Vulnerabilities leading to password leaks are not going away, and will continue to occur. Defenses against the plaintext disclosure of passwords needs to occur at multiple levels. One of these levels being the initial creation of the users password. Historically this has been done using traditional complexity checks utilizing JavaScript or language specific libraries, leaving the development up to application developers, who may have not had the training or expertise to implement adequate requirements.
I will present a new tool to fix this issue, and increase the potential for password complexity requirements. Acting as a language agnostic web service, the tool will allow the developers of any application to test prospective passwords against highly configurable requirements. By performing checks in this manner we can eliminate common password creation techniques, including but not limited to: keyboard walking, single base word leetspeak transformations, and passwords based on dates.
A discussion of complexity requirements, user behavior, and tool creation will be followed by the demo and release of an open source web service.