  1. #1
    DoubleDee

    Highly Secure yet User-Friendly Passwords?!

    What approach gives you the MOST SECURE PASSWORDS that are also high on the USER-FRIENDLY scale??

    I am building a new site, and decided to use the following Password Requirements...
    Code:
        At least 1 Upper-Case Letter
        At least 1 Lower-Case Letter
        At least 1 Number
        At least 1 Special Character
        Between 8-15 Characters

    To my dismay, I got slammed in this SitePoint reply

    DeathShadow then added on to this...
    I'm with the folks saying 'bad' on the requirements -- in fact one of your requirements makes it EASIER to crack, the short length... see the xkcd comic on the subject.. Passwords like that are a social engineering disaster as users will end up writing it down on a sticky pad on the monitor or under the keyboard because they can't remember it. (or worse shove it into a password 'manager' tool)

    But I'm the nut who allows 127 character passwords if the user wants to have it. Security is still PEBKAC, but for the people who aren't a problem, give them the tools to not be a problem... forcing case sensitive nonsense, numbers, special characters and then putting an absurdly short length on it? Doesn't actually make it more secure.

    Besides, 15 characters annoys me since my standard passwords are 18 to 32 characters in length.
    Was it really such a "Mortal Sin" for me to require Upper-Case, Lower-Case, Numbers, and Special Characters in my Passwords??

    Would requiring a Pass-Phrase be better??

    Should I give people the choice??

    Other ideas??

    So what do you think?

    What makes up the equation for the MOST SECURE PASSWORDS that are ALSO USER-FRIENDLY??


    I know this is a highly contested topic, but like most things, I am sure there is an answer that best addresses the problem at hand!

    Okay, let the cage match begin...


    Debbie

  2. #2
    logic_earth
    Really the only thing you should really set is a minimum length, like 8 characters or so. If a user sets a weak password that is their own doing; trying to force a user is not going to help any. The only thing you can do is make sure your side of things keeps the user's data safe.

    While we are on the discussion of passwords, what you should not do is restrict passwords in any way. By that I mean, allow everything and anything to be submitted as a password. "SELECT * FROM fauxtable" should be a valid password. Savvy? The reason you can accept anything as a password is that the moment you run it through a digest (hash) function it only contains known values. (When a digest is encoded in hexadecimal it only contains 0-9 a-f as a string)
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Wizard
    This: http://xkcd.com/936/

    That is a comic, but at the same time it is 100% correct. A password like "i want some pie" is way more secure than "p4$Sw0rD!", not to mention easier to remember and type, but harder for a computer to guess, largely because it just contains more letters and thus wouldn't be tried for quite some time.

    I just read DS' reply and he also mentions the xkcd comic. It may be a comic, but it is 100% accurate.

    I'm with DS on this one... allow really long passwords (somewhere in the neighborhood of 100 characters sounds good). As logic_earth said, don't put any restrictions on it either. Once it's hashed a " becomes the same as an A. All of those password character restrictions (no special characters, etc.) are really from an antiquated time in computer programming. The contents of the password should mean very little to you (in terms of what to prevent from coming in). Give them a minimum length (8 sounds good, but I would recommend you recommend longer to your users).

    The most common forms of hacking nowadays aren't actually "hacking"... it's social engineering. The one method DS mentioned is common: complex password, written on Post-it stuck to computer monitor or hidden under keyboard. Any brute force method can be stopped by proper controls (locking an account after 3-10 failed attempts... I highly recommend the larger number). The other common method people will get in is through security flaws in the code, and no user password is going to save you from this one.
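    The failed-attempt lockout described just above, written out as an added example in Python (this is not code from samanime or from anyone in this thread). The threshold of 10 consecutive failures (the upper end of the 3-10 range mentioned) and the 15-minute lock duration are assumptions; the clock is injectable so the lock expiry can be exercised without waiting.

```python
import time
from collections import defaultdict

MAX_FAILURES = 10          # assumption: upper end of the 3-10 range discussed
LOCKOUT_SECONDS = 15 * 60  # assumption: a temporary lock, not a permanent one


class LoginThrottle:
    """Per-account counter of consecutive failed logins with a timed lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                     # injectable for testing
        self.failures = defaultdict(int)       # username -> consecutive failures
        self.locked_until = {}                 # username -> clock value when lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear the state so the user gets a fresh budget.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
        return self.is_locked(username)

    def record_success(self, username):
        self.failures[username] = 0
        self.locked_until.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Return 'ok', 'failed' or 'locked'. A locked account refuses even the right password,
    so the attacker cannot confirm a guess during the lock window."""
    if throttle.is_locked(username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "locked" if throttle.is_locked(username) else "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    verifier = lambda user, pw: pw == "right"   # constructed stand-in for a real check
    for guess in ("a", "b", "c", "right"):
        print(guess, "->", attempt_login(throttle, "alice", guess, verifier))
```

The lock is deliberately temporary: a permanent lock after N failures lets anyone lock a victim out by typing wrong passwords, so a short timed window plus logging of the lock event is the usual trade-off.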

  4. #4
    DoubleDee
    Quote Originally Posted by samanime:
    I'm with DS on this one... allow really long passwords (somewhere in the neighborhood of 100 characters sounds good).
    I'm open to that.


    As logic_earth said, don't put any restrictions on it either. Once it's hashed a " becomes the same as an A. All of those password character restrictions (no special characters, etc.) are really from an antiquated time in computer programming. The contents of the password should mean very little to you (in terms of what to prevent from coming in). Give them a minimum length (8 sounds good, but I would recommend you recommend longer to your users).
    But I just spent the last week or two learning how to keep my Passwords safe in my database, and it is incorrect to say "Because user passwords get hashed, using 'LetMeIn' or 'Password' is just as safe as 'j2#Mh87K*1'"

    If you understand how Rainbow Tables work, then you'll know that the first two examples above are guaranteed to be in a Rainbow Table whereas the last one is not...

    I agree that longer Passwords are one of your best tools for fighting them being guessed, but it is naive to think that English words under 10 characters are safe because they get hashed!


    The most common forms of hacking nowadays aren't actually "hacking"... it's social engineering. The one method DS mentioned is common: complex password, written on Post-it stuck to computer monitor or hidden under keyboard.
    First off, that is not "Social Engineering"...

    Secondly, any password which others can see in plain sight is not a secure password!


    Any brute force method can be stopped by proper controls (locking an account after 3-10 failed attempts...
    And my question was based around whether 8-15 random ASCII characters meeting my Password Restrictions is safer or is there a better strategy.

    Using my way, on an English keyboard you have 94 different key combinations - at least on my MacBook - for each position times to the 8th power on the low end and the 15th power on the high end. Seems pretty strong to me...


    Debbie

  5. #5
    SitePoint Wizard
    I know exactly how rainbow tables work. =) I never said that "LetMeIn" is as strong as "j2#Mh87K*1". What I said was restricting users from using a symbol nowadays is silly. You often see things that say "no special characters" or "only @$&", etc. Those are pointless nowadays.

    You actually have your numbers switched. If you have 94 possible characters, a password with 8 characters is 8^94. =p Regardless, it's still a huge number.

    And no, my example isn't the classic definition of social engineering. It's more like passive social engineering, because the would-be hacker doesn't have to do anything other than find a Post-it. =p However, in an office environment (especially a large one) this can be very dangerous and is a very frequent process (in the office where I work we have probably 30 people; I bet if I was given a half hour I could find 15 of their passwords).

    The complex passwords with nonsense characters are what causes them to write it down. If it's something simple like "i want some pie", that is just as secure (as it's 15 characters, that's a lot of possible guesses). It's just as secure (if not more secure) from traditional hacking methods and it's also less likely to be written down or something easily guessed (like a child's name which is another common password).

    Is what you describe secure? Probably
    Is it a bit silly? Probably

    And like the xkcd comic described, even with those requirements (notice the comic meets your requirements ), a simple long password is still more secure.

  6. #6
    logic_earth
    You may want to see: https://www.grc.com/haystack.htm
    It details that length is more important than having different characters and symbols.

    If you understand how Rainbow Tables work, then you'll know that the first two examples above are guaranteed to be in a Rainbow Table whereas the last one is not...
    They would only be in a rainbow table if you improperly store your passwords. Salting and peppering passwords avoids the issue of rainbow tables. I gave an example of how I do it here: http://www.sitepoint.com/forums/show...=1#post5052378

    Furthermore, rainbow tables are only a concern if the attacker gets your database. They are not useful otherwise.
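    Added example (not logic_earth's linked code, and not from anyone in this thread) of the storage scheme the post above argues for: a per-password random salt and a slow hash, here PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count and salt size are assumptions to tune for your hardware. The `unsalted_sha256` function is included only to show the property a rainbow table depends on: identical passwords producing identical stored values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for the example; raise ITERATIONS until one hash costs a noticeable
# fraction of a second on the machine that will verify logins.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The scheme a rainbow table targets: same input gives the same output everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash for storage.
    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>, so the parameters
    travel with the record and can be raised for new passwords later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                    # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two users choosing the same phrase get different records once salted.
    print(unsalted_sha256("i want some pie") == unsalted_sha256("i want some pie"))   # True
    first, second = hash_password("i want some pie"), hash_password("i want some pie")
    print(first == second)                                    # False
    print(verify_password("i want some pie", first))          # True
    # Anything is a valid password once it is only ever hashed, as logic_earth notes.
    print(verify_password("SELECT * FROM fauxtable",
                          hash_password("SELECT * FROM fauxtable")))   # True
```

The salt removes the precomputation advantage (every password must be attacked separately), and the iteration count makes each guess expensive; neither makes a password that is itself on a short common-password list safe, which is the point DoubleDee raises later in the thread.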


  7. #7
    DoubleDee
    Quote Originally Posted by samanime:
    I know exactly how rainbow tables work. =) I never said that "LetMeIn" is as strong as "j2#Mh87K*1". What I said was restricting users from using a symbol nowadays is silly. You often see things that say "no special characters" or "only @$&", etc. Those are pointless nowadays.
    Okay, but to be clear, I am not restricting people.


    You actually have your numbers switched. If you have 94 possible characters, a password with 8 characters is 8^94. =p Regardless, it's still a huge number.
    Nope. For an 8 character password it would be 94*94*94*94*94*94*94*94 = 94^8


    The complex passwords with nonsense characters are what causes them to write it down. If it's something simple like "i want some pie", that is just as secure (as it's 15 characters, that's a lot of possible guesses). It's just as secure (if not more secure) from traditional hacking methods and it's also less likely to be written down or something easily guessed (like a child's name which is another common password).
    Well, I agree that longer is better, but you know as well as I do that a lot of people's pass-phrases will become...

    - I like pie
    - I like the New York Yankees
    - I like SitePoint
    - How Now Brown Cow
    etc.

    And if it doesn't already exist, there is probably a honking big Rainbow Table with hashes for all of these obvious Pass-Phrases already calculated...

    Now, if you chose something like, "Using HTML Tables for formatting is antiquated" then that might be better.


    Is what you describe secure? Probably
    Is it a bit silly? Probably
    It is also par for the course in many environments. Doesn't make it the best, but it is better than 8-digit free-form Passwords which means [a-zA-Z]{8}...


    Debbie
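    The search-space arithmetic the two posters have been trading (94^8, not 8^94) worked through as an added example in Python, not code from either poster. It also carries the argument one step further than the posts do: the same 15-character phrase is scored twice, once as the attacker sees it if they know it is made of dictionary words (the weakness DoubleDee points out) and once as 15 arbitrary lowercase characters (the view samanime takes). The 2048-word list size and the guess rate of 10^9 per second are assumptions.

```python
import math

# Alphabet sizes used in the thread: 94 printable ASCII characters on a US keyboard
# (26 lower + 26 upper + 10 digits + 32 symbols). The word-list size is an
# assumption (2048 words, the size behind the xkcd comic's "44 bits").
PRINTABLE_ASCII = 94
LOWERCASE = 26
WORD_LIST = 2048


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates: alphabet_size ** length (94**8, not 8**94)."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a uniformly random choice among `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given offline guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e9) -> dict:
    """Entropy and exhaustive-search time for the password styles debated above."""
    cases = {
        "8 chars, 94-symbol alphabet": search_space(PRINTABLE_ASCII, 8),
        "15 chars, 94-symbol alphabet": search_space(PRINTABLE_ASCII, 15),
        # 'i want some pie' if the attacker knows it is four common words
        "4 words from a 2048-word list": search_space(WORD_LIST, 4),
        # the same phrase if the attacker only knows it is 15 lowercase letters
        "15 chars, 26-letter alphabet": search_space(LOWERCASE, 15),
    }
    return {name: (round(entropy_bits(space), 1), years_to_exhaust(space, guesses_per_second))
            for name, space in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  {years:12.3g} years at 1e9 guesses/s")
```

The gap between the two scores for the same phrase is the whole disagreement: a phrase is only as strong as the attacker's best model of how it was chosen, which is why a common-phrase blocklist matters more than a symbol requirement once passwords get long.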

  8. #8
    SitePoint Wizard
    Sorry, you're right about the number. It's been a long day. =p

    The point of a rainbow table is to basically condense down lots and lots of large calculations. If you wind up with a super giant rainbow table, you are almost at step one anyways. Also, it'd take quite a while to even bring a rainbow table like that into existence. And, as logic_earth said, rainbow tables only matter if they get a copy of your database. Even then, as he mentioned, if it's properly salted, a rainbow table is still unlikely to do them any good unless they can also get a hold of your encryption algorithm and you are using an encryption algorithm that can be decrypted... if they can get all of that you have much bigger security issues than user passwords.

    Add on top of that the fact that they would have to be able to run many tries against your site, you can just block failed attempts after x-number of tries.

    Rainbow tables are just one tiny portion of hacking, and in this case, not one that is very likely to be deployed.

    What you mentioned is kind of the "typical" approach to passwords which lots of people use. However, they all use it because someone before them used it. There isn't much actual factual basis for why that is the typical strategy nowadays. It just "sounds" good. Like that website logic mentioned, EVERY password, no matter how complex, can eventually be found. It's just a matter of "Will that be too soon . . . or enough later?"

    If you want to actually use a password that is more likely to keep you safe, go with the xkcd approach (I love that I'm quoting a comic for security matters =p).

  9. #9
    Community Advisor
    Disagree that there shouldn't be any restriction on what a user can enter. It's never a good idea to allow the username and password to be the same, or the most common stupid ones like 'password', '1234', etc.

  10. #10
    SitePoint Wizard
    I agree with that and it's a good point. I wasn't thinking in terms of that.

    When I said there shouldn't be any restrictions, I was thinking in terms of individual characters being restricted.

  11. #11
    DoubleDee
    Quote Originally Posted by logic_earth:
    You may want to see: https://www.grc.com/haystack.htm
    It details that length is more important than having different characters and symbols.
    Thanks for the link, but Steve Gibson is a nut-job and Leo Laporte must be getting kick-backs from Steve?!

    Steve makes some valid points, but it is also clear he was NOT a Math major - like I was - because on a spot check, some of his calculations are off. Also, he says things that are wrong in practical terms, for example, his "D0g........." drivel

    At any rate, I have always agreed that longer passwords are better.

    What I am interested in is...

    If I make the minimum password length 15-20 (and up to like 60 characters), thus requiring Pass Phrases (instead of Passwords), is it reasonable to drop my "One Upper-Case, One Lower-Case, One Digit, and One Special Character" requirements altogether??


    Debbie

  12. #12
    ralph.m
    Quote Originally Posted by DoubleDee:
    Was it really such a "Mortal Sin" for me to require Upper-Case, Lower-Case, Numbers, and Special Characters in my Passwords?
    I prefer not to be told what I have to use in my passwords, as I have a system I use for creating passwords that, while secure, makes them easier for me to remember. Perhaps just set a minimum number of characters, and encourage people to make them complex enough so that they are reasonably secure (via a little message in a box).

    Some sites have a colored bar that rates the security level of the password you are typing in, which has some merit, in my view.

  13. #13
    DoubleDee
    Quote Originally Posted by ralph.m:
    I prefer not to be told what I have to use in my passwords, as I have a system I use for creating passwords that, while secure, makes them easier for me to remember.
    Fair enough.


    Perhaps just set a minimum number of characters, and encourage people to make them complex enough so that they are reasonably secure (via a little message in a box).
    So what Minimum Length is acceptable to you?

    If I left alone "Ralph's Password System" BUT I required your Passwords to be AT LEAST 15 Characters, what would you say??


    Some sites have a colored bar that rates the security level of the password you are typing in, which has some merit, in my view.
    When I have time - maybe Release #3 - I hope to build my own "Password Strength Meter"...


    Debbie

  14. #14
    ralph.m
    Quote Originally Posted by DoubleDee:
    If ... I required your Passwords to be AT LEAST 15 Characters, what would you say?
    I consider that too long, personally. I'd say min-8 is fair enough. Remember that, if you make it too difficult for me to sign up, I probably won't bother. I have hundreds of passwords (sigh) but I've never been made to have at least 15 characters.

  15. #15
    DoubleDee
    Quote Originally Posted by ralph.m:
    I consider that too long, personally. I'd say min-8 is fair enough. Remember that, if you make it too difficult for me to sign up, I probably won't bother. I have hundreds of passwords (sigh) but I've never been made to have at least 15 characters.
    Come on, Ralph, you're talking out of both sides of your mouth?!

    Earlier you were complaining - along with others - because my Password requirements were "so restrictive"...

    So I backed off requiring Users to have to use all kinds of different characters, and instead proposed using a l-o-n-g-e-r password like suggested here.

    You sure seem hard to please on this topic...


    Debbie

  16. #16
    ralph.m
    I dunno what you are talking about. Just allow me to choose my own password, minimum of 8 characters. How easy is that? 15 characters is too long. If someone wants a password phrase 200 words long, telling a story about their pet horse or whatever, then fine, let them ... but don't expect me to do it.

  17. #17
    SitePoint Wizard
    Something ralph.m is alluding to is: let the user worry about it. If they choose something stupid simple and get hacked, it sucks to be them. If an ordinary user is hacked, the worst they can do is mess with that individual user's account. With all the keyloggers and social engineering out there, even if you required 200 character passwords, you'll still have users that get hacked.

    I hope you aren't putting so much effort into this unlikely avenue for hacking that you are missing other, much more likely types of attacks.

  18. #18
    DoubleDee
    Quote Originally Posted by samanime:
    Something ralph.m is alluding to is: let the user worry about it. If they choose something stupid simple and get hacked, it sucks to be them. If an ordinary user is hacked, the worst they can do is mess with that individual user's account. With all the keyloggers and social engineering out there, even if you required 200 character passwords, you'll still have users that get hacked.
    I don't know if I buy that, and THAT is what worries me...

    "Left to their own devices, people - especially Users of my system - will f*** things up 95% of the time!!!"


    I hope you aren't putting so much effort into this unlikely avenue for hacking that you are missing other, much more likely types of attacks.
    Just really worried about security and trying to not end up in the news!!!

    Yes, I know there are MANY places where my website could fail, and that is why I'm being so thorough, on this and hopefully ALL topics.

    BTW, back to my current argument with Ralph, so help me pick a fair compromise...

    I don't like Ralph's "Let users do as they wish"!!!

    I am somewhat flexible on password schemes IF it doesn't lead me down a path of insecurity.

    Personally, I like DeathShadow's idea of longer Pass-Phrases, but obviously people like Ralph do not like that.

    Any ideas to help me move forward?

    Thanks,


    Debbie

    P.S. After I get my Original Post figured out, feel free to append your "Dirty Dozen" list of other places you think I could get whacked by a hacker!!

  19. #19
    logic_earth
    Do what you want. It won't actually matter in this case. Even if you force a set pattern for passwords your users will still mess up 95% of the time. As you said. The insecurity of passwords comes from the end-users side of things, they can have a secure complicated password, yet a foolish mistake on their part is all it takes. Your site has no bearing on it.

    So my 2 cents, you are over thinking this whole thing.


  20. #20
    molona
    Quote Originally Posted by DoubleDee:
    I don't like Ralph's "Let users do as they wish"!!!
    Actually, even DS has said "let them do as they wish" which, in his case, is using long character passwords

    And I let them do what they wish because... when I'm asked for a password, I want to do what I wish too! My memory is mine and it works as it pleases... so I don't want anyone telling me which words/set of characters I need to remember

  21. #21
    SitePoint Wizard

  22. #22
    SitePoint Enthusiast
    Forget forcing character sets or schemes on users. A password strength meter combined with the backend to deny weak passwords will help a user choose a strong password. For example if they are entering an 8 character password, make them use a combination of upper and lower case and numbers, by rejecting passwords that don't.

    If they enter a really long password like "correct horse battery staple", then allow them not to use special chars/numbers etc.

    In doing so you will allow users to choose long secure passwords, without annoying them because they have to change all their e's to 3's to satisfy a number criterion that really only applies to making short passwords secure.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.
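    The length-dependent policy CoastWeb describes (character-class rules for short passwords, waived for long passphrases), combined with the username and common-password rejection from post #9 and a simple strength-meter estimate, as an added example in Python. This is not CoastWeb's code, phpSiteMinder's, or anything from the thread; the 8-character minimum is the thread's, while the 16-character passphrase threshold, the 128-character cap, the 40/60-bit meter bands and the blocklist entries are assumptions constructed for the example.

```python
import re
from math import log2
from typing import List

MIN_LENGTH = 8            # the thread's consensus floor
PASSPHRASE_LENGTH = 16    # assumption: at this length the character-class rule is waived
MAX_LENGTH = 128          # assumption: allow long passphrases, cap only bounds hashing cost

# Constructed blocklist for the example; production should load a real leaked-password list.
COMMON_PASSWORDS = {
    "password", "password1", "12345678", "qwerty123", "letmein", "iloveyou",
    "correct horse battery staple", "i like pie", "how now brown cow",
}

# (pattern, pool size) per class; pool sizes drive the naive strength estimate.
CHARACTER_CLASSES = {
    "upper": (re.compile(r"[A-Z]"), 26),
    "lower": (re.compile(r"[a-z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 32),
}
SHORT_PASSWORD_CLASSES = ("upper", "lower", "digit")   # required below PASSPHRASE_LENGTH


def _normalize(text: str) -> str:
    """Case-fold and collapse whitespace so 'Correct  Horse' matches the blocklist entry."""
    return " ".join(text.lower().split())


def check_password(password: str, username: str = "") -> List[str]:
    """Return the rule violations for `password`; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    if username and _normalize(password) == _normalize(username):
        problems.append("must not be the same as the username")
    if _normalize(password) in COMMON_PASSWORDS:
        problems.append("is on the list of common passwords")
    if len(password) < PASSPHRASE_LENGTH:
        missing = [name for name in SHORT_PASSWORD_CLASSES
                   if not CHARACTER_CLASSES[name][0].search(password)]
        if missing:
            problems.append("short passwords need upper, lower and digit characters "
                            f"(missing: {', '.join(missing)})")
    return problems


def estimate_bits(password: str) -> float:
    """Naive strength-meter estimate: length * log2(pool of character classes present).
    It overrates dictionary phrases, which is why the blocklist check exists alongside it."""
    pool = sum(size for pattern, size in CHARACTER_CLASSES.values() if pattern.search(password))
    return len(password) * log2(pool) if pool else 0.0


def strength_label(password: str) -> str:
    bits = estimate_bits(password)
    return "weak" if bits < 40 else "fair" if bits < 60 else "strong"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "iwantsomepie", "correct horse battery staple",
                      "i want some pie and coffee"):
        print(f"{candidate!r}: {strength_label(candidate)}, {check_password(candidate)}")
```

Note that the meter alone rates "correct horse battery staple" as strong; only the blocklist rejects it, which is exactly the gap DoubleDee worries about when predictable phrases are allowed.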

  23. #23
    DoubleDee
    Quote Originally Posted by CoastWeb:
    Forget forcing character sets or schemes on users. A password strength meter combined with the backend to deny weak passwords will help a user choose a strong password. For example if they are entering an 8 character password, make them use a combination of upper and lower case and numbers, by rejecting passwords that don't.

    If they enter a really long password like "correct horse battery staple", then allow them not to use special chars/numbers etc.

    In doing so you will allow users to choose long secure passwords, without annoying them because they have to change all their e's to 3's to satisfy a number criterion that really only applies to making short passwords secure.
    I agree that this approach is the best of both worlds.

    When there is time, I hope to build my own "Password Strength Meter" so Users can choose the type/style of strong password that they most prefer.

    (And I'll have to further consult with Ralph and make sure there is a "Ralph-type" password scheme too...)



    Debbie

  24. #24
    SitePoint Wizard
    The one thing to keep in mind is this: with those password reminders, you may just have people adding random characters to get it to pass, but it may wind up being something they can't remember and they constantly have to reset their password.

    I would be sure to have verbiage to indicate what you recommend for them.

  25. #25
    DoubleDee
    Quote Originally Posted by samanime:
    The one thing to keep in mind is this: with those password reminders, you may just have people adding random characters to get it to pass, but it may wind up being something they can't remember and they constantly have to reset their password.

    I would be sure to have verbiage to indicate what you recommend for them.
    Duly noted!

    Thanks,


    Debbie

