  1. #1
    SitePoint Wizard DoubleDee's Avatar

    What makes a good Pass-Phrase??

    I would like to up-the-notch on my security practices and try to start using "Pass-Phrases" instead of a simple "Password". (A friend told me that using "password123" isn't as secure as I once thought?!)


    1.) How long does a Pass-Phrase have to be, to be effective?

    2.) If it is long enough, can it be a simple English sentence, or does it have to be... "AG13 di%n@#md394786!!*dkDHpnwQ"

    3.) What are some practical tips to remembering it?

    4.) Any other bits of wisdom you security experts can share?

    Sincerely,


    Debbie

  2. #2
    SitePoint Wizard bronze trophy cydewaze's Avatar
    If you consider this article, then length is what's most important.

    This cool tool seems to concur.

    I usually use a sentence containing seemingly random combinations of words that makes some sense to me.

  3. #3
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

    Provided you hash the entire value (plus a salt) in one go the longer the value that is used the longer it would take a brute force attack to break it - assuming that you don't have security in place to prevent infinite guesses at high speed. Simply calling it a passphrase rather than password would help encourage people to enter longer values. One site I saw some time ago (can't remember where) suggested using four words strung together without spaces.

    I remember reading somewhere that Windows chunks the password in 7 character sections for processing which has the unexpected result that an 8 character long password there can be easier to crack than a 7 character one and 15 characters can be easier to crack than 14 - since depending on what you know about the person cracking the single character may provide clues as to what the rest are likely to be.

    If the site places limitations on password entry - such as locking the account completely after three wrong guesses or locking the account for a few seconds after each wrong guess - then a brute force attack is far less likely to work and alternate approaches to trying to crack a password are less reliant on the length of the password - so that a three character password and a thirty character password regardless of what they contain are not significantly different in how secure they are.


    Using a password or pass phrase by itself is not as secure as was once thought. Systems requiring greater security now require more than just a value supposedly known only to you in order to gain access. Often they require that you also enter a code generated or sent to a device that you carry where that code is only valid for a minute or two - meaning that gaining access also requires that you have the device available to generate the unique code. Some are even looking at fingerprints and similar as further identification.
    Stephen J Chapman


  4. #4
    SitePoint Wizard DoubleDee's Avatar
    Quote Originally Posted by felgall View Post
    If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

    Provided you hash the entire value (plus a salt) in one go the longer the value that is used the longer it would take a brute force attack to break it - assuming that you don't have security in place to prevent infinite guesses at high speed. Simply calling it a passphrase rather than password would help encourage people to enter longer values. One site I saw some time ago (can't remember where) suggested using four words strung together without spaces.

    Currently, I require Passwords to have....
    Code:
    - At least 1 Upper-Case Letter
    - At least 1 Lower-Case Letter
    - At least 1 Number
    - At least 1 Special Character
    - Between 8-15 Characters

    And when a user registers or re-sets a Password, I use this code...
    PHP Code:
    // Create Salt: 10 hex characters taken from the SHA-1 of a unique, random value.
    $salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);

    // Create Hash: HMAC-SHA512 over the submitted password ($pass) plus the salt,
    // keyed with a site-wide secret constant (VINEGAR is defined elsewhere in the config).
    $hash = hash_hmac('sha512', $pass . $salt, VINEGAR);

    Unfortunately, I have not had the time or resources to add code that locks things out after multiple or rapid attempts, although I could do this down the road.


    So how does what I just described fit into what you are saying, plus my OP about "What makes a good Pass-Phrase"??

    Sincerely,


    Debbie

  5. #5
    SitePoint Wizard bronze trophy cydewaze's Avatar
    To me, a good passphrase is something easy for me to remember, but difficult for a machine to crack.

    So "I ate 1000 bowls of chicken soup" is easier to remember and harder to guess than "Sit3p0iNt^"

  6. #6
    SitePoint Wizard DoubleDee's Avatar
    Quote Originally Posted by cydewaze View Post
    To me, a good passphrase is something easy for me to remember, but difficult for a machine to crack.

    So "I ate 1000 bowls of chicken soup" is easier to remember and harder to guess than "Sit3p0iNt^"
    So do you think that a Pass-Phrase that is maybe 15, 20, or more characters made up of just simple A-Z, 0-9 and spaces is good enough?


    Debbie

  7. #7
    SitePoint Wizard bronze trophy cydewaze's Avatar
    Quote Originally Posted by DoubleDee View Post
    So do you think that a Pass-Phrase that is maybe 15, 20, or more characters made up of just simple A-Z, 0-9 and spaces is good enough?
    Assuming it's not something easily guessable by a human, yes. I've used things like the first four cities I visited in Europe. Unless I'm being hacked by my mom, no one's going to guess that.

    I'm all for strong passwords, but when sites enforce rules (especially varying rules), they're forcing me to write down a password that I'll lose, and I'll end up doing a reset. One site will enforce password standards like yours up above, and another one (like my phone company) will forbid special characters, so now whatever mental policy I use to set passwords is out the window, and the next time I visit the site I'm doing a reset.

  8. #8
    SitePoint Wizard DoubleDee's Avatar
    Quote Originally Posted by cydewaze View Post
    Assuming it's not something easily guessable by a human, yes. I've used things like the first four cities I visited in Europe. Unless I'm being hacked by my mom, no one's going to guess that.

    I'm all for strong passwords, but when sites enforce rules (especially varying rules), they're forcing me to write down a password that I'll lose, and I'll end up doing a reset. One site will enforce password standards like yours up above, and another one (like my phone company) will forbid special characters, so now whatever mental policy I use to set passwords is out the window, and the next time I visit the site I'm doing a reset.
    Not sure I want to take the time to change my Password code to Pass-Phrase code before I go live, but I will definitely start using that soon enough.

    BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?

    Sincerely,


    Debbie

  9. #9
    SitePoint Wizard bronze trophy cydewaze's Avatar
    Quote Originally Posted by DoubleDee View Post
    BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?
    To be honest, I pay more attention to minimum lengths than maximum ones, so I can't really answer that. I generally use passphrases for SSH access to Linux machines, and they usually have a huge max length.

    Don't forget that (like felgall mentioned) hashed passwords are all the same length when stored.

  10. #10
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by DoubleDee View Post
    BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?
    The upper limit should be infinite. The practical limit will be the maximum length that can be passed in a form field.

    Once it gets to the server a trillion character password will take up as much space as a one character password once it has been hashed so there is no reason to set arbitrary maximums.
    Stephen J Chapman


  11. #11
    SitePoint Wizard DoubleDee's Avatar
    Quote Originally Posted by felgall View Post
    The upper limit should be infinite. The practical limit will be the maximum length that can be passed in a form field.

    Once it gets to the server a trillion character password will take up as much space as a one character password once it has been hashed so there is no reason to set arbitrary maximums.
    I'm not understanding you here...

    If Person #1 sets a Pass-Phrase as "Hi", and it gets hashed to, say, a 40 character Hash, and Person #2 sets a Pass-Phrase to "I ate 1000 bowls of chicken soup for breakfast this morning at my grandma's house in Miami", and it also gets hashed to, say, a 40 character Hash, then I don't see how the Length matters?!


    Also, could you please comment on whether the approach and code I posted above is secure?

    Sincerely,


    Debbie

  12. #12
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by DoubleDee View Post
    then I don't see how the Length matters?!
    1. You need to at least add a salt to the password when hashing it. That then means that two passwords that would otherwise have mapped to the same hash will now map to different hashes, and that if someone has reused the same password across different sites, then because your site uses a different salt to the other sites where they used it, finding a value that works for one site will not allow the finder to break into another site that uses the same password.

    2. A longer password is harder to guess than a shorter one. This makes little difference to brute force attacks processing thousands of guesses a second, but makes a big difference if the site only allows three guesses before locking the account or only allows one guess every ten seconds (and will ignore all but the first guess if the guesses are made faster than that).

    Switching from a short password to a longer passphrase is what the users can do to build on the security of their login provided that the site has already implemented salted hashes and blocks brute force attacks. If those security measures are not implemented by the site then their account will be insecure regardless of what password or passphrase they choose.
    Stephen J Chapman

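    The two guess-limiting policies described in this post (a wait after every wrong guess, with faster guesses ignored, and a hard lock after three wrong guesses), as an added Python example; this is not code from the thread or from any poster, and the class name, the three-failure limit and the 10-second base delay are assumptions chosen for the demonstration:

    ```python
    from dataclasses import dataclass, field


    @dataclass
    class LoginThrottle:
        """Per-account guess limiter (constructed for this example).

        A wrong guess imposes a wait that grows with the failure count; any
        guess made before the wait is over is ignored, not evaluated. Once
        `max_failures` wrong guesses accumulate the account is locked until
        an administrative unlock."""
        max_failures: int = 3          # assumption: hard lock after 3 wrong guesses
        base_delay: float = 10.0       # assumption: 10 s wait, multiplied by failures
        _state: dict = field(default_factory=dict)  # user -> (failures, not_before)

        def check(self, user: str, now: float) -> tuple[bool, str]:
            """Whether a guess for `user` may be evaluated at time `now`."""
            failures, not_before = self._state.get(user, (0, 0.0))
            if failures >= self.max_failures:
                return False, "locked"
            if now < not_before:
                return False, "too fast"
            return True, "ok"

        def attempt(self, user: str, password_ok: bool, now: float) -> tuple[bool, str]:
            """Record one login attempt. `password_ok` is the caller's result of
            verifying the submitted password against the stored salted hash,
            which it should only compute after check() allows the guess."""
            allowed, reason = self.check(user, now)
            if not allowed:
                return False, reason
            if password_ok:
                self._state.pop(user, None)   # success clears the failure history
                return True, "ok"
            failures = self._state.get(user, (0, 0.0))[0] + 1
            self._state[user] = (failures, now + self.base_delay * failures)
            if failures >= self.max_failures:
                return False, "locked"
            return False, "wrong password"

        def unlock(self, user: str) -> None:
            """Administrative reset, e.g. after an out-of-band identity check."""
            self._state.pop(user, None)


    def demo() -> list[tuple[bool, str]]:
        """Constructed timeline (times in seconds) for one account."""
        t = LoginThrottle()
        return [
            t.attempt("debbie", False, 0.0),     # wrong guess: 10 s wait imposed
            t.attempt("debbie", True, 5.0),      # correct, but too soon: ignored
            t.attempt("debbie", True, 12.0),     # correct after the wait: accepted
            t.attempt("debbie", False, 100.0),   # wrong: 10 s wait
            t.attempt("debbie", False, 120.0),   # wrong again: 20 s wait
            t.attempt("debbie", False, 150.0),   # third wrong guess: locked
            t.attempt("debbie", True, 1000.0),   # right password, still refused
        ]


    if __name__ == "__main__":
        for granted, reason in demo():
            print(granted, reason)
    ```

    Note that the ignored guess at 5 s is refused even though the password was right, which is exactly the trade-off felgall describes: rapid guessing stops working, at the cost of an occasional wait for the legitimate user.
    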

  13. #13
    SitePoint Enthusiast scout1idf's Avatar
    Quote Originally Posted by DoubleDee View Post
    then I don't see how the Length matters?!

    If you have an upper limit of say 50 characters, then your user can't use a pass phrase like "I ate 1000 bowls of chicken soup for breakfast this morning at my grandma's house in Miami" if they want to.

    Felgall's suggestions about "salting" and a minimum character limit of 30 would help with security.

    Just my opinion...

  14. #14
    SitePoint Wizard DoubleDee's Avatar
    Stephen, you're not reading what I said above...

    Quote Originally Posted by felgall View Post
    1. You need to at least add a salt to the password when hashing it
    And I showed code above that does that using a Salt... (If you look above, you'll also see I use Vinegar...)


    2. A longer password is harder to guess than a shorter one.
    Again, if all passwords get hashed to a hash that is the same length, then I am not understanding where length comes in???

    If the password "Hi" gets hashed to "1234567890xxxxxxxxxx1234567890xxxxxxxxx"

    ...and the password "This is a much longer pass-phrase which should be more secure" gets hashed to "0987654321yyyyyyyyyy0987654321yyyyyyyyyy"

    ...then it seems to me that the hackers just have to hack a 40-digit password in each case??


    It also seems to me that if my Pass-Phrase is 150 characters, and it gets hashed to 40-characters, then I lose 110 characters of Pass-Phrase security...


    Debbie

  15. #15
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Quote Originally Posted by DoubleDee View Post
    If the password "Hi" gets hashed to "1234567890xxxxxxxxxx1234567890xxxxxxxxx"

    ...and the password "This is a much longer pass-phrase which should be more secure" gets hashed to "0987654321yyyyyyyyyy0987654321yyyyyyyyyy"

    ...then it seems to me that the hackers just have to hack a 40-digit password in each case??
    That's not the case, because hackers need to find the password that maps to the hash; they don't need to fill in the hash that you store in the database in the login form (I hope!). So in order to log in they need to find that one string [password] that -combined with salt, vinegar, what have you- maps to the hash you have stored in the database (in some hashing algorithms like md5 there may be multiple strings that map to the same hash, but the chances are extremely low and most people have moved on to something like sha1 anyway).

    So in that case a longer password really does make it more secure because there are a lot more possibilities than with a shorter password. For simplicity's sake, if you only consider letters (lower and upper case) and numbers, every position you add to the password multiplies the number of possibilities a hacker has to go through by 62, and in general the number of possibilities is 62^(number of characters). Use some graph software to draw that function and see what happens.
    Rémon - Hosting Advisor

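    The two points argued in this post and the ones before it (the digest has the same length whatever the input, and the number of candidates grows as 62^length) worked through in Python as an added example; this is not code from the thread or from any poster. The salt, the two passwords from the thread, the 7776-word list size for felgall's four-word tip, and the two guess rates (one guess per 10 s online, 10^9 per second offline against a leaked fast hash) are assumptions made for the demonstration:

    ```python
    import hashlib
    import hmac
    import math

    # Constructed inputs: the two passwords compared in the thread and a
    # constructed (not secret) salt so the run is repeatable.
    SHORT_PW = "Hi"
    LONG_PW = ("I ate 1000 bowls of chicken soup for breakfast this morning "
               "at my grandma's house in Miami")
    DEMO_SALT = b"constructed-demo-salt"


    def salted_hash(password: str, salt: bytes) -> str:
        """Hex HMAC-SHA512 of the password keyed by the salt (same shape as the
        scheme posted above; used here only to show the digest length is fixed).
        A deliberately slow password hash is the better choice for real storage."""
        return hmac.new(salt, password.encode("utf-8"), hashlib.sha512).hexdigest()


    def digest_lengths() -> tuple[int, int]:
        """A 2-character and a 90-character input both give a 128-hex-char digest."""
        return (len(salted_hash(SHORT_PW, DEMO_SALT)),
                len(salted_hash(LONG_PW, DEMO_SALT)))


    def char_keyspace(alphabet_size: int, length: int) -> int:
        """Candidates of exactly `length` symbols from an alphabet of
        `alphabet_size` (62 = A-Z, a-z, 0-9, as in the post)."""
        return alphabet_size ** length


    def word_keyspace(dictionary_size: int, words: int) -> int:
        """Candidates for a passphrase of `words` words from a public word list;
        the attacker is assumed to know the list, so each word is one symbol."""
        return dictionary_size ** words


    def entropy_bits(space: int) -> float:
        return math.log2(space)


    def years_to_exhaust(space: int, guesses_per_second: float) -> float:
        return space / guesses_per_second / (365 * 24 * 3600)


    def compare() -> dict[str, float]:
        """Years to try every candidate under two assumed attacker models:
        online guessing throttled to one guess per 10 s, and offline guessing
        at 10^9 guesses/s against a leaked fast (unsalted-speed) hash."""
        online, offline = 0.1, 1e9
        cases = {
            "8 chars, 62 symbols": char_keyspace(62, 8),            # the 8-char minimum
            "20 chars, 62 symbols": char_keyspace(62, 20),
            "4 words from a 7776-word list": word_keyspace(7776, 4),  # four-word tip
        }
        out = {}
        for name, space in cases.items():
            out[name + " / online"] = years_to_exhaust(space, online)
            out[name + " / offline"] = years_to_exhaust(space, offline)
        return out


    if __name__ == "__main__":
        print("digest lengths:", digest_lengths())
        for name, years in compare().items():
            print(f"{name}: {years:.3g} years")
    ```

    The output makes the thread's distinction concrete: with online throttling even an 8-character password takes tens of millions of years to exhaust, while against a leaked fast hash at 10^9 guesses/s the same keyspace falls in about two and a half days and a four-word phrase in about six weeks, so length (or a slow password hash) is what buys time once the hashes leak.
    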

  16. #16
    SitePoint Wizard DoubleDee's Avatar
    Quote Originally Posted by felgall View Post
    If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.


    Quote Originally Posted by ScallioXTX View Post
    That's not the case, because hackers need to find the password that maps to the hash; they don't need to fill in the hash that you store in the database in the login form (I hope!). So in order to log in they need to find that one string [password] that -combined with salt, vinegar, what have you- maps to the hash you have stored in the database (in some hashing algorithms like md5 there may be multiple strings that map to the same hash, but the chances are extremely low and most people have moved on to something like sha1 anyway).
    So hackers are trying to guess just the Password, and obviously, a shorter Password is easier to guess than a long one, right?

    And the fact that a Password of Length=2 or Length=200 gets reduced to a Hash Length=40 shouldn't really be a concern of mine, right?

    But tell me more about these "collisions"?

    If "password123" and "cotton candy" both resolve to "1234567890xxxxxxxxxx1234567890yyyyyyyyyy", then do I have to worry that User 1 could hack into User 2's account?

    And could that collision break my PHP code or my database?

    I guess I am not understanding where this would cause issues?


    So in that case a longer password really does make it more secure because there are a lot more possibilities than with a shorter password. For simplicity's sake, if you only consider letters (lower and upper case) and numbers, every position you add to the password multiplies the number of possibilities a hacker has to go through by 62, and in general the number of possibilities is 62^(number of characters). Use some graph software to draw that function and see what happens.
    Do you use pass-phrases?

    If so, how long on average?

    And if so, can you share in general terms the "formula" you use to achieve a level of security that you are happy with?

    For example, would a Pass-Phrase like this be good enough for starters...

    "I love spending my Saturday's at the library"

    Thanks,


    Debbie

  17. #17
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by DoubleDee View Post
    Do you use pass-phrases?
    I don't. I try to avoid using sites that don't have proper security installed. For sites that do have proper security, anyone trying to break in gets at most five guesses as to what the password or passphrase is, and so the length doesn't really matter. ATMs that would provide access to your money only allow four digit numbers as passwords and three guesses, and they are considered to be secure enough for that purpose, so provided that the number of guesses is limited and the password length is greater than three characters, the account isn't likely to be compromised that way.

    It is the lack of proper security, where someone can make a million guesses every few minutes, that makes a longer password or phrase take significantly longer to guess than a shorter one (centuries rather than days).

    Of course it is easier to break in when they don't have to guess completely at random what the password is and instead use social media to work out what your password is most likely to be or use some means of actually capturing it (such as installing a keylogger on your computer) - in those cases it can make little or no difference what your password is.
    Stephen J Chapman


  18. #18
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Quote Originally Posted by DoubleDee View Post
    So hackers are trying to guess just the Password, and obviously, a shorter Password is easier to guess than a long one, right?
    Right

    Quote Originally Posted by DoubleDee View Post
    And the fact that a Password of Length=2 or Length=200 gets reduced to a Hash Length=40 shouldn't really be a concern of mine, right?
    Right

    Quote Originally Posted by DoubleDee View Post
    But tell me more about these "collisions"?

    If "password123" and "cotton candy" both resolve to "1234567890xxxxxxxxxx1234567890yyyyyyyyyy", then do I have to worry that User 1 could hack into User 2's account?
    No. The only thing that could happen is that multiple passwords work for a user, but as I said the chance is extremely small. If you use sha1 you shouldn't worry about this.

    Quote Originally Posted by DoubleDee View Post
    And could that collision break my PHP code or my database?
    Nope.
    Rémon - Hosting Advisor


  19. #19
    SitePoint Member
    Well, a good password is a combination of letters, numbers and special characters. You can protect your password from hackers if you know the ways of hacking and the weak points of passwords.


    See http://shoutingblogger.blogspot.com/...om-hacker.html
    Last edited by Mittineague; May 7, 2013 at 11:56. Reason: fixing link

