  1. #1
    DoubleDee (SitePoint Wizard)

    Thinking of switching to Pass-Phrases

    I'm debating whether I should require Pass-Phrases on my new website.

    Currently a Password must be...
    Code:
    - 8 to 15 Characters
    - At least one Uppercase
    - At least one Lowercase
    - At least one Number
    - At least one Special Character

    My concern is that if I make things too difficult for people, they simply won't become Members?!

    (Let's face it, not long ago most users struggled coming up with simple 6-8 character alphanumeric Passwords!!)


    Would it make sense to leave my Password requirements as-is, and then maybe do some articles and "member education" before then forcing people to create Pass-Phrases??

    Also, there is the question, "How difficult must the Pass-Phrases be?"

    Some research shows that even Pass-Phrases aren't all that secure.



    Ideally, I would like to require the following...

    Pass-Phrases Requirements:
    Code:
    - 15 to 40 Characters
    - At least one Uppercase
    - At least one Lowercase
    - At least one Number
    - At least one Special Character

    Is that asking too much for the average user??


    If I am going to make the switch, I'd just as soon do it now before I am done Testing my website. But as mentioned above, I'd hate to make things too technical and difficult and scare everyone away!!

    Suggestions?


    Debbie

  2. #2
    dklynn (Certified Ethical Hacker)
    DD,

    You're to be commended on the password requirements you've had as they make breaking the passwords (if not dictionary words used) nearly impossible.

    Of course, increasing the length of the password (AND requiring the same mix of characters) will only strengthen the password but, IMHO, that's not a realistic burden to put on casual users.

    Please remember that Security is a trade-off between Risk, Cost and Convenience.

    Many websites (and cPanel) use a combination script to evaluate password strength and/or generate a strong one at the push of a button. You may want to search for one of those as that would handle the Convenience very nicely, be of low (probably no) Cost and the strength would minimize Risk.

    Regards,

    DK

  3. #3
    TheRedDevil (SitePoint Wizard)
    We made an algorithm years ago that compares the password strength depending on what the user enters, and at the start we used it to enforce that the accounts had a password of at minimum "good" strength.

    As you have noticed, this can turn off some users from creating an account/buying your product. After we just left the algorithm as a visual guide (javascript) showing color codes as the user enters their password, we saw an increase in the number of users completing the signup, and surprisingly just having the visual aid on the password strength was enough for most people to create a stronger password.

    I noticed one of your password restrictions is that it needs to be 8 to 15 characters. I would remove the max length, as you don't care if the user enters a password that is eight characters or forty characters long; since the password is hashed before being stored in the database, the max length of the password does not matter.
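    The two rule sets from post #1 and the advisory strength meter from post #3 can be expressed together as a small checker. This is an added example, not code from any poster; the rule descriptions, the `enforce_max` switch (dropping the upper bound as post #3 suggests) and the point-based scoring in `strength_label` are constructed for illustration.

```python
import string

# Rule sets as the thread states them (post #1): the current password policy and
# the proposed pass-phrase policy. Only the length bounds differ.
PASSWORD_RULES = {"min_len": 8, "max_len": 15}
PASSPHRASE_RULES = {"min_len": 15, "max_len": 40}

# Character-class requirements shared by both rule sets.
CLASS_CHECKS = {
    "at least one uppercase": lambda s: any(c.isupper() for c in s),
    "at least one lowercase": lambda s: any(c.islower() for c in s),
    "at least one number": lambda s: any(c.isdigit() for c in s),
    "at least one special character": lambda s: any(c in string.punctuation for c in s),
}


def check_policy(secret, rules, enforce_max=True):
    """Return the rule descriptions `secret` fails; an empty list means it is accepted.

    enforce_max=False drops the upper length bound, following post #3: the stored
    value is a fixed-size hash, so a long pass-phrase costs the database nothing.
    """
    failures = []
    if len(secret) < rules["min_len"]:
        failures.append(f"at least {rules['min_len']} characters")
    if enforce_max and len(secret) > rules["max_len"]:
        failures.append(f"at most {rules['max_len']} characters")
    for description, test in CLASS_CHECKS.items():
        if not test(secret):
            failures.append(description)
    return failures


def strength_label(secret):
    """Coarse label for a colour-coded meter in the spirit of post #3 (advisory only).

    Scoring is a constructed heuristic: one point per character class present plus
    one point per eight characters of length.
    """
    score = sum(1 for test in CLASS_CHECKS.values() if test(secret))
    score += len(secret) // 8
    if score <= 2:
        return "weak"
    if score <= 4:
        return "good"
    return "strong"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, check_policy(candidate, PASSWORD_RULES), strength_label(candidate))
```

    Running `check_policy` on the server is what enforces the policy; `strength_label` is what the signup form would colour as the user types, so a weak label never blocks the signup by itself.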

  4. #4
    Force Flow (Barefoot on the Moon!)
    A relevant webcomic on the subject: http://xkcd.com/936/

  5. #5
    \\.\ (SitePoint Enthusiast)
    You could try what my bank does.

    To log in to my bank's internet banking you have a three step approach.

    #1 - entering your 10 digit internet banking account number
    #2 - enter three elements from your password, these are randomly requested
    for example if your password is "aSecurePassword" and the log in system asks you to enter characters 2,6,13 you would then need to enter S,r & o
    #3 - enter a reply to one of three questions that were set when you made the account
    a) Your favorite Movie or TV program
    b) Your favorite School Subject or Hobby
    c) A place memorable to you

    =====================================

    On the surface that doesn't look like much protection until you do the math, which I am not going to attempt to do because it is a seriously huge enormous number, possibly in the realms of a Google.

  6. #6
    TheRedDevil (SitePoint Wizard)
    Quote Originally Posted by \\.\
    On the surface that doesn't look like much protection until you do the math, which I am not going to attempt to do because it is a seriously huge enormous number, possibly in the realms of a Google.
    The problem is that this is not really as "secure" as it might seem.

    The only secure part of it is the password, and even that is flawed since it means they store the passwords readable on their side (hopefully encrypted). In addition it forces you as a user to start thinking, since you need specific letters from the password text, and not the full thing.

    On point three, you would be surprised how easy questions like that can be "broken" by a little social engineering, especially these days with all the online systems people use (facebook, linkedin, twitter etc).

  7. #7
    \\.\ (SitePoint Enthusiast)
    It is very secure I can assure you, because the hacker needs to know specific information about you; they would have to try and calculate three (separate entries) single letters each time you attempt a log in, and you have another scenario of needing 1 of three randomly selected questions and answers.

    So you have a 10 digit account number, that's 10^10 * 10^9 * 10^8 * 10^7 * 10^6 * 10^5 * 10^4 * 10^3 * 10^2 * 10^1 * 65^3 * 65^2 * 65^1 * 3^3 * 3^2 * 3^1 = 5.49804E+68 combinations or thereabouts.

    I am pretty sure that is a big enough number of combinations to secure an online bank account or any kind of passwording system. Sure all passwords are stored as a secure hashed code; what idiots would store passwords as items that can be decoded?

    As for breaking the case with social engineering, that is a matter of stupidity on people's part for putting their life online. Sure I have a Facebook account but screw Zuckerberg, all my personal information is wrong, birthday, place I live, etc... What kind of moron tells someone who sells your personal data about yourself?

    As for the questions, they are not "The Questions" they are an example to show how it works.

  8. #8
    ScallioXTX (Utopia, Inc.)
    I agree that 8 to 15 characters is strong enough. If you really want to add more security I would add something like Google Authenticator (see http://blog.liip.ch/archive/2011/08/...r-and-php.html) so that people get a code from their phone that changes every 30 seconds they need to fill in along with the username and password.

    This is a combination of something you know (i.e., your password), plus something you own (i.e., your phone), making it a very good security measure. Better than any password on its own, ever.

  9. #9
    TheRedDevil (SitePoint Wizard)
    Quote Originally Posted by \\.\
    It is very secure I can assure you because the hacker needs to know specific information about you, they would have to try and calculate three (separate entries) single letters each time you attempt a log in and you have another scenario of needing 1 of three randomly selected questions and answers.
    If someone tries to hack a bank account, or any system at all, through the website login system, then it is because they at least have partial information about the account.

    There is no one who would try to brute force something unless they know they have at least one valid entity, i.e. username, bank account number etc. Otherwise you just don't know which one is throwing the failure.

    Quote Originally Posted by \\.\
    I am pretty sure that is a big enough number of combinations to secure an online bank account or any kind of passwording system. Sure all passwords are stored as a secure hashed code, what idiots would store passwords as items that can be decoded?
    If you stop for a second and think about how you explained the password phrase works, you will see that there is no way it can be stored hashed, as that is a one way encryption. I.e. you would need to enter the entire password phrase each time, instead of a section of it.

    Quote Originally Posted by \\.\
    As for the questions, they are not "The Questions" they are an example to show how it works.
    The major issue with this one is that they protect the account with the "password phrase characters"; this is so your information is not captured, allowing someone else to login to your account. But the problem is that if someone is able to capture the information once, they just need to wait for you to access the bank account several times, and the chance for them to be able to successfully login is quite large.

    Today, there are trojan horses which help criminals to even do money transfers from banks which use RSA keys for protection, which is a much more delicate process given the lifespan of the RSA keys.

    Personally, I would not even use online banking unless they use an RSA key system, or at least a one-time key based system (i.e. codes on a paper) which is applied both when you login, but also to approve every transaction.

    Quote Originally Posted by ScallioXTX
    This is a combination of something you know (i.e., your password), plus something you own (i.e., your phone), making it a very good security measure. Better than any password on its own, ever.
    This can be a good idea, assuming that your member group has access to a mobile phone that supports the app. Though you can be using normal RSA key generators; they have actually become quite inexpensive the last few years.

    Though, for a normal membership website, it might be overkill due to the extra steps the users need to take to login.

    Also keep in mind, if the database is breached and they get the RSA ids (which are used to know what key is generated per user) then this security layer is broken; due to that it's best to encrypt the id stored on the server side per user.

  10. #10
    \\.\ (SitePoint Enthusiast)
    You forget that each character can be stored as a hash, so if your password is qazwer1234?p you have 12 characters that get encoded, the system knows that the characters sent via HTTPS are not coded until the server hashes each character and checks against the stored hash.

    If you allow non standard characters like my bank does, you have 65 potential variances of upper and lower case and non standard characters.

    The bank account number for online banking is not your account number, it is long enough to make the possible combinations too long to spend too much time, even if it is brute forced, the next problem to resolve is the 12 digit password that has 3 chosen characters at random and then one of three questions that are questions chosen by the user.

    You also have to know where the person banks and overcome HTTPS which is encrypted in any case.

    So if 5.49804E+68 combinations isn't big enough, even at a rate of 10 tries per second,

    we are talking about 1.74E+60 years to crack. Sure, you would possibly crack the combination earlier; this obviously assumes that you have to go through every combination to hack it and doesn't take into account randomness or someone keeping the details written down.

    If the system was not secure, banks wouldn't use it. Apart from that there's another element with telephone banking attached to the online element that requires an additional 4 digit pin to access the menu, and then you need the online banking log in...
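    Posts #9 and #10 disagree on whether a "type characters 2, 6 and 13" login can sit on top of hashed storage. The added example below (not code from either poster, nor from any bank) puts both designs side by side: a conventional salted PBKDF2 hash of the whole password, which can only ever answer "is this the complete password?", and the per-character scheme post #10 describes. The audit function at the end makes TheRedDevil's point concrete: a digest of a single character can only take as many values as the alphabet has symbols, so the per-character record is the password in a different encoding rather than a one-way hash of it. The 94-symbol alphabet, the sample password from post #5 and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import string

# Alphabet assumed for the per-character scheme. Post #10 puts the bank's at 65
# symbols; this constructed example uses all 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ITERATIONS = 200_000  # constructed work factor for PBKDF2


def store_full(password: str) -> dict:
    """Conventional storage: one salted, slow hash over the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, attempt: str) -> bool:
    """The only question a full-password hash can answer: is `attempt` the whole password?"""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def store_per_char(password: str) -> list:
    """The scheme post #10 describes: every character hashed on its own (constructed)."""
    return [hashlib.sha256(c.encode()).hexdigest() for c in password]


def verify_positions(record: list, positions: list, chars: str) -> bool:
    """Check only the requested positions (1-indexed, as in post #5's "2, 6, 13")."""
    return all(
        hmac.compare_digest(record[p - 1], hashlib.sha256(c.encode()).hexdigest())
        for p, c in zip(positions, chars)
    )


def per_char_record_to_plaintext(record: list) -> str:
    """Audit check: with len(ALPHABET) possible digests per position, the stored
    record maps back to the password by table lookup, so a database leak exposes
    it exactly as plaintext storage would."""
    table = {hashlib.sha256(c.encode()).hexdigest(): c for c in ALPHABET}
    return "".join(table[d] for d in record)


if __name__ == "__main__":
    full = store_full("aSecurePassword")
    print("full-hash verify:", verify_full(full, "aSecurePassword"))
    partial = store_per_char("aSecurePassword")
    print("positions 2,6,13 = S,r,o:", verify_positions(partial, [2, 6, 13], "Sro"))
    print("record recovers to:", per_char_record_to_plaintext(partial))
```

    The conclusion for a membership site is the one post #9 draws: a partial-character login requires the server to hold the password in recoverable form, so the design choice is between that and a full-password hash, not between two kinds of hashing.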

  11. #11
    TheRedDevil (SitePoint Wizard)
    Quote Originally Posted by \\.\
    If the system was not secure, banks wouldn't use it, apart from that there's another element with telephone banking attached to the online element that requires an additional 4 digit pin to access the menu and then you need the online banking log in...
    I am sorry, but you are coming at this from the wrong angle. You assume that someone would "brute force" your bank login, which no one would ever try to do.

    By intercepting the data, for example by a targeted trojan, which is the way bank accounts are "taken over" these days, the attacker will be able to get all of your information. So since there is no completely random item like an RSA key, as long as they monitor anyone using your bank long enough, they will gather enough information to have a high chance to get access to their account.

    Keep in mind that this kind of fraud is today a billion dollar industry, and different criminal organizations have their own software development companies these days.

    In regards to "if it was not secure, the banks would not use it", that is false by itself. In the US several banks only require a username and password when you login, same in several east European countries (and possibly other places in the world). These banks would claim their login process is secure, but since they are not behind a large banking group they don't have the resources to roll out proper and secure solutions to their customers. Please note that for some countries this development is slow because Internet banking does not give you full control over your assets yet, so even if someone gets access to the account, the damage that can be done is limited.

