PerlMonks  

Password strength calculation

by cavac (Parson)
on Jan 20, 2012 at 17:06 UTC [id://948997]

cavac has asked for the wisdom of the Perl Monks concerning the following question:

I'm in the middle of rewriting some authentication and user management stuff of a website a friend of mine runs. That site even displays a "password strength meter" in the "Change password" and "Register" dialogs.

But here's where the problem lies. The original developer, thankfully fired for incompetence regarding IT security, thought that any password that holds a "special" character is absolutely secure.

Similar assumptions were made about password storage, a quick eyeballing through the ROT13 "encrypted", flat file "database" revealed the shocking truth. No hashes but plaintext passwords. And most of them could be cracked by my baby sisters without consulting Google. You know, things like "god!" or where the password is the same as the username with a question mark added.

While I managed to fix all of that (using a database, salted password hashes, etc.), I still have a little problem about the password strength calculation.

Since I'm redoing the whole kit and kaboodle anyway, I'd like your suggestions.

  • What constitutes a good password?
  • How do I detect username-as-password obfuscations?
  • I'd like to display some kind of feedback (via AJAX) about the password strength when the user inputs the password. How do I do this without giving the user an easy way to figure out how to game the system?
  • I searched but couldn't find a nice, fitting module on CPAN. Did I overlook something?

BTW, I have read some articles by Bruce Schneier. That guy really goes on and on and on and on about how to make safer, much more complicated passwords and how to protect them. And then he says we should do away with password masking and display them as plain text on the screen (making them easy prey for shoulder surfing). So I'd rather hear from people who, just like me, sometimes get out of their office and have to deal with real people and encounter real life practical problems...

Note: Due to the ongoing security issues, I can't link to the site in question.

"You have reached the Monastery. All our helpdesk monks are busy at the moment. Please press "1" to instantly donate 10 currency units for a good cause or press "2" to hang up. Or you can dial "12" to get connected directly to second level support."

Re: Password strength calculation
by BrowserUk (Patriarch) on Jan 20, 2012 at 18:06 UTC
    I'd like to display some kind of feedback (via AJAX) about the password strength when the user inputs the password. How do I do this without giving the user an easy way to figure out how to game the system?

    You are worrying about the wrong people.

    Let's say you add your strength-ometer.

    All your local friendly hacker needs to do is spend 5 minutes, probably less, working out what rules you've used:

    All lower -low strength; all upper -low strength; add a cap -a bit better; add a number -better still; add a symbol -better still. Less than 5 still low, 6-7 medium; 8 or more strong.

    Now, let's say 1 in 10 of your members are influenced by the widget. You've now decreased the range of possible passwords for those 10% by billions, therefore increased the chances of getting hacked by brute force attack many, many times over.

    Any rules reduce the range of possibilities. Any clues you give the hackers increase their knowledge. And they only need one way in.


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

    The start of some sanity?

      Well reasoned, but then again I think you're worrying about the wrong kind of attacks. Knowledgeable hackers tuning their bruteforcing software to manually fiddled-out rules would be plausible for very high value sites, but for your average internet site I tend to agree with JavaFan, it's not gonna happen. The value of these strength-o-meters is just in discouraging people from choosing something that's likely to be among an amateur attacker's first (couple thousand) tries. Of course one could just use Crypt::Cracklib and reject the ones that are easily derived from a dictionary word or too short. Technically rejecting anything under 6 characters or so also does nothing else but reduce the number of possibilities, but that's just the possibilities that will usually be tried first anyway.
        I think you're worrying about the wrong kind of attacks

        I'm not worrying about anything. There is no such thing as "the wrong kind of attack". People being people, will reuse the same passwords for different sites.

        So, you hack a few "low risk" sites, grab a few thousand userid/password combos and then try them on your real target.

        Technically rejecting anything under 6 characters or so also does nothing else but reduce the number of possibilities but that's just the possibilities that will usually be tried first anyway

        If I know your site doesn't accept passwords of less than 6 characters, that is somewhere between 782,757,789,696 and 308,915,776 permutations, depending upon what other silly restrictions you have in place, that I don't have to try. Why make my life easy?

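Putting numbers on the "any rule reduces the range" argument above, as an added example that is not code from the thread: a Perl script that counts, by inclusion-exclusion, how many candidate strings a published composition rule ("must contain an upper-case letter, a digit and a symbol") or a minimum-length rule removes from the search space. The class sizes (26 lower, 26 upper, 10 digits, 33 symbols, 95 printable ASCII characters in total) and the rule sets it evaluates are constructed assumptions; the point is to see what a policy costs in search space before publishing it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Math::BigInt;

# Printable-ASCII classes (constructed sizes; 26+26+10+33 = 95 characters).
my %CLASS = (lower => 26, upper => 26, digit => 10, symbol => 33);
my $ALPHABET = 0;
$ALPHABET += $_ for values %CLASS;

# Strings of exactly $len characters over the full alphabet.
sub space_size {
    my ($len) = @_;
    return Math::BigInt->new($ALPHABET)->bpow($len);
}

# Strings of length $len that contain at least one character from every
# class in @required: inclusion-exclusion over the subsets of required
# classes that are left out, sum (-1)^|S| * (alphabet - |S|)^len.
sub count_satisfying {
    my ($len, @required) = @_;
    my $n   = scalar @required;
    my $sum = Math::BigInt->new(0);
    for my $mask (0 .. (1 << $n) - 1) {
        my ($size, $left_out) = ($ALPHABET, 0);
        for my $i (0 .. $n - 1) {
            next unless $mask & (1 << $i);
            $size -= $CLASS{ $required[$i] };
            $left_out++;
        }
        my $term = Math::BigInt->new($size)->bpow($len);
        $left_out % 2 ? $sum->bsub($term) : $sum->badd($term);
    }
    return $sum;
}

# Candidates of length $len a published "must contain ..." rule lets an
# attacker skip: everything that fails the rule.
sub skipped_by_rule {
    my ($len, @required) = @_;
    return space_size($len)->bsub(count_satisfying($len, @required));
}

# Candidates a minimum-length rule lets an attacker skip: all shorter strings.
sub skipped_by_min_length {
    my ($min) = @_;
    my $sum = Math::BigInt->new(0);
    $sum->badd(space_size($_)) for 1 .. $min - 1;
    return $sum;
}

# $part / $whole as a percentage with two decimals, computed in BigInt.
sub percent {
    my ($part, $whole) = @_;
    my $scaled = $part->copy->bmul(10000);
    my $q = $scaled->bdiv($whole);    # scalar assignment: quotient only
    return $q->numify / 100;
}

my $len  = 8;
my @rule = qw(upper digit symbol);
printf "All %d-character strings:              %s\n", $len, space_size($len);
printf "Satisfying 'must contain %s': %s\n",
    join('+', @rule), count_satisfying($len, @rule);
printf "Skipped thanks to that rule:           %s (%.2f%%)\n",
    skipped_by_rule($len, @rule), percent(skipped_by_rule($len, @rule), space_size($len));
printf "Skipped by 'at least 6 characters':    %s\n", skipped_by_min_length(6);
```

Run as-is it prints, for 8-character passwords, how large a slice of the 95^8 space the composition rule hands to an attacker who reads your registration page; swap `@rule` or `$len` to price a different policy. The sanity check is `count_satisfying(1, 'digit')`, which must come out as 10.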

      That almost sounds like you're saying that we should occasionally use an all-lowercase, 5 character password...

      I'm guessing that you're taking the assumption that those 10% of people are going to tweak their password until they get a "Strong" result and then quit. And then the space of all weaker passwords is bigger than the space of all "just-barely-strong" passwords.

      I would suggest that, instead of just a "weak", "medium" "strong" set, a continuum value may be good. There would then be no natural place to stop improving, and less clustering of the passwords around that point.

      Some things to consider in the strength calculation would be

      • length (not directly, just as a consequence of adding more credit-worthy password features)
      • size of the symbol set
      • reduced credit for the first/last character expanding the set (eg: 'Password' isn't much better than 'password', but 'paSswORd' does get full credit for the inclusion of caps)
      • reduced credit for substrings that are similar to dictionary words.
      • reduced value for date and name substrings
      • throw in tests against any common patterns you can think of, like the first couple digits of Pi.
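As an added example of the continuum score sketched above (not code from the thread or from any CPAN module): a Perl script that starts from log2(alphabet ** length) and takes credit back for each listed feature (classes that only appear at the edges, dictionary words and names, four-digit years, common patterns), and also answers the username-as-password question from the original post by folding both strings before comparing. The word list, pattern list, class sizes, the "1 reads as i" fold and the 60-bit meter ceiling are constructed assumptions; a real deployment would feed the lists from a dictionary such as Crypt::Cracklib and a leaked-password list.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw(min);

# Constructed stand-ins for a real word/name list and a leaked-password or
# keyboard-pattern list; deliberately tiny.
my @DICTIONARY = qw(password monkey dragon letmein welcome summer chevy john smith);
my @PATTERNS   = qw(123456 12345 1234 qwerty asdf 31415 3141 abcd);

sub log2 { return log($_[0]) / log(2) }

# Size of the alphabet a string actually draws from.
sub charset_size {
    my ($s) = @_;
    my $n = 0;
    $n += 26 if $s =~ /[a-z]/;
    $n += 26 if $s =~ /[A-Z]/;
    $n += 10 if $s =~ /[0-9]/;
    $n += 33 if $s =~ /[^A-Za-z0-9]/;    # printable ASCII punctuation and space
    return $n;
}

# Fold case, undo the usual letter/digit swaps and keep letters only, so that
# "J0hn_Sm1th!" collapses onto "johnsmith". Crude on purpose: '1' is read as
# 'i', never as 'l'.
sub normalize {
    my ($s) = @_;
    $s = lc $s;
    $s =~ tr/@0134578$/aoieastbs/;
    $s =~ s/[^a-z]//g;
    return $s;
}

# Username-as-password obfuscation: the folded password contains the folded
# username, forwards or reversed.
sub derived_from_username {
    my ($pw, $user) = @_;
    my ($p, $u) = (normalize($pw), normalize($user));
    return 0 if length($u) < 3;
    return 1 if index($p, $u) >= 0 || index($p, scalar(reverse($u))) >= 0;
    return 0;
}

# Continuous strength estimate in bits. Each heuristic takes credit back
# instead of assigning a bucket, so there is no "strong, stop here" step.
sub strength_bits {
    my ($pw, $user) = @_;
    my $len = length $pw;
    return 0 if $len == 0;
    return 0 if defined $user && derived_from_username($pw, $user);

    my $per_char = log2(charset_size($pw));
    my $bits;
    if ($len > 2) {
        # Inner positions only get credit for the classes they really use:
        # 'Password' scores like 'password' plus two wider edge characters,
        # while 'paSswORd' keeps full credit for its capitals.
        my $core = substr($pw, 1, $len - 2);
        $bits = 2 * $per_char + ($len - 2) * log2(charset_size($core));
    } else {
        $bits = $len * $per_char;
    }

    # Dictionary words and names: the matched run is worth one pick from the
    # list, not length * per-character bits.
    my $folded = normalize($pw);
    for my $word (@DICTIONARY) {
        next if index($folded, $word) < 0;
        $bits -= length($word) * $per_char - log2(scalar @DICTIONARY);
    }

    # Four-digit years: roughly 150 plausible values, not 10**4.
    $bits -= 4 * $per_char - log2(150) if $pw =~ /(?:19|20)\d\d/;

    # Keyboard walks, digit runs, leading digits of pi: no credit at all.
    for my $pat (@PATTERNS) {
        $bits -= length($pat) * $per_char if index(lc($pw), $pat) >= 0;
    }

    return $bits < 0 ? 0 : $bits;
}

# What the AJAX endpoint would send back: a percentage of a 60-bit ceiling
# (constructed), not a weak/medium/strong bucket.
sub meter_percent {
    my ($bits) = @_;
    return min(100, int($bits * 100 / 60));
}

for my $pw (qw(Xkqvzt xKqvZt Password paSswORd p@ssw0rd1999 J0hn_Sm1th! htimsnhoj),
            'Tr0ub4dor&3', 'correct horse battery') {
    my $bits = strength_bits($pw, 'johnsmith');
    printf "%-22s %6.1f bits  meter %3d%%\n", $pw, $bits, meter_percent($bits);
}
```

Two things the sample run makes visible: 'xKqvZt' outscores 'Xkqvzt' because its capitals sit in the middle, and both 'Password' and 'paSswORd' fall to zero because the dictionary penalty outweighs any credit the capitals earn. The `derived_from_username` check catches "J0hn_Sm1th!" and the reversed "htimsnhoj" for user "johnsmith" before any scoring happens.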

        Some things to consider in the strength calculation ...

        I stress again. Anything you do to reduce the range of possibilities for passwords, substantially increases your vulnerability!

        That's not opinion. It's math.


Re: Password strength calculation
by choroba (Cardinal) on Jan 20, 2012 at 18:15 UTC
Re: Password strength calculation
by JavaFan (Canon) on Jan 20, 2012 at 17:25 UTC
    What constitutes a good password?
    Something that is simple enough for people to remember, instead of having them write it down on a post-it and sticking that to their terminal.

    But ultimately, it depends on what's at stake. If the expected cost of cracking the password exceeds the value of having the password, the password is strong enough. Which means that for 99% of websites, 2 letter passwords (no digits, case or punctuation allowed) are more than strong enough. But there are also cases where a password alone isn't secure enough. (Some say good security is based on three pieces of authentication: something you know (password/phrase), something you have (key, RSA number generator), something that's you (fingerprint, voice, retina scan)).

      ++, JavaFan...

          albeit, with one little quibble about a two char p/w being adequate for 99% of www:

      That may under-estimate the proportion of malicious folks and graffiti artists who are drawn to some sites.
Re: Password strength calculation
by Marshall (Canon) on Jan 20, 2012 at 18:31 UTC
    The most dangerous break-ins are those where some cyber criminal is able to get the master password file for thousands of users! Or get a DB with credit card numbers. A huge amount of effort should be focused on that.

    Cracking a single individual's password, one at a time, is normally not an effective strategy for a criminal who is interested in huge financial gain. As we've seen, targeting specific individuals (like celebrities) can have significant payback to get that one single account. But that is not, for a website as a whole, the most dangerous thing.

    Update: When you get into "passphrases" instead of passwords, like: "MyMomHatedthe'57chevy", showing the printed text on the screen isn't that bad (might be hard for you as the account holder to get it right). This passphrase is very difficult to crack if you only have the encrypted version and are using brute force. If you have a short password and I'm looking at what you type (normal folks don't type that fast), I can know enough to "fill in the blanks" that I don't know by experimentation. I turn around and look the other way when one of my clients has to type an important password.

Re: Password strength calculation
by Khen1950fx (Canon) on Jan 20, 2012 at 18:17 UTC
    For measuring strength, I used entropy. For example,
    #!/usr/bin/perl -l
    use strict;
    use warnings;
    use Data::Password::Entropy;
    use Data::Password::Manager qw(pw_gen pw_valid pw_obscure pw_clean pw_get);

    my $cleartext = 'Khen1950fx';
    my $pass = pw_gen($cleartext);             # stored form of the password, as pw_gen produces it
    my $ok   = pw_valid($cleartext, $pass);    # true when the cleartext matches that stored form
    print "Valid" if $ok == 1;
    # Measure the entropy of the password the user typed, not of its stored form.
    print "Entropy is ", password_entropy($cleartext), " bits.";
    my $clean_text = pw_clean($cleartext);     # pw_clean takes the cleartext, not the validity flag

      Unfortunately, that particular password would be guessed correctly within the first 10 tries (right after 'password' and '12345'), regardless of how many bits of entropy you think it has.

Re: Password strength calculation
by planetscape (Chancellor) on Jan 21, 2012 at 00:59 UTC
Re: Password strength calculation
by ikegami (Patriarch) on Jan 20, 2012 at 19:15 UTC

Node Type: perlquestion [id://948997]
Approved by Corion
Front-paged by chrestomanci