
Thread: Secure Passwords

  1. #1 (keyboard1333)

    Secure Passwords

    Hello everyone,
    What would you classify as a secure and reasonable length for a password?
    I read somewhere that anything less than 16 characters is insecure, but expecting a user to remember 16 characters is a bit stupid...

    What would you suggest for the minimum length for a password (it's not for a banking system or anything, but it does have a lot of personal information).

    Also, what're your thoughts on password content (Letters (Upper and lowercase), Numbers, Other Characters)... What should be required?

  2. #2 (djr33)

    Limiting the creativity of passwords would be a bad idea because that would allow the password breakers to just try the limited list of known combinations.
    By simply allowing symbols and other things in passwords, this means that a brute force attack must include all of the symbols and combinations possible.

    While it's likely that a password is "password" and not "!@#$%^&*", the fact that it could be means that the algorithm to break it must include both.

    Someone trying to crack a password has three options:
    1) Guess a password that the user might be using. For example, the username, or "password" or some other really bad password. This includes anything that could be guessed as well, such as a birthday, a pet's name, basically anything easy to remember, and all dictionary words, and anything on a "most common passwords" list.

    2) Try every combinatorial possibility that the system would allow. This will take a very long time, but it can't miss anything.

    3) Assume the user didn't use a hard-to-crack password and assume certain things like "only one special character", "mostly lowercase letters", "mostly real words", or anything like that. In other words: cut out the really bizarre passwords and assume something normal.

    It's group 3 that is complicated, both for users and for password breakers. So this is why many websites require certain things like minimum 8 characters, a mix of symbols and upper/lowercase letters, numbers, etc. Ironically this makes the job of method (2) easier, but the job of method (3) harder. The reason that these are in place is to effectively stop anyone from running a basic algorithm that either: 1) just checks the most common passwords (there are lists of "100 most common passwords", and these would work well against a site like facebook with millions of users if you aren't targeting any individual users), or 2) assumes not-so-complicated passwords as in method (3) above.


    So, what's the solution?
    Well, brute force methods take a long time to crack long passwords. They're not perfectly secure, but a longer password is certainly better. Anything under 5 characters is simply a bad idea-- that would take minutes or hours, not days. It all depends on connection speed, and especially the number of retries permitted*, but 6-8 is reasonable to run with brute force, and anything above around 8 is pretty secure. If you want to add a few more characters, personally I think something around 10 is good. More if you want, but there's no need to be excessive.

    The second trick is to figure out what characters to include. First, I actually WOULD recommend using a password you can remember. (Or memorize a random string of letters/numbers.) This isn't a problem. But don't use only that. Add a number to the end, or to the beginning, and/or a symbol. The reason for this is simple: it will mean that the only way to crack it with brute force will be an algorithm that includes symbols/numbers. In fact, skip the number and just use a symbol.

    Let's create a dummy password. Let's take a very non-secure password like "password". How can we make it secure?

    1) Is it something people could guess? Yes! Ok, so just add something to it:
    $password
    Is it something people could guess? No, not really. Maybe still? Ok, if you're worried about it, try this:
    $password1208
    1208 = today's date... assume this is your birthday, again something easy to remember.

    Now it's almost impossible that a friend or family member (or anyone else) could guess your password. They'd need to guess all three parts and put them in the right order; and once they do that, the number of combinatorial possibilities for similarly-clever passwords is huge, so they'd never actually reach this. They'd give up after trying a few things, like maybe "password" and "1208" and move on to other ideas-- your pet's name, or whatever.

    And could this be on any lists of most common passwords? Obviously not.

    So far... safe.

    2) Is this long enough to be relatively safe if someone is using pure brute force? Yes. It's well over 8 characters and it contains symbols and numbers, so that means they'd need to be running 40+ characters, making the exponent 40^N. And 40^8 is a huge number, but in reality it would be (40+)^13.
    If someone can still crack this, why bother worrying about it? I don't see the point.

    (If you do obsessively want to be safer, of course you could just write the password two times. But 40^8 is already around 6 trillion, so I wouldn't bother.)

    3) Finally, we've already covered this one. The password can't be guessed/cracked using any shortcuts, because there's a dollar sign in it and because it's a combination of several things that don't have any logical reason for being together.



    In short, I recommend the following three points:
    1) Use a password that you could not guess. (This way your friends/family can't either.)
    2) Make it at least 6-8 characters long, probably 8-10 to be completely sure.
    3) Include something (a symbol, probably) that forces the brute force algorithm to try everything. Think of the $ above.



    As for what you should do as a web designer, what passwords you would require, I'd suggest not requiring anything too strict. Personally I find those things to be annoying. Strongly suggest a few points from above, that it's not a dictionary word for example. Beyond that, just require it's 6+ or 8+ characters, and maybe that it includes a symbol.
    Of course if the password crackers are smart, maybe they'll realize that a lot of your users have the most basic password within that, that it's exactly 8 characters and has exactly one symbol. But there's not much you can do.


    --
    *As a website designer, if you simply block all attempts after 5 (or even after 100), you will effectively block all brute force attacks from your website. The only way in after that is someone guessing the password of someone they know, using the not secure method (1) described above.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
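    The post above reasons about three attacker methods (common-password lists, pure brute force, and "assume a normal shape") and sizes the search space as 40^N. The following is an added example, not code from the thread, that puts numbers on each model for the post's own $password1208: it computes the brute-force keyspace from the character classes actually used, the keyspace of the "word plus symbol plus digits" mask that a method-(3) attacker would run, and the keyspace of a passphrase built from a public wordlist, then converts each into time at an assumed guess rate. The character-class sizes, the 100,000-word cracking list, the 2,048-word passphrase list and the three guess rates are all assumptions set in the constants.

```python
"""Search-space arithmetic for the attacker models described in the post above.

Added example, not code from the thread. Every alphabet size, wordlist size
and guess rate here is an assumption; adjust the constants to your own threat model.
"""
import math
import re

# Assumed sizes of the printable-ASCII character classes.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
CLASS_RES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
DICT_WORDS = 100_000    # assumed size of the attacker's cracking wordlist
PHRASE_WORDS = 2_048    # assumed size of the list a random passphrase is drawn from

# Assumed guess rates (guesses per second) for three attacker positions.
RATES = {
    "online, 20 tries/hour per account": 20 / 3600,
    "online, no lockout": 100.0,
    "offline, stolen fast hashes": 1e10,
}


def bits(keyspace: int) -> float:
    """Strength in bits: log2 of the guesses needed to exhaust a search space."""
    return math.log2(keyspace)


def brute_force_keyspace(pw: str) -> int:
    """Method (2) from the post: every string of the same length over the
    character classes pw actually uses. A symbol or digit widens the alphabet."""
    alphabet = sum(size for cls, size in CLASS_SIZES.items() if CLASS_RES[cls].search(pw))
    return alphabet ** len(pw)


PLAIN_WORD = re.compile(r"[A-Z]?[a-z]{3,}")
# 'optional symbol + (Capitalised) word + up to four digits + optional symbol':
# the shape of the post's $password1208.
MANGLED_WORD = re.compile(r"[^A-Za-z0-9]?[A-Z]?[a-z]{3,}[0-9]{0,4}[^A-Za-z0-9]?")


def plain_word_keyspace(pw: str):
    """Method (1) from the post: a wordlist run in both capitalisations."""
    return 2 * DICT_WORDS if PLAIN_WORD.fullmatch(pw) else None


def mangled_word_keyspace(pw: str):
    """Method (3) from the post: an attacker who assumes the mangled-word shape
    tries (33 leading choices) x (2 x DICT_WORDS words) x (11111 digit
    suffixes of length 0-4) x (33 trailing choices). None if pw does not fit."""
    if not MANGLED_WORD.fullmatch(pw):
        return None
    lead = trail = CLASS_SIZES["symbol"] + 1        # any one symbol, or none
    words = 2 * DICT_WORDS
    digits = sum(10 ** n for n in range(5))         # 0..4 digits = 11111 choices
    return lead * words * digits * trail


def passphrase_keyspace(n_words: int, list_size: int = PHRASE_WORDS) -> int:
    """Words drawn at random from a public list: list_size to the power of the word count."""
    return list_size ** n_words


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    return keyspace / rate


def human_time(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(pw: str) -> dict:
    """(keyspace, bits) under every model that applies to pw."""
    models = {"brute force": brute_force_keyspace(pw)}
    for name, fn in (("plain word", plain_word_keyspace), ("mangled word", mangled_word_keyspace)):
        space = fn(pw)
        if space is not None:
            models[name] = space
    return {name: (space, round(bits(space), 1)) for name, space in models.items()}


if __name__ == "__main__":
    for pw in ("password", "$password", "$password1208"):
        for model, (space, b) in report(pw).items():
            times = ", ".join(f"{human_time(seconds_to_exhaust(space, r))} ({k})"
                              for k, r in RATES.items())
            print(f"{pw!r:16} {model:13} {b:5.1f} bits: {times}")
    space = passphrase_keyspace(4)
    offline = seconds_to_exhaust(space, RATES["offline, stolen fast hashes"])
    print(f"4 random words   {bits(space):5.1f} bits: {human_time(offline)} offline")
```

    Under these assumptions $password1208 is about 79 bits against pure brute force but only about 41 bits against an attacker who runs the mangled-word mask, and the $ and the date add almost nothing to the second figure because the mask already enumerates them. The number that matters is the smallest keyspace among the models an attacker can plausibly apply, not the largest, and the guess rate matters as much as the keyspace: the same 41 bits take a few minutes offline and many thousands of years behind a 20-tries-per-hour lockout.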


  4. #3 (keyboard1333)

    Quote Originally Posted by djr33:
    *As a website designer, if you simply block all attempts after 5 (or even after 100), you will effectively block all brute force attacks from your website. The only way in after that is someone guessing the password of someone they know, using the not secure method (1) described above.
    Is there any reason to force an 8-character (or longer) password on users if you do that? Wouldn't a 5- or 6-character password (assuming it's not something really obvious and it has a symbol or such) be sufficient?

    Also, how'd you go about doing this. Normally, I just set a cookie that expires in a shortish amount of time (or sometimes use a session) to stop them... Is this the best way to do it? Maybe deny all attempts using that username for a set period of time?

    Keyboard1333

  5. #4 (james438)

    On a related note

    http://xkcd.com/936/
    To choose the lesser of two evils is still to choose evil. My personal site


  7. #5 (djr33)

    Quote Originally Posted by keyboard1333:
    Is there any reason to force an 8-character (or longer) password on users if you do that? Wouldn't a 5- or 6-character password (assuming it's not something really obvious and it has a symbol or such) be sufficient?
    I think most of this comes from assuming that users are stupid, at least some of them. If you allow "password" to be someone's password, that means that some (small?) percentage of your users are bound to be hacked. But if you add some arbitrary requirements that rule out the 'stupid' passwords, you'll stop the stupid users from using stupid passwords.
    Whatever philosophical/moral viewpoints there are... I'll leave that up to you.

    8 is reasonably long and 5-6 is significantly less secure. I see no problem with the 8 character minimum; it's usually the other things that bother me. For example, my university just reminded me that I need to change my password for the year. This sort of thing gets on my nerves, while I think 8 characters is acceptable and is (a minimum) default for me. But other users might be annoyed.

    Quote Originally Posted by keyboard1333:
    Also, how'd you go about doing this. Normally, I just set a cookie that expires in a shortish amount of time (or sometimes use a session) to stop them... Is this the best way to do it? Maybe deny all attempts using that username for a set period of time?
    No. The cracking attempts would come from an automated device that would ignore cookies and so forth. The security would need to be serverside. There are basically two ways to do it, or you could combine them:
    1. Limit the number of all password attempts (=login attempts, etc.) from a single IP. (Or if you have another way to define the connection, that's equivalent. Usually IP though. Maybe a set of IPs. No more than 1,000 attempts from some range of IPs in case someone is rotating through a few.)
    2. Limit the number of password attempts for a certain account-- if someone (=anyone) tries to log in to some user's account more than 5 (or 100) times in 1 hour, then block the account (permanently? until an email reset? for an hour?).
    (3. Also, you could block all login attempts at some limit, if it looks like the entire site is under attack. But obviously that's not a good day-to-day solution.)


    The main point I'd make here though is that most websites have a 5-attempt limit. I don't really like that. There are many websites on which I have accounts and I've forgotten my password but I know it's one of a dozen or so*. So I often lock myself out of my account. This is pointless. A brute force attack on a website would be thousands (or millions) of attempts. It's pretty obvious when someone has forgotten their own password (5 attempts? 100?) and when someone is blindly trying to guess their password (100+ attempts? 1000+?). For this reason I'd recommend setting a high limit, such as 100, or maybe just 20.
    This is slightly less secure if friends/family are trying to guess the password, but you have to rely on your users to not have a really bad password, and for that matter if you have rules like 8+/symbol then they probably will have no chance at guessing it anyway, within any reasonable number of guesses-- even 1000.


    (*On the other hand, I do appreciate the added security on websites I do care about and for which I know my passwords well. So if this is for a bank, a lower limit is acceptable. If it's for a site that people love, like DD, then perhaps a lower limit is also acceptable. But then what about all of those once-a-year DD visitors who probably forgot their password? Isn't the 5-attempt limit annoying for them? All of this is up to you. But regardless I still don't think 20 attempts is unreasonable unless this is intended to be the strongest type of security, such as for a bank.)
    Last edited by djr33; 08-09-2012 at 12:25 AM.


  9. #6 (traq)

    As far as stopping brute force attempts, a simple and extremely effective method is to simply lock a user's account for 2 seconds after a login attempt.

    Brute force relies on speed to be effective (two seconds is an eternity), whereas your real-people users can't focus (no autofocus after failed attempts) and type that fast anyway.

    Regarding james' suggestion, absolutely, passphrases are preferable to passwords, by a long shot - easier to remember, harder to hack.
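    Posts #5 and #6 above describe three server-side controls: a per-IP attempt budget, a per-account failure budget (5, 20 or 100 tries per hour), and a fixed two-second lock on the account after every attempt. The following is an added example, not code from either poster, that combines all three in one throttle that sits in front of the password check. The limits and windows are illustrative defaults, the IP addresses and usernames in the demo are constructed, and the clock is injected so the behaviour can be exercised without sleeping.

```python
"""Server-side login throttling, as an added example (not code from the thread).

Combines the controls from the two posts above: a per-IP attempt budget, a
per-account failure budget, and a fixed two-second lock on the account after
every attempt. All limits and windows are illustrative defaults, and the clock
is injectable so the behaviour can be checked without sleeping.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    """In-memory state. A real deployment keeps this in a shared store (a
    database or cache) so it survives restarts and is seen by every server,
    and it never relies on anything the client sends back, such as a cookie."""

    def __init__(self, per_ip_limit=1000, per_ip_window=3600,
                 per_account_limit=20, per_account_window=3600,
                 min_interval=2.0, clock=time.monotonic):
        self.per_ip_limit = per_ip_limit
        self.per_ip_window = per_ip_window
        self.per_account_limit = per_account_limit
        self.per_account_window = per_account_window
        self.min_interval = min_interval
        self.clock = clock
        self._ip_attempts = defaultdict(deque)       # ip -> timestamps of all attempts
        self._account_failures = defaultdict(deque)  # username -> timestamps of failures
        self._last_attempt = {}                      # username -> timestamp of last attempt

    @staticmethod
    def _prune(stamps, now, window):
        """Drop timestamps older than the window and return how many remain."""
        while stamps and now - stamps[0] > window:
            stamps.popleft()
        return len(stamps)

    def check(self, ip, username):
        """Return (allowed, reason). Called before the password is verified."""
        now = self.clock()
        last = self._last_attempt.get(username)
        if last is not None and now - last < self.min_interval:
            return False, "too soon"            # the two-second lock from post #6
        if self._prune(self._ip_attempts[ip], now, self.per_ip_window) >= self.per_ip_limit:
            return False, "ip blocked"          # control 1 from post #5
        if self._prune(self._account_failures[username], now,
                       self.per_account_window) >= self.per_account_limit:
            return False, "account locked"      # control 2 from post #5
        return True, "ok"

    def record(self, ip, username, success):
        """Called after the password check with its outcome."""
        now = self.clock()
        self._last_attempt[username] = now
        self._ip_attempts[ip].append(now)
        if success:
            self._account_failures.pop(username, None)
        else:
            self._account_failures[username].append(now)

    def attempt(self, ip, username, password, verify):
        """Full flow: throttle, then verify(username, password), then record."""
        allowed, reason = self.check(ip, username)
        if not allowed:
            return False, reason
        ok = verify(username, password)
        self.record(ip, username, ok)
        return ok, "ok" if ok else "bad password"


if __name__ == "__main__":
    # Constructed scenario with a fake clock: an attacker hammers one account.
    now = [0.0]
    throttle = LoginThrottle(per_account_limit=3, clock=lambda: now[0])
    verify = lambda user, pw: (user, pw) == ("alice", "correct-password")
    for guess in ("password", "Password1", "alice123", "letmein"):
        print(now[0], throttle.attempt("203.0.113.9", "alice", guess, verify))
        now[0] += 0.1      # 10 guesses/second: everything after the first is "too soon"
    now[0] += 2.0
    for guess in ("qwerty", "alice2012", "welcome1", "correct-password"):
        print(now[0], throttle.attempt("203.0.113.9", "alice", guess, verify))
        now[0] += 2.0      # spaced out: failures accumulate until the account locks,
                           # and then even the right password is refused
```

    The reason strings are for your logs; the client should see one generic failure message regardless of which check fired, so an attacker cannot tell a lockout from a wrong guess. Two trade-offs the posts touch on are visible in the code: the per-account lock means anyone who knows a username can keep its owner locked out by sending a wrong password every hour, which is why a generous limit and a time-limited lock are the usual choice, and the per-IP budget does nothing against an attacker spread across many addresses, so the two controls are complementary rather than alternatives.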


  11. #7 (keyboard1333)

    Hmmm... thanks for all that info guys!
    What do you mean by passphrases? I didn't really understand the comic...

    P.s. Welcome back traq? (haven't seen you online for ages...)

  12. #8 (djr33)

    Quote Originally Posted by traq:
    Regarding james' suggestion, absolutely, passphrases are preferable to passwords, by a long shot - easier to remember, harder to hack.
    I'm not sure about this. Having a symbol is still important, because that means more combinatorial possibilities. Longer phrases are better in some sense, but there's a point where I think it's overkill. Logically, passphrases are better than passwords, sure, but by how much, and is it worth all of that extra typing (and typos)?

  13. #9 (traq)

    Quote Originally Posted by keyboard1333:
    Hmmm... thanks for all that info guys!
    What do you mean by passphrases? I didn't really understand the comic...

    P.s. Welcome back traq? (haven't seen you online for ages...)
    thanks! I had stuff to do. : )

    Quote Originally Posted by djr33:
    I'm not sure about this. Having a symbol is still important, because that means more combinatorial possibilities. Longer phrases are better in some sense, but there's a point where I think it's overkill. Logically, passphrases are better than passwords, sure, but by how much, and is it worth all of that extra typing (and typos)?
    Code:
    You Can $till Have Symbols!
    At the end of the day, it's in the user's hands, so it's really something that's out of your control as a programmer... But a passphrase is just a hard-to-guess, easy-to-remember password.

  14. #10 (keyboard1333)

    Quote Originally Posted by traq:
    thanks! I had stuff to do
    Lookin' good!

    Edit -
    Wow, just read through its thread at the sci-fi meshes forum and it looks amazing!
    Last edited by keyboard; 08-09-2012 at 05:32 AM.
