Solved

Delphi code (or component) to check passwords against a dictionary - and a dictionary to use

Posted on 2009-05-15
14
443 Views
Last Modified: 2013-11-23
I am looking for code or a component to check passwords against a dictionary - and it needs to include the dictionary (US).

Something like pam_cracklib over in the UNIX world does.  This is NOT for a Windows password, but for passwords used in our programs. We check for minimum length, types of characters, and repeated passwords but don't have a "dictionary file" to compare the passwords against.  So something like 1Password$ might pass the length and character type checks, but should fail a dictionary check since it uses a common word - a "dictionary word".

A US dictionary file would be a great start, but if someone already has written the code to do the lookups that would be even better.

Thanks
0
Question by:dlwynne
14 Comments
 
LVL 26

Expert Comment

by:EddieShipman
ID: 24401235
Even though this is for your own application, I believe it is against the rules to ask this type of question on E-E because it is considered cracking.
0
 
LVL 16

Assisted Solution

by:CodedK
CodedK earned 50 total points
ID: 24401250
Hi, the best password list I know of is the Argon:
   http://rs174.rapidshare.com/files/98912262/theargonlistver2_wordlist.zip

Plain text is almost 2 gigs!

Hope this helps.
0
 
LVL 13

Accepted Solution

by:
ThievingSix earned 300 total points
ID: 24401277
Alright, I think I know what you're getting at.

You can find some good text files here: http://wordlist.sourceforge.net/

When you need to search for a word in the long list quickly, you would load the text file (in sections even) and do something like this: http://www.swissdelphicenter.ch/torry/printcode.php?id=1916
0
 
LVL 16

Expert Comment

by:CodedK
ID: 24401294
More often than not, password lists are already sorted!

(Binary search needs the list to be sorted before it runs.) So it's best to remove the QuickSort function from the code above, because it's going to iterate through the whole list every time you run the code...
Binary search is of course the best way, unless you're feeling lucky (brute force), so just remove the
QuickSort call.
0
 
LVL 13

Expert Comment

by:ThievingSix
ID: 24401301
Well, if you read the entire page, you would have seen that you need to sort the list first; if it's already sorted, then of course you wouldn't need to. It's there for the reference.

Also, CodedK, this isn't about a password list (as far as I can tell). He's trying to make sure people that enter passwords don't use common words such as you would find in the dictionary.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 24401313
Password list or dictionary file is exactly the same for me for this kind of task :)
Unless he needs it for vacations to the US, then it's useless :D hehe
Maybe my comment was pointless, I was just posting my thoughts.
Neeeed cofeee
0
 
LVL 45

Assisted Solution

by:aikimark
aikimark earned 150 total points
ID: 24404608
Rather than doing a string-comparing search against a list/array of strings, you would get much better results by comparing a hash of the password against hashes of the dictionary entries.  Integer comparisons are sooooo much faster than string comparisons.

In fact, you might be able to represent the hash positions as a bit-array or byte-array and greatly reduce the memory footprint as well as make the matching nearly instantaneous.

================
dictionary sources links
http://wordlist.sourceforge.net/
ftp://ftp.ox.ac.uk/pub/wordlists/american/ 

0
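aikimark's bit-array idea above, worked through as an added example (Python, not Delphi, and not code from the thread): a Bloom filter stores a dictionary as a few bits per word and answers "is this exact word present?" with one hash computation. As aikimark notes further down, this is an all-or-nothing match, so it only rejects a password that IS a dictionary word; it does not find a word buried inside a password. The sample word list, the 1% target false-positive rate and the SHA-256 double-hashing scheme are assumptions of this example. The practical caveat is the false positive: a Bloom filter occasionally reports a word as present that was never added, which for a password filter means rejecting an acceptable password now and then, so the rate should be chosen deliberately and documented.

```python
"""Bit-array membership test for a word list (a Bloom filter): added example."""
import hashlib
import math
from typing import Iterable, List


class WordBloom:
    """m-bit array with k hash positions per word. Exact-match lookups only,
    a few bits per word instead of the word itself, and a tunable chance
    of a false positive (a word reported present that was never added)."""

    def __init__(self, expected_words: int, false_positive_rate: float = 0.01) -> None:
        # Standard Bloom sizing formulas; the 1% target rate is an assumption.
        n = max(1, expected_words)
        self.m = max(8, int(-n * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, word: str) -> List[int]:
        # Two 64-bit values from one SHA-256 digest, combined as h1 + i*h2
        # (double hashing) to derive all k bit positions for this word.
        digest = hashlib.sha256(word.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, word: str) -> None:
        for p in self._positions(word):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, word: str) -> bool:
        # Present only if every one of the k bits is set; never a false negative.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(word))


def build_bloom(words: Iterable[str], false_positive_rate: float = 0.01) -> WordBloom:
    """Lower-case every word and add it; normalize the password the same way."""
    normalized = [w.lower() for w in words]
    bloom = WordBloom(len(normalized), false_positive_rate)
    for w in normalized:
        bloom.add(w)
    return bloom


def estimated_false_positive_rate(bloom: WordBloom) -> float:
    """(1 - e^(-kn/m))^k for the current fill: the figure to put in the policy docs."""
    return (1 - math.exp(-bloom.k * bloom.count / bloom.m)) ** bloom.k


# Constructed sample list (assumption), standing in for a real word list.
SAMPLE_WORDS = ["password", "secret", "letmein", "dragon", "qwerty",
                "monkey", "football", "welcome", "shadow", "master"]

if __name__ == "__main__":
    bf = build_bloom(SAMPLE_WORDS)
    print(len(bf.bits), "bytes for", bf.count, "words, k =", bf.k)
    print("password" in bf, "zzqxv" in bf, estimated_false_positive_rate(bf))
```

Because lookups are exact, this structure pairs naturally with the substring-window approach the asker describes later in the thread: each window cut from the password is looked up in the filter instead of in a set of strings.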
 

Author Comment

by:dlwynne
ID: 24412493
Thanks for the list links, ThievingSix and CodedK.  The massive Argon list is probably way too big for what I want to do, but the smaller Argon list or the ones I downloaded from the wordlist link probably will do - in some form or other.

I want something quick, like when assigning or changing a password under LINUX, and it does not have to block the use of EVERY possible dictionary word - just the most common ones.

ThievingSix, I have used binary search many times and understand its use - and it can be very fast on a sorted list of items.  The problem I see is that I am not sure I can use it in this case.

Example:  someone wants to use 1mypassword$ for their password. I can code it to remove the non-letter characters and then binary search the dictionary - but that means I search on mypassword, which it will not find.  What I really should do is check to see if each of the dictionary words exists in the password:

function ContainsDictionaryWord(const new_password: string;
  const dictionary: array of string): Boolean;
var
  x, number_of_words_in_dictionary: Integer;
begin
  Result := False;
  number_of_words_in_dictionary := Length(dictionary);
  x := 0;
  while (x < number_of_words_in_dictionary) do
  begin
    if (Pos(dictionary[x], new_password) > 0) then
    begin
      { bad password: a dictionary word occurs inside it }
      Result := True;
      x := number_of_words_in_dictionary + 1;  { leave the loop }
    end
    else
      Inc(x);
  end;
end;

This would catch either "my" or "password" and not let them use it.

Any ideas how to speed that search up rather than the code like I posted?

0
 

Author Comment

by:dlwynne
ID: 24412555
aikimark,

Thanks for the additional word list link.

Got some example code of your hash idea?   As I posted just above, I can't (or don't want to) do an exact match; I would like to check the new password to see if it contains any of the dictionary words.

0
 
LVL 45

Expert Comment

by:aikimark
ID: 24413751
You can't do that with hashing.  It's an all-or-nothing match.
0
 

Author Comment

by:dlwynne
ID: 24423190
I am thinking I should sort the words by length, shortest to longest.  Then drop any shorter than, say, 3 or 4 characters and any longer than, say, 10. The resulting file would be my "dictionary" to check against. These would all be mapped to lower case, and any words with special characters would be removed from the list.

I would load these into memory in this sorted order.

In my code would be something like this:

uses
  SysUtils, StrUtils;  { LowerCase, ReverseString }

{ keep letters only; everything else is dropped before the lookup }
function strip_non_alpha(const S: string): string;
var
  i: Integer;
begin
  Result := '';
  for i := 1 to Length(S) do
    if ((S[i] >= 'a') and (S[i] <= 'z')) or ((S[i] >= 'A') and (S[i] <= 'Z')) then
      Result := Result + S[i];
end;

{ dictionary must be lower case and sorted by length, shortest first }
function password_ok(const new_password: string;
  const dictionary: array of string): Boolean;
var
  new_password_temp, backwards_password: string;
  x, words_in_dictionary: Integer;
begin
  new_password_temp := LowerCase(strip_non_alpha(new_password));
  backwards_password := ReverseString(new_password_temp);
  words_in_dictionary := Length(dictionary);
  Result := True;
  x := 0;
  while (x < words_in_dictionary) do
  begin
    { the list is sorted by length, so once a word is longer than the
      password no later word can match either }
    if (Length(dictionary[x]) > Length(new_password_temp)) then
      Break;
    if (Pos(dictionary[x], new_password_temp) > 0) or
       (Pos(dictionary[x], backwards_password) > 0) then
    begin
      Result := False;
      Break;
    end;
    Inc(x);
  end;
end;

0
 
LVL 45

Expert Comment

by:aikimark
ID: 24426028
I think you're missing a comma
dictionary[x].backwards_password
 
should be
dictionary[x], backwards_password


0
 

Author Comment

by:dlwynne
ID: 24427746
Thanks, I didn't try the code - just typed it in :-) .

We are toying with the idea of doing it differently.  We could take the first 3 (say) characters and compare them to the 3-character dictionary words, perhaps hashed by starting letter, then move on to the first 4, the first 5, etc. If no match is found, then we would do the 2nd-4th, then 2nd-5th, 2nd-6th, then 3rd-6th, 3rd-7th, etc. Rather than searching through all dictionary words to see if they are in the password, break the password string up and search for exact matches in the dictionary list.

So a new password of "mypassword" might be checked as "myp", then "mypa", then "mypass", etc, then "ypa", "ypas", "ypass", etc then "pas", "pass" (finds a match and is rejected here or when it hits "password").

0
 
LVL 45

Expert Comment

by:aikimark
ID: 24427904
It would result in simpler code if you used some wildcard pattern matching, such as the TRegEx class, or probably just used ANSIPos() to look for any non-zero value of the dictionary word in the typed password string.

0
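The two strategies debated above, side by side as an added example (Python rather than Delphi, and not code from any participant): dlwynne's loop that runs Pos() over every dictionary word, forwards and on the reversed password, against dlwynne's later idea of cutting the password into windows of each dictionary word length and looking every window up in a hashed set, which is also how aikimark's hashing suggestion fits once the lookup is per window rather than per whole password. The sample word list, the 3..10 length bounds, and the leet-speak substitution table (@ to a, $ to s, 0 to o and so on, in the spirit of pam_cracklib) are assumptions of this example; the substitution step goes a little beyond the thread so that 1Password$ and P@55w0rd both fall to the same check.

```python
"""Dictionary-word check for a new password: naive scan vs. windowed set lookup."""
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample word list (assumption): a few common words standing in
# for the SCOWL / Argon lists linked in the thread.
SAMPLE_WORDS = ["my", "pass", "password", "word", "secret",
                "letmein", "dragon", "qwerty", "the", "a", "i"]

MIN_WORD_LEN = 3   # the asker's proposal: drop very short words
MAX_WORD_LEN = 10  # ... and very long ones

# Assumed leet-speak map, in the spirit of pam_cracklib; not in the thread.
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "3": "e", "!": "i", "7": "t"})


def normalize(password: str) -> str:
    """Undo common symbol substitutions, lower-case, keep letters only
    (the asker's strip_non_alpha + lowercase, plus the leet map)."""
    return re.sub(r"[^a-z]", "", password.translate(LEET).lower())


def build_dictionary(words: Iterable[str]) -> Dict[int, Set[str]]:
    """Group usable words by length so each candidate substring is one
    O(1) hash-set lookup (aikimark's hashing idea via Python's set)."""
    by_len: Dict[int, Set[str]] = {}
    for w in words:
        w = normalize(w)
        if MIN_WORD_LEN <= len(w) <= MAX_WORD_LEN:
            by_len.setdefault(len(w), set()).add(w)
    return by_len


def contains_word_naive(password: str, words: Iterable[str]) -> Optional[str]:
    """The asker's first loop: Pos(word, password) for every dictionary
    word, forwards and reversed. Cost grows with the dictionary size."""
    pwd = normalize(password)
    rev = pwd[::-1]
    for w in words:
        w = normalize(w)
        if MIN_WORD_LEN <= len(w) <= MAX_WORD_LEN and (w in pwd or w in rev):
            return w
    return None


def contains_word_windowed(password: str, by_len: Dict[int, Set[str]]) -> Optional[str]:
    """The asker's second idea: slide a window of each dictionary word
    length over the normalized and the reversed password and look each
    window up. Cost depends on password length, not dictionary size."""
    pwd = normalize(password)
    for text in (pwd, pwd[::-1]):
        for length in sorted(by_len):
            bucket = by_len[length]
            for start in range(len(text) - length + 1):
                window = text[start:start + length]
                if window in bucket:
                    return window
    return None


def password_acceptable(password: str, by_len: Dict[int, Set[str]]) -> bool:
    """Policy hook: reject any password that contains a dictionary word."""
    return contains_word_windowed(password, by_len) is None


if __name__ == "__main__":
    table = build_dictionary(SAMPLE_WORDS)
    for candidate in ["1Password$", "P@55w0rd", "drowssap", "Xq7#Vb9!"]:
        print(candidate, "->", contains_word_naive(candidate, SAMPLE_WORDS),
              contains_word_windowed(candidate, table))
```

The windowed version does len(password) lookups per word length, so a 12-character password against 3..10-letter words costs under a hundred set probes regardless of whether the list holds ten words or a million; the naive loop has to touch every word. Both report the same hit for the inputs above, including the reversed spelling that the asker wanted caught.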
