password restriction question

[Jon]

I have a requirement for a new product that the user's passwords cannot
contain a word found in the dictionary.

I don't really have any practical ideas on how to do this. What's the best
way to do it?

Thanks

 

[Mark Rae]

I have a requirement for a new product that the user's passwords cannot
contain a word found in the dictionary.

The dictionary...? What dictionary?

If you mean something like the Oxford English Dictionary or Websters, you
could have quite a task on your hands!

If that is indeed what you mean, where do you draw the line...?

Does that mean that no password can contain the letter 'a'? That's *a*
perfectly good word which will be found in any English dictionary...

 

[Jon]

Exactly, the user's scope document says "passwords cannot contain words
found in the dictionary". I will clarify with them, but I assume they mean a
standard US dictionary, like oxford or websters.

 

[Peter Bradley]

Makes me proud to be Welsh.

Triwch chi ffeindio'r geiriau hyn mewn geiriadur Saesneg!


Peter

 

[Mark Rae]

Exactly, the user's scope document says "passwords cannot contain words
found in the dictionary". I will clarify with them, but I assume they mean
a standard US dictionary, like oxford or websters.

Wow! I think you might need to "manage expectations" a bit on that one...


Clearly, you're not going to purchase an electronic copy of Websters and
extract every word into a database or something - that would be ridiculous!

You could, I suppose, insist that every other character is non alphabetic
e.g.

1m2a3r4k5r6a7e8

If you do that, though, you might find that your users have a bit of hard
time remembering their password - when that happens, users have a tendency
of actually writing the password down somewhere...