APS can calculate a password's complexity and compare it to a specified threshold to determine if the password should be allowed.
There are three metrics that APS uses to evaluate password complexity:
Each character has a value. APS adds up the values assigned to each character. Characters that appear more than once (case-insensitive) do not count multiple times.
Longer passwords are better. APS gives points for longer passwords.
Mixed case passwords are better. Every time that the password "switches case" (goes from lower to upper or upper to lower), a value is added to the complexity.
APS has a utility called APSComplexity that calculates the complexity of a given password. It may be useful to try various passwords to get a feel for these calculations.
The weight of each metric can be adjusted in the complexity section of the APS.cfg file. This section begins with a single line in the configuration file that looks like:
It is very unusual for sites to make changes to this section. The defaults are suitable for most sites. This section exists so that a site can fine-tune the calculations still further.
Normally, this section is not needed, since there are default values for all possible complexity settings. This section can be used to fine-tune the weightings used for these calculations.
Note that no settings in this section can be overridden by users.
Default: not sorted
Recommended: Yes
Complexity Level: Advanced
When calculating the character values, APS ignores repeating characters. If this keyword appears, the characters will be sorted before this calculation. For example, without the Sorted keyword, "Passwords" gets credit for the letter "s" twice (the second appearance does not count, since it repeats the prior character, but the final "s" is counted again). If Sorted appears, "Passwords" receives credit for the letter "s" only once.
To turn this setting off, comment it out of the configuration file.
Sorted
Default: 2
Recommended: use the default
Complexity Level: Advanced
When calculating complexity, APS adds this value to the complexity score each time that the case switches from lower to upper or upper to lower case. Thus, using the default value of 2, "Passwords" would receive 2 points for a case switch and "PassWords" would receive 6. Intervening non-alphabetic characters are ignored in these calculations, so "Pass2W4ords" still receives 6 points.
If case switching should not be considered during complexity calculations, set this value to zero.
Case Switch=0
Case Switch=4
Default: +2
Recommended: use the default
Complexity Level: Advanced
This is actually 29 different keywords: Length4, Length5, through Length32. Each value specifies the score applied to passwords of that length. If no length values are specified, length is scored at zero for length 4, plus two points for each additional character (length 5=2, length 7=6, etc.).
If only some length values are specified, the default ("+2") is used up to the first specified value, then the specified value is used for all lengths up to the next specified value and so on. For example, if the following is specified:
Length4=0
Length8=4
Length12=6
this would be the same as:
Length4=0
Length5=0
Length6=0
Length7=0
Length8=4
Length9=4
Length10=4
Length11=4
Length12=8
Length13=8
(and so on).
Default: 0-10
Recommended: Yes
Complexity Level: Advanced
There are 256 characters in the ASCII character set. Every character can have its own score and these scores can be overridden in APS.cfg. The default scores are:
Letter scores are shown in the following table. Lower case characters, by default, have the same value as their upper-case equivalents.
| Letter | Score | Letter | Score | Letter | Score |
|--------|-------|--------|-------|--------|-------|
| A | 1 | J | 8 | S | 1 |
| B | 3 | K | 5 | T | 1 |
| C | 3 | L | 1 | U | 1 |
| D | 2 | M | 3 | V | 4 |
| E | 1 | N | 1 | W | 4 |
| F | 4 | O | 1 | X | 8 |
| G | 2 | P | 3 | Y | 3 |
| H | 4 | Q | 10 | Z | 10 |
| I | 1 | R | 1 | | |
There are three ways to set the score for a specific character. For displayable characters, either of the following methods will work. The examples below set the score for the capital letter "A":
A=5
'A'=5
Obviously, this mechanism does not work for non-displayable characters. Instead, the hexadecimal value of the character can be specified. For example, the score for Control-Z could be set to 5 using:
\x1A=5
If only one case of a character is explicitly set, then the other case will automatically be set to the same value.
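The following added example (not APS code and not the APSComplexity utility) scores a password with the three metrics using the default values documented on this page, including the effect of the Sorted keyword. It assumes the three scores are simply summed, that non-letter characters score 0 because their defaults are not listed here, and that lengths outside 4 to 32 are clamped to that range; all function names are hypothetical.

```python
# Added illustration; not APS source code. Function names are hypothetical.
# Default letter scores from the table on this page (applied case-insensitively).
LETTER_SCORES = dict(zip(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    [1, 3, 3, 2, 1, 4, 2, 4, 1, 8, 5, 1, 3,
     1, 1, 3, 10, 1, 1, 1, 1, 4, 4, 8, 3, 10]))


def char_score(password, sorted_mode=False):
    """Sum character values, skipping a character that repeats the one before it."""
    chars = password.upper()
    if sorted_mode:
        # Sorted keyword: sort first, so every repeat becomes adjacent and is skipped.
        chars = "".join(sorted(chars))
    total, prev = 0, None
    for ch in chars:
        if ch != prev:
            total += LETTER_SCORES.get(ch, 0)  # assumption: non-letters score 0
        prev = ch
    return total


def case_switch_score(password, case_switch=2):
    """Add case_switch per upper/lower transition; non-alphabetic characters are ignored."""
    letters = [c for c in password if c.isalpha()]
    switches = sum(1 for a, b in zip(letters, letters[1:])
                   if a.isupper() != b.isupper())
    return switches * case_switch


def length_score(password):
    """Default length rule: 0 at length 4, plus 2 per additional character."""
    n = min(max(len(password), 4), 32)  # assumption: clamp to the Length4..Length32 range
    return (n - 4) * 2


def complexity(password, sorted_mode=False, case_switch=2):
    """Return the per-metric breakdown and their sum (summing is an assumption)."""
    parts = {
        "characters": char_score(password, sorted_mode),
        "length": length_score(password),
        "case": case_switch_score(password, case_switch),
    }
    parts["total"] = sum(parts.values())
    return parts
```

Comparing `complexity("Passwords")` with `complexity("Passwords", sorted_mode=True)` shows the single point that the third "s" contributes when Sorted is off.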
Default scores for international (multibyte) characters are:
Copyright © 2014 CA.
All rights reserved.