Proactive Password Checker - PPC

Timer class defenition

The Proactive Password Checker is designed to pre-check user passwords before they are allowed to be used, it looks at the contect of the password to determine it's strength against common password cracking techniques suck as dictionary, brute force and hybrid cracking.

Everything is contained in a class for inclusion in other scripts, the following code is all you need to get it working. I will be updating this, as I can see a variety of peformance enhancements and features that could be added.

Getting started <?php
include 'ppc.php';

//declare a new proactive password checker
$ppc = new proactive_password_checker();

//load the password, this also triggers the analysis and stores the results in public variables
$ppc->load_password('fpa$$w0rdi');
?>

 

Password Analysis

Once the password has been loaded, the proactive password checker evaluates the password by detecting dictionary words, character substitutions, random letters, random numbers and random symbols.

  • Dictionary words are assigned a score equal to the size of the dictionary.
  • Character substitutions (including upper case letters) are assigned a value of 2
  • Random letters are assigned a score of 26
  • Random numbers score 10
  • Random symbols score 20

The quality of word detection will depend on the dictionary used. A bigger dictionary will detect more but will increase CPU load and memory usage.

Retrieving information about the password analysis can be achieved by querying the following public variables in the proactive password checker class.

Password Analysis <?php
echo '<p>Password Words = ';
myprint_r($ppc->password_words);

echo 
'</p><p>Password Randoms = ';
myprint_r($ppc->password_randoms);

echo 
'</p><p>Password Substitions = ';
myprint_r($ppc->password_substitutions);

echo 
'</p><p>Password Repeats = ';
myprint_r($ppc->password_repeats);

echo 
'</p>';

function 
myprint_r($array)
{
    if(isset(
$array))
    {
        foreach(
$array as $temp)
        {
            echo 
$temp;
        }
    }
}
?>

 

Final Result

The final score can be found with the get_total_score function or a more user friendly score can be obtained with the strength_guage method, which simply uses strlen() to find count the length of the score to give an exponential measure of the password strength and therefore a much smaller number.

Final Result <?php
echo '<p>Total Score = ' $ppc->get_total_score() . '</p>';
echo 
'<p>Strength = ' $ppc->strength_guage() . '</p>';
?>

 

The results from the final score could easy be used to prevent weak passwords being entered into a system.

My recommendation would be to use a proactive password checker in conjunction with other simple security measures, such as: strong/slow hashes to slow down cracking time or (if possible) limiting the number or password guesses allowed by the system.

Please feel free to get in touch if you have comments or suggestions, feedback is greatly appreciated.

Download | Test Page