Strong Password Enforcement

  • July 15, 2007
  • 7 replies
  • 1480 views
I have seen numerous sites which ask you to create a login and password, then reject your selected password if it does not adhere to their rules for strong passwords. Anyone seen/used CF code to do this? At a minimum I'm thinking:
1. At least 6 characters
2. At least one number and at least one letter

I would also like to look at "password not similar to login" and "password not like a dictionary word" but I'm sure these, at least the second, would require an application and/or database table.

Any other ideas on adding login/password security simply?

Next I will tackle password, and maybe login ID, encryption. It looks to me like the CF functions encrypt and decrypt might be a good way to do that.
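As an added illustration (not code from this thread), the checks the poster lists above, written in Python rather than CFML so it runs stand-alone; the word list is a small constructed stand-in for the dictionary table mentioned, and the "not similar to login" rule is my own interpretation (either string contained in the other, ignoring case). The same logic maps directly onto CF's Len, REFind, CompareNoCase and ListFindNoCase.

```python
import re

# Constructed sample word list standing in for the dictionary table the
# thread mentions; a real deployment would load a much larger list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "secret"}


def password_problems(password, login, words=COMMON_WORDS, require_upper=False):
    """Return a list of rule violations; an empty list means the password passes.

    Rules follow the thread: minimum length 6, at least one digit and one
    letter, an optional uppercase requirement, not equal to or derived from
    the login, and not a dictionary word (trailing or embedded digits ignored).
    """
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")

    pw, lg = password.lower(), login.lower()
    # "Not similar to login" (assumed interpretation): reject the login itself,
    # the login embedded in the password, or the password embedded in the login.
    if lg and (lg in pw or pw in lg):
        problems.append("too similar to login")

    # Dictionary check: strip digits so "password1" still matches "password".
    if re.sub(r"[0-9]", "", pw) in words:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "12345", "bob2007", "Tr4vel-bag"):
        print(candidate, "->", password_problems(candidate, "bob") or "OK")
```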

    July 19, 2007
    Actually I'm asking both. I am considering hashing to store passwords, but for PCI Compliance, we need to "enforce strong passwords".

    Do you have a code string that you use to check or enforce #1, or do you actually generate the passwords manually with these rules?
    AlwaysWannaLearn (correct answer)
    July 19, 2007
    July 23, 2007
    Excellent input, thanks.
    July 16, 2007
    Are you asking how to better protect the password once stored in the dB, or how to implement better password security for your clients?

    What I do for all my clients is:
    1. Passwords are between 5-9 chars (MUST have at least one number and one capital letter)
    2. When I store the password in the dB, I hash() the password so anyone looking in the dB can't decipher the password. hash() is a one-way encryption. Of course, that means that if a user forgot their password you need to reset it with a temp password and force the user to change it once they log in. (that part is simple)

    Using CAPTCHA is also a good idea, however CAPTCHA only makes certain the user submitting the form is a human and not a program designed to create accounts - this serves no purpose in password security.
    July 16, 2007
    Depending on performance, you could perform a FindNoCase or a ListFindNoCase on a text file read into a variable.

    Ideally, a password shouldn't be a dictionary entry, so consider using a Java-based spell checker. Most of the open source spell checkers are geared towards markup of the errors, so a little Java coding might be needed to return a boolean on whether the entry is a dictionary entry or not instead of a markup. Use cfobject to invoke the class or even create a custom Java tag to check the entry.

    Then perform other security checks using regex, such as contains at least one of an upper case, lower case and numeric character.

    Reference:
    Jazzy
    http://cfdj.sys-con.com/read/42120.htm

    http://mit.ocw.universia.net/1.00/s02/assignments/pset-10/solutions/SpellChecker.java

    July 15, 2007
    It's called CAPTCHA, and that's a great idea. I will look into that. I would still like to pursue strong or semi-strong password enforcement.
    July 15, 2007
    Have you considered a CAPTCHA approach, or whatever it's called? You display a random string on your page and the user has to type it correctly into a text box.
    July 15, 2007
    I'm not talking about anything outrageous here, just prohibiting passwords like "password", "12345" or a password equal to the userid. I think 6+ characters with at least one number and one letter is acceptable.

    I read many articles about this type of restriction, and, since I am most worried about internet hacking, users who write down their passwords are not a major concern. Someone would have to break into their home or office to find those.

    My objective is to be as secure as I can without being unreasonable.
    July 15, 2007
    My idea is to stop thinking about your code and start thinking about people and how much they can remember. The biggest security breach for passwords is when the person writes it down. People will write it down if they don't think they can remember it. The more clever you are about making them use obscure passwords, the more likely they are to write it down because there is no way to memorize it.