Prior art for analyzing passwords


It shouldn't be too hard to find prior art on patent application 20120284783. The primary claim is taking apart the password to identify common words or patterns. The password is checked by various weighted rules and given a final score to determine whether it passes or fails.

One example of prior art that I can think of right away is

Mark Burnett

Posted 2012-11-13T17:01:48.540



I was going to link to this blog post as a potential source for prior art: but then I realized that's your blog :-)

– kinkfisher – 2012-11-13T17:47:49.730

Yeah, there's plenty listed there as well. – Mark Burnett – 2012-11-13T22:19:37.953



cracklib, which has been on SourceForge since February 9, 2005 (and which evidently is much older - a README from 1997 is on the Archive - Thanks, Chromatix!) implements a password validation algorithm that uses a dictionary, patterns, and several other heuristics to reject passwords deemed "not secure enough," based on configured rules. It does not use a scoring system, and merely accepts or rejects a password based on its low entropy or use of common words.

Similarly, KDE's KPasswordDialog added a password strength meter on November 1, 2004, and the changelog and mailing list traffic at the time reference earlier work by Mozilla. The meter uses a dictionary and other heuristics to assign a score to an input password.



This README file (,2.7.txt) accessed via the Wayback Machine has a date of 14th December 1997.

– Chromatix – 2013-07-26T17:36:04.690

"suggest or reject" could be considered a score of 0 or 1, right? – GSP – 2013-07-26T18:04:39.643

FWIW, the README of the current version of the cracklib package (from SourceForge) includes a verbatim copy of the original 1997 README. This is one of those packages that attained maturity at an early age, and has only received maintenance to keep it compatible with modern C compilers and so on. – Chromatix – 2013-07-26T21:14:09.770


My password evaluator, , has been online since April 2001. It uses multiple unabridged English dictionaries, plus common names and passwords, combined without duplication, to check for words used in passwords. It checks for all the transformations that can normally be done by password cracking tools. It defaults to checking for words that are interrupted by one or more non-alpha characters. It also checks for sequences including ASCII and keyboard sequences, in both directions, with wrap and also alternate character sequences. It checks for repeat characters and too many of the same character in a password. It checks for repeat character groups. Many potential conditions result in one or more errors. If an error is reported (the equivalent of unacceptable if this were used to check a system password) no strength rating is given. If no error conditions are present it may still report some warnings, but will always give a strength rating.

The workings of my evaluator can be checked at the above URL. The default conditions checked for changed in 2012 but the basic workings have not changed since 2001. That my evaluator has been online since 2001 can be checked at . Search for my home page link and select the one from April 1, 2001. Then click on the link to Password Evaluator at the bottom of the site map. It will bring up an image of my password evaluator. This is from Dec. 2003. Apparently did not pick up my evaluator until then, but I never put a link on my site that was to an unfinished page or script that was not working. The appearance of my password evaluator was constant from early 2001 to mid or late 2012.

George Shaffer

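As an added illustration (this is not code from cracklib, KDE's KPasswordDialog, or George Shaffer's evaluator), the following Python sketch implements the kind of checks the two answers above describe: dictionary words found after undoing the substitutions cracking tools try and after stripping interrupting non-alpha characters, ASCII and keyboard sequences in both directions with wrap-around and alternate-character variants, repeated characters and repeated character groups, and the split between errors (the password is rejected and gets no rating) and warnings (reported, but a rating is still given). The word list, the leet table, the 8-character minimum and the rating bands are all constructed for the example and are not taken from any of the tools named on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed word list: stands in for the unabridged dictionaries, name
# and common-password lists a real evaluator would load from disk.
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein", "george", "secret"}

# Substitutions cracking tools try routinely; undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _runs(seq: str) -> List[str]:
    """Orderings of seq a sequence check must recognise: forward, reversed,
    every-other-character, each with wrap-around ('yzab', '9012')."""
    doubled = seq + seq  # concatenation makes wrap-around a plain substring test
    forward = [doubled, doubled[::2], doubled[1::2]]
    return forward + [r[::-1] for r in forward]


SEQUENCE_SOURCES = [r for s in [ALPHABET, DIGITS] + KEYBOARD_ROWS for r in _runs(s)]


def find_word(pw: str) -> Optional[str]:
    """Longest dictionary word hiding in pw, looked for in the raw lowercase
    form, after undoing leet substitutions, and with non-alpha characters
    removed so that 'pass-word' and 'p@ss.w0rd' still match 'password'."""
    low = pw.lower()
    forms = {low, low.translate(LEET)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    for word in sorted(WORDLIST, key=len, reverse=True):
        if len(word) >= 4 and any(word in f for f in forms):
            return word
    return None


def find_sequence(pw: str, min_len: int = 4) -> Optional[str]:
    """Longest substring of pw that is a run of an ASCII or keyboard sequence,
    in either direction, with wrap-around (e.g. 'wxyzab', 'poiuyt', '9012')."""
    low = pw.lower()
    best = ""
    for i in range(len(low)):
        for j in range(len(low), i + min_len - 1, -1):
            chunk = low[i:j]
            if len(chunk) > len(best) and any(chunk in s for s in SEQUENCE_SOURCES):
                best = chunk
                break
    return best or None


@dataclass
class Verdict:
    errors: List[str] = field(default_factory=list)    # any error: rejected, no rating
    warnings: List[str] = field(default_factory=list)  # reported, but still rated
    rating: Optional[str] = None


def evaluate(pw: str) -> Verdict:
    """Apply the checks and, only if none produced an error, assign a rating."""
    v = Verdict()
    if len(pw) < 8:
        v.errors.append("shorter than 8 characters")
    word = find_word(pw)
    if word:
        v.errors.append(f"contains dictionary word '{word}'")
    seq = find_sequence(pw)
    if seq:
        v.errors.append(f"contains sequence '{seq}'")
    if re.search(r"(.)\1\1", pw):
        v.errors.append("same character repeated three or more times")
    if pw and max(pw.count(c) for c in set(pw)) > len(pw) // 2:
        v.errors.append("more than half the password is one character")
    if re.search(r"(..+)\1", pw):
        v.warnings.append("repeated character group")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes < 3:
        v.warnings.append("fewer than three character classes")
    if v.errors:
        return v
    # Illustrative rating bands (an assumption, not Shaffer's or cracklib's).
    score = len(pw) * classes
    v.rating = "strong" if score >= 40 else "fair" if score >= 24 else "weak"
    return v


if __name__ == "__main__":
    for candidate in ("P4$$w0rd!", "pass-word-2024", "Wxyzab!Q9", "Tr!ck3d-Hunt9"):
        print(candidate, evaluate(candidate))
```

The point of the structure, relative to the patent claim quoted in the question, is that the pieces are separable: the word and sequence finders are reusable detectors, and whether their hits become a hard reject (cracklib style) or a weighted contribution to a score (KDE style) is a policy decision layered on top. Doubling each sequence before the substring test is the trick that makes wrap-around ('yzab', '9012') fall out for free.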