
  #1 DoubleDee (SitePoint Wizard)

    What makes a good Pass-Phrase??

    I would like to up-the-notch on my security practices and try to start using "Pass-Phrases" instead of a simple "Password". (A friend told me that using "password123" isn't as secure as I once thought?!)


    1.) How long does a Pass-Phrase have to be, to be effective?

    2.) If it is long enough, can it be a simple English sentence, or does it have to be... "AG13 di%n@#md394786!!*dkDHpnwQ"

    3.) What are some practical tips to remembering it?

    4.) Any other bits of wisdom you security experts can share?

    Sincerely,


    Debbie

  #2 cydewaze (SitePoint Wizard)
    If you consider this article, then length is what's most important.

    This cool tool seems to concur.

    I usually use a sentence containing seemingly random combinations of words that makes some sense to me.
    <cfset myblog = "http://cydewaze.org/">

  #3 felgall (Programming Since 1978)
    If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

    Provided you hash the entire value (plus a salt) in one go the longer the value that is used the longer it would take a brute force attack to break it - assuming that you don't have security in place to prevent infinite guesses at high speed. Simply calling it a passphrase rather than password would help encourage people to enter longer values. One site I saw some time ago (can't remember where) suggested using four words strung together without spaces.

    I remember reading somewhere that Windows chunks the password in 7 character sections for processing which has the unexpected result that an 8 character long password there can be easier to crack than a 7 character one and 15 characters can be easier to crack than 14 - since depending on what you know about the person cracking the single character may provide clues as to what the rest are likely to be.

    If the site places limitations on password entry - such as locking the account completely after three wrong guesses or locking the account for a few seconds after each wrong guess - then a brute force attack is far less likely to work and alternate approaches to trying to crack a password are less reliant on the length of the password - so that a three character password and a thirty character password regardless of what they contain are not significantly different in how secure they are.


    Using a password or pass phrase by itself is not as secure as was once thought. Systems requiring greater security now require more than just a value supposedly known only to you in order to gain access. Often they require that you also enter a code generated or sent to a device that you carry where that code is only valid for a minute or two - meaning that gaining access also requires that you have the device available to generate the unique code. Some are even looking at fingerprints and similar as further identification.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
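    As an added example (my own code, not anything posted in this thread), here is the arithmetic behind felgall's two points above: a longer value means more work for a brute-force attacker, and a lockout after wrong guesses changes the picture entirely. The guess rates are constructed assumptions for illustration, not measurements. The word-based model assumes each word is picked uniformly at random from a list (the "four words strung together" scheme); a natural English sentence has far less entropy than that model gives it, because words in real sentences are predictable.

```python
import math

# Constructed guess rates for illustration only (assumptions, not measurements).
OFFLINE_GUESSES_PER_SEC = 1e10          # attacker holds the hash; fast single-pass hash
ONLINE_LOCKOUT_GUESSES_PER_SEC = 1 / 5  # site pauses a few seconds after each wrong guess

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_chars(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password of `length` symbols drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_bits_words(dictionary_size: int, n_words: int) -> float:
    """Bits of entropy for a passphrase of `n_words` words drawn uniformly
    at random from a word list of `dictionary_size` entries.
    Only valid when the words really are random, not a sentence."""
    return n_words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to try every value in a space of 2**bits guesses."""
    return (2.0 ** bits) / guesses_per_sec


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_sec) / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Return {scheme: (bits, offline_years, online_lockout_years)} for the
    password shapes discussed in the thread."""
    schemes = {
        # 8 chars from upper + lower + digits + ~32 punctuation = 94 symbols
        "8 mixed chars (94-symbol alphabet)": entropy_bits_chars(94, 8),
        # 15 or 20 chars of only a-z, 0-9 and space = 37 symbols
        "15 chars, a-z 0-9 space": entropy_bits_chars(37, 15),
        "20 chars, a-z 0-9 space": entropy_bits_chars(37, 20),
        # four random words from a 7776-word list
        "4 random words (7776-word list)": entropy_bits_words(7776, 4),
    }
    return {
        name: (
            round(bits, 1),
            years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC),
            years_to_exhaust(bits, ONLINE_LOCKOUT_GUESSES_PER_SEC),
        )
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, offline, online) in compare_schemes().items():
        print(f"{name:38s} {bits:6.1f} bits   offline: {offline:10.3g} y   "
              f"online with lockout: {online:10.3g} y")
```

    The two columns make felgall's point: with only a stored hash to attack, the 8-character mixed password is exhausted in well under a year at the assumed offline rate, while 20 characters of plain letters, digits and spaces are out of reach; with a lockout that throttles guesses to one every few seconds, even the 8-character value would take longer than the site will exist, which is why he says length matters far less once the site limits attempts.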

  #4 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by felgall:
    If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

    Provided you hash the entire value (plus a salt) in one go the longer the value that is used the longer it would take a brute force attack to break it - assuming that you don't have security in place to prevent infinite guesses at high speed. Simply calling it a passphrase rather than password would help encourage people to enter longer values. One site I saw some time ago (can't remember where) suggested using four words strung together without spaces.

    Currently, I require Passwords to have....
    Code:
        - At least 1 Upper-Case Letter
        - At least 1 Lower-Case Letter
        - At least 1 Number
        - At least 1 Special Character
        - Between 8-15 Characters

    And when a user registers or re-sets a Password, I use this code...
    PHP Code:
        // Create Salt: 10 hex characters taken from a SHA-1 of a random unique id.
        $salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);

        // Create Hash: HMAC-SHA512 over password + salt, keyed with the site-wide
        // secret constant VINEGAR (a "pepper" defined elsewhere in the application).
        $hash = hash_hmac('sha512', $pass . $salt, VINEGAR);

    Unfortunately, I have not had the time or resources to add code that locks things out after multiple or rapid attempts, although I could do this down the road.


    So how does what I just described fit into what you are saying, plus my OP about "What makes a good Pass-Phrase"??

    Sincerely,


    Debbie

  #5 cydewaze (SitePoint Wizard)
    To me, a good passphrase is something easy for me to remember, but difficult for a machine to crack.

    So "I ate 1000 bowls of chicken soup" is easier to remember and harder to guess than "Sit3p0iNt^"
    <cfset myblog = "http://cydewaze.org/">

  #6 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by cydewaze:
    To me, a good passphrase is something easy for me to remember, but difficult for a machine to crack.

    So "I ate 1000 bowls of chicken soup" is easier to remember and harder to guess than "Sit3p0iNt^"
    So do you think that a Pass-Phrase that is maybe 15, 20, or more characters made up of just simple A-Z, 0-9 and spaces is good enough?


    Debbie

  #7 cydewaze (SitePoint Wizard)
    Quote Originally Posted by DoubleDee:
    So do you think that a Pass-Phrase that is maybe 15, 20, or more characters made up of just simple A-Z, 0-9 and spaces is good enough?
    Assuming it's not something easily guessable by a human, yes. I've used things like the first four cities I visited in Europe. Unless I'm being hacked by my mom, no one's going to guess that.

    I'm all for strong passwords, but when sites enforce rules (especially varying rules), they're forcing me to write down a password that I'll lose, and I'll end up doing a reset. One site will enforce password standards like yours up above, and another one (like my phone company) will forbid special characters, so now whatever mental policy I use to set passwords is out the window, and the next time I visit the site I'm doing a reset.
    <cfset myblog = "http://cydewaze.org/">

  #8 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by cydewaze:
    Assuming it's not something easily guessable by a human, yes. I've used things like the first four cities I visited in Europe. Unless I'm being hacked by my mom, no one's going to guess that.

    I'm all for strong passwords, but when sites enforce rules (especially varying rules), they're forcing me to write down a password that I'll lose, and I'll end up doing a reset. One site will enforce password standards like yours up above, and another one (like my phone company) will forbid special characters, so now whatever mental policy I use to set passwords is out the window, and the next time I visit the site I'm doing a reset.
    Not sure I want to take the time to change my Password code to Pass-Phrase code before I go live, but I will definitely start using that soon enough.

    BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?

    Sincerely,


    Debbie

  #9 cydewaze (SitePoint Wizard)
    Quote Originally Posted by DoubleDee:
    BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?
    To be honest, I pay more attention to minimum lengths than maximum ones, so I can't really answer that. I generally use passphrases for SSH access to Linux machines, and they usually have a huge max length.

    Don't forget that (like felgall mentioned) hashed passwords are all the same length when stored.
    <cfset myblog = "http://cydewaze.org/">

  #10 felgall (Programming Since 1978)
    Quote Originally Posted by DoubleDee:
    BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?
    The upper limit should be infinite. The practical limit will be the maximum length that can be passed in a form field.

    Once it gets to the server a trillion character password will take up as much space as a one character password once it has been hashed so there is no reason to set arbitrary maximums.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
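    As an added example (my own code, not the PHP from post #4 and not anything felgall posted), a registration and login check that ties post #4 together with felgall's point in #3 and #10: the policy puts a floor on length but no ceiling, and the stored record is the same size whether the value is one character or a hundred thousand. It uses PBKDF2-HMAC-SHA512 from the Python standard library rather than a single hash_hmac call, so each guess costs an attacker many iterations instead of one; the per-user salt comes from os.urandom. PEPPER plays the role of the thread's VINEGAR constant, and its value here is a constructed placeholder. Reading "special character" as ASCII punctuation is my assumption, since the thread does not define it.

```python
import hashlib
import hmac
import os
import string

# Constructed placeholder for the site-wide secret the thread calls VINEGAR.
# In a real deployment it lives in configuration, never in the database.
PEPPER = b"replace-me-with-a-random-secret-kept-outside-the-db"
PBKDF2_ITERATIONS = 100_000  # raise until one check costs ~100 ms on your server
SALT_BYTES = 16
DIGEST_BYTES = 64            # SHA-512 output length

PASSPHRASE_MIN_LENGTH = 15


def check_complexity_policy(pw: str) -> list:
    """The rules listed in post #4: one of each class and 8-15 characters.
    Returns a list of failures; empty means the value is accepted."""
    problems = []
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):   # assumption: "special" = punctuation
        problems.append("needs a special character")
    if not 8 <= len(pw) <= 15:
        problems.append("must be 8-15 characters")
    return problems


def check_passphrase_policy(pw: str, min_length: int = PASSPHRASE_MIN_LENGTH) -> list:
    """Length floor only: any characters, spaces included, and no maximum,
    because the stored hash is the same size regardless of input length."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"must be at least {min_length} characters")
    if len(set(pw)) < 4:
        problems.append("too repetitive")
    return problems


def _derive(pw: str, salt: bytes) -> bytes:
    # Pepper first (HMAC keyed with the server secret), then a slow, salted KDF.
    peppered = hmac.new(PEPPER, pw.encode("utf-8"), hashlib.sha512).digest()
    return hashlib.pbkdf2_hmac("sha512", peppered, salt, PBKDF2_ITERATIONS, DIGEST_BYTES)


def register(pw: str) -> str:
    """Apply the passphrase policy and return the record to store:
    hex(salt) + '$' + hex(hash). Raises ValueError when the policy fails."""
    problems = check_passphrase_policy(pw)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(SALT_BYTES)
    return salt.hex() + "$" + _derive(pw, salt).hex()


def verify(record: str, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, hash_hex = record.split("$", 1)
    expected = bytes.fromhex(hash_hex)
    return hmac.compare_digest(_derive(attempt, bytes.fromhex(salt_hex)), expected)


def stored_length(pw: str) -> int:
    """Record size for any value, policy aside: the reason no maximum is needed."""
    salt = os.urandom(SALT_BYTES)
    return len(salt.hex() + "$" + _derive(pw, salt).hex())


if __name__ == "__main__":
    for candidate in ["Sit3p0iNt^", "I ate 1000 bowls of chicken soup", "password123"]:
        print(repr(candidate),
              "| complexity:", check_complexity_policy(candidate) or "ok",
              "| passphrase:", check_passphrase_policy(candidate) or "ok")
    rec = register("I ate 1000 bowls of chicken soup")
    print("record length:", len(rec), "| same for 1 char:", stored_length("x") == len(rec))
    print("correct:", verify(rec, "I ate 1000 bowls of chicken soup"),
          "| wrong:", verify(rec, "I ate 999 bowls of chicken soup"))
```

    Run as a script it shows the two policies disagreeing exactly as cydewaze describes: "Sit3p0iNt^" satisfies every complexity rule and fails the passphrase floor, "I ate 1000 bowls of chicken soup" fails the complexity rules on length and punctuation yet is the stronger value, and "password123" fails both. The record is 161 characters for every input, which is felgall's argument against an upper limit. Note that neither the policy nor the hashing replaces the lockout or throttling felgall describes; the slow KDF only raises the cost of an offline attack on a stolen hash.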

