I just did a web-based authentication system at work. We have a new web site structure, and we wanted to protect an area for faculty and staff only (I work at a university, in the CS department). I wrote up some scripts and a small database that lets people choose (and reset) their own passwords. In so doing, I had to come up with a scheme to "force" good passwords for use with the web site (since there will be stuff in that private area that students should never be able to see). It's harder to do than you might think. There's a very fine line between pissing people off with strong passwords and letting them slide by using things like "qwerty".

In the end, I came up with this:

• >=6 characters
  
• At least one non-alphanumeric character
  
• Cannot be based on username (forward or backward)

That's it. Pretty easy going, right? Not really. I've had a couple people complain already (it's been two days since we went live). I even removed the "Cannot be based on a dictionary word" requirement. We also removed the "Cannot be the same as your Unix system password" requirement (over my loud protestations). I did get to add a blurb on the initial form "strongly encouraging" people to use different passwords.

I actually had a professor (a computer science professor, mind you) ask that I make it more lenient. He lamented to me that because he had to choose a "strange" password (since his "normal" password didn't pass my tests), he had already forgotten what he had chosen. He then asked me to email him and let him know what his password is. After I got done laughing, I prepared a carefully-worded LARTish email explaining to him what a one-way hash is and why I wasn't able to tell him what his word was, even if I wanted to send it to him in email. I also threw in a little bit of "weak passwords are the #1 security hole" boilerplate (although it's actually number 8 in the top ten list) and explained that I was glad that his normal system password wasn't able to be used on the web site. That I (me!) have to explain any of this to a full-on computer science professor is astounding.

I haven't sent the email yet; I thought it might be too harsh so I decided to sit on it overnight. I think on one hand that anyone clueless enough to use a password that can't pass even my lame scheme deserves to be cut down a notch or two. Then I think that he's a tenured prefessor, and I should be more respectful. Then I think that he's a tenured professor, and yet is a complete idiot, and I go back to the first thought.

Besides, I've always wanted to give a prof what-for.