views: 130
answers: 5

If I want to check passwords in my application for the inclusion of English words, should I store a database of English words locally (is there a free database?) or is there a (free) web service I can use to check them remotely?

Ideally I would check the words using an Ajax call but I don't want to pass the entire English dictionary by XML. I have a feeling network traffic could become a problem.

Any suggestions?

(Also, any Rails-specific suggestions?)

A: 

I would store them in a database/XML file on your web server, then use an Ajax JavaScript call to a web service running on that same server. In ASP.NET this is easy to do; I'm not sure how involved this is when using Rails...

Nate Bross
+1  A: 

/usr/share/dict/words contains a massive wordlist if you're working on Unix.
Otherwise, here is a Ruby gem for something called WordNet which could easily solve your problem and probably includes names of famous cities and people as well.
You should google for 'password analysis' and check out some other common bad password patterns as well.

adi92
Great first suggestion. One thing to note about WordNet ( from http://wordnet.princeton.edu/faq#cat_content ): WordNet only contains "open-class words": nouns, verbs, adjectives, and adverbs. Thus, excluded words include determiners, prepositions, pronouns, conjunctions, and particles.
Adam Bernier
Wow, that's perfect. "This code was loosely based on the Lingua::Wordnet Perl module by Dan Brian, and uses a similar strategy of converting the WordNet® data files into a BerkeleyDB database. The convertdb.rb script in the distribution can be used to build these databases from the WordNet® dictionaries." -> Is it saying that when you install the gem, you are actually installing a small local database implemented as a BerkeleyDB database? That's what it sounds like to me. Or do I have to call out to a remote service (WordNet Lexical Database) using the Ruby gem?
Hank
WordNet itself doesn't seem to be free. Is it really open source? http://isbn.nu/026206197X
Hank
@Hank ... you have to install berkeley-db and compile the wordnet corpus into its file-format.. that part was pretty confusing to me when I had to do it.. but you have to do it only once
adi92
http://wordnet.princeton.edu/license
adi92
@adi - Thanks. This is great.
Hank
A: 

Not sure what you're doing with the results, but you'll probably want to remove one (and maybe two) letter words from the list so you don't get too many hits that don't mean much.

Dennis Palmer
A: 

If you use a web service you will introduce a delay, maybe some outage (if the service is unavailable). Your users will not like it. It is therefore more practical to check passwords against a local word list. However, your security requirements should be the most important factor in your decision.

A: 

You can use the algorithms/code/wordlist from this project: http://www.openwall.com/john/

auvi