords) word lists/databases. The best may be the Princeton WordNet.

To ensure a strong password, you need to do more than just look for words in the dictionary. But if there's not a library already to do this on your platform (what is it, incidentally?), simply treat it like you would spell checking. If any part of the password passes a spellchecker, it fails.

Microsoft has a library for spell-checking.

If you particularly want to use a web service, consider this.

I believe there's no need for checking against a dictionary, especially if you wish to reject even parts of passwords. English has a lot of small words, and stretching to multilingual dictionaries might prevent using any password of a reasonable size without having almost every other letter being a 'z', 'q' or 'y': 'a', 'on', 'in', 'je', 'um', 'o', etc.

I don't completely understand why you care about a password being in a dictionary when you can easily impose other simple rules:

The password, with a minimum length of 8 chars, must contain:

  • 2 to 8 uppercase characters
  • 2 to 8 lowercase characters
  • 2 to 8 numbers
  • 1 to 4 special characters (*+"%&/()?-[]<>* etc.)

I got the word list from here, and loaded it into my database. Removed all words under 3 characters.

Wrote a C# function to parse each substring of the password (forward only for the time being) into an XML string.

Pass the XML string to a stored proc that produces a single-column temp table with every substring creating a row.

Join the temp table to my list of words, and if any rows are returned I know the password contains a dictionary word, and I know which substrings matched.

This works well, but I think we'll end up modifying the word list a little because it might be too limited.

Just help around the word list

I initially tried to go the dictionary with spell checker route, but I could not find a way to perform a spell check without either a third-party component (redistribution was too pricey and we are selling a product), or needing MS Word on the server.
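
The substring check described in the answer above, as an added example that is not the poster's code. It assumes an in-memory `HashSet` in place of the XML string, stored proc and temp-table join; the class name, method names, word list and sample passwords are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class DictionaryPasswordCheck
{
    // Mirrors the "removed all words under 3 characters" step.
    private const int MinWordLength = 3;

    // Constructed sample list; a real deployment would load the full word list.
    private static readonly string[] RawWords =
        { "a", "on", "in", "pass", "password", "word", "sword", "dragon" };

    private static readonly HashSet<string> Words = LoadWords(RawWords);

    // Case-insensitive lookup set with the short words filtered out.
    private static HashSet<string> LoadWords(IEnumerable<string> raw)
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string w in raw)
            if (w.Length >= MinWordLength) set.Add(w);
        return set;
    }

    // Returns every dictionary word that occurs as a forward substring.
    public static SortedSet<string> FindDictionaryWords(string candidate)
    {
        var hits = new SortedSet<string>(StringComparer.Ordinal);
        if (string.IsNullOrEmpty(candidate)) return hits;
        for (int start = 0; start + MinWordLength <= candidate.Length; start++)
            for (int len = MinWordLength; start + len <= candidate.Length; len++)
            {
                string piece = candidate.Substring(start, len);
                if (Words.Contains(piece)) hits.Add(piece.ToLowerInvariant());
            }
        return hits;
    }

    public static void Main()
    {
        // Constructed inputs: a plain word, a character-substituted word
        // (not caught by a plain dictionary check), and short words only.
        foreach (string pw in new[] { "MyPassword1", "Dr4g0n!x", "on-a-q7Zk" })
        {
            var hits = FindDictionaryWords(pw);
            Console.WriteLine(hits.Count == 0
                ? pw + ": accepted"
                : pw + ": rejected, contains " + string.Join(", ", hits));
        }
    }
}
```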