OWASP Passfault

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Passfault
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!

Introduction
OWASP Passfault is more ...
 * Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies
 * Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.
 * Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.
 * Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.

Description
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the size of the patterns and combinations of patterns. The end result is a more academic and accurate measurement of password strength.

When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: the number of passwords found in the password patterns. This measurement is made more intuitive and meaningful with an estimated time to crack.

Licensing
OWASP Passfault is free to use. It is licensed under the [Apache License version 2.0].


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is Passfault?
OWASP Passfault provides:


 * Password Strength Evaluation
 * Password Policy Replacement

Presentation
Presentation given at OWASP SnowFROC 2012 in Denver:

Articles
["Your Passwords don't Suck, its your Policies" - ZDNet] ["Redefining Password Strength and Creation" - MidsizeInsider, IBM] ["For Better Password Policies" - Turnlevel, Partnet] ["How long would it take to crack your password" - Naked Security, Sophos]


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download
[downloads]

Demo Page
[demo site]

Project Leader
Cam Morris

Related Projects

 * Password_Storage_Cheat_Sheet

Classifications

 * }

=FAQs=

Demo Site

 * Does the Demo Site capture or log passwords?
 * No, of course not


 * How can I be sure the Demo Site doesn't capture or log passwords?
 * You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:

To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt
 * GETs are blocked so no urls will have accidental passwords stored in the logs
 * passwords are read directly from the input stream to prevent parsing into Java Strings
 * the memory is cleared as soon as analysis is complete.
 * HTTPS is required on this URL (using the appspot domain)

= Acknowledgements =

Volunteers
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:


 * Cam Morris
 * University of Florida Students:
 * Neeti Pathak
 * Carlos Vasquez
 * Chelsea Metcalf
 * Yang Ou

Others

 * Partnet Inc. has donated paid labor on OWASP Passfault

= Road Map and Getting Involved =

=Project About=