The implementation is a good concept, but needs to be changed to match Common Criteria.
In general, Strong Passwords are at least eight characters in length; have a combination of at least three character classes; are not found in common dictionaries or predictable phrases; and don't match the owner's NetID or name.
Another policy that is risky if the web implementation is not rock-solid at both ends (https and a well-guarded server/database) is one ensuring that the password does not match any of the last 'n' passwords. The encryption key(s) and/or passphrases must be secured in such a way that someone who knows the algorithms and has access to the data is still facing a huge task to crack the database.
Mick Sear - 2006-03-22 10:12:18 - In reply to message 1 from Christopher Turner
The class can be configured to require whatever character limits your organisation needs. For example, your definition of a strong password is eight characters in length. The class can be configured to require that. If you require checks to be made to make sure it's not the same as previous passwords, of course, that's something you need to implement yourself.
If you need dictionary checking, etc., then either extend this class or use a different one. I don't pretend that this is the 'ultimate' password checking class, just one that suits my needs.
Feel free to extend it and publish your updates if you think that your improvements will help others.
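As an added illustration (not the class discussed in this thread, nor code from either poster), the following Python sketch combines the strength rules listed in message 1 (minimum length, three character classes, no dictionary words, no NetID or name) with the configurability Mick describes, and adds the "not one of the last n passwords" check from message 1 without keeping recoverable passwords: the history holds only salted PBKDF2 digests, so a leaked table does not hand an attacker old passwords. The small dictionary, the NetID "cturner", and the sample passwords are constructed for the demo; a real deployment would load a proper wordlist.

```python
import hashlib
import hmac
import os
import string

# Constructed sample wordlist; a real deployment would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest; the history stores only (salt, digest) pairs."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class PasswordPolicy:
    """Configurable strength checker modelled on the criteria in the thread above."""

    def __init__(self, min_length=8, min_classes=3, history_size=5,
                 dictionary=COMMON_WORDS):
        self.min_length = min_length
        self.min_classes = min_classes
        self.history_size = history_size
        self.dictionary = {w.lower() for w in dictionary}

    @staticmethod
    def _classes(pw):
        """Count how many of lower/upper/digit/punctuation appear in pw."""
        checks = (str.islower, str.isupper, str.isdigit,
                  lambda c: c in string.punctuation)
        return sum(1 for check in checks if any(check(c) for c in pw))

    def problems(self, password, netid="", name="", history=()):
        """Return a list of policy violations; an empty list means acceptable."""
        issues = []
        if len(password) < self.min_length:
            issues.append(f"shorter than {self.min_length} characters")
        if self._classes(password) < self.min_classes:
            issues.append(f"fewer than {self.min_classes} character classes")
        lowered = password.lower()
        # Strip digits/punctuation so "Password1!" is still caught as "password".
        letters_only = "".join(c for c in lowered if c.isalpha())
        if lowered in self.dictionary or letters_only in self.dictionary:
            issues.append("based on a common dictionary word")
        for label, ident in (("NetID", netid), ("name", name)):
            if ident and ident.lower() in lowered:
                issues.append(f"contains the owner's {label}")
        # Re-derive the digest with each stored salt; constant-time compare.
        for salt, digest in history[-self.history_size:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                issues.append(f"matches one of the last {self.history_size} passwords")
                break
        return issues

    def record(self, history, password):
        """Append the new password's salted hash and keep only the last n entries."""
        history.append(hash_password(password))
        del history[:-self.history_size]
        return history


if __name__ == "__main__":
    policy = PasswordPolicy()          # defaults: 8 chars, 3 classes, last 5 remembered
    hist = policy.record([], "Tr0ub4dor&3")
    for pw in ["short1!", "Password1!", "Tr0ub4dor&3", "cturner!2006", "Xk9#mLp2qR"]:
        verdict = policy.problems(pw, netid="cturner", name="Christopher", history=hist)
        print(f"{pw:14} {verdict or 'OK'}")
```

The checks are deliberately independent of one another, so an organisation can tighten `min_length` or `min_classes` without touching the history or dictionary logic, which is the point Mick makes about configuring the class to a site's own definition of "strong".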