Click here to Skip to main content
Click here to Skip to main content

Ensuring Strong Passwords

, 10 Oct 2003 CPOL
Rate this:
Please Sign up or sign in to vote.
In this article, we will discuss a very brief technique and an overall idea of how to keep passwords sufficiently strong, so that a brute force generation and hack attempt could be blocked easily.

Introduction

In an earlier article, we saw about Encryption Algorithms and specifically about Message Digest 5 (MD5) algorithm. Whatever be the algorithm, there is also other set of preliminary guidelines for having passwords relatively stronger. I had an opportunity to investigate and do a small research on Application Security and Password Strength and Security.

Ascertaining that the user password is relatively safe and secure against brute force attacks, remains a crucial responsibility of the application itself. Perhaps the following guidelines. Perhaps, I would take this opportunity to make this simple article and I fervently hope that this article would surely help webmasters worldwide in ensuring that users of their applications have their passwords relatively safer and in proper strengths.

We would not cover any code description in this article, although we would touch the overall ideas involved. Perhaps to substantiate the topic and to explain it more, we would be touching code snippets in C#. I hope this should make the reader to be in a comfortable position in implementing the Strong Password algorithm in whatever language, he is implementing the application.

Password (Minimum) Guidelines

  1. The application should ensure that the user password caters to a minimum length. A minimum of 8 characters like what MSN Hotmail uses should be a good example.
  2. To prevent errors in remembering the passwords, the application has to restrict the password length to a definite maximum length and inform the user gracefully, if he exceeds, than just truncating the password to the application maximum cutoff size.
  3. A password too simple like all numerals, all alphabets should be blocked off even at the first step and should be informed to the user immediately.
  4. A password that is just alphanumeric can be further treated in the following way:
    1. The first character must be an alphabet and the last character must also be.
    2. The middle characters must have at least one number.
    3. At least one character must be a special character. Care should be taken when the user is entering an Extended ASCII character by using ALT+Numeric KeyPad since if the application is not able to cope up or handle with Unicode Character sequences, there might be mismatched passwords and the user may get confused.
  5. Lexical Jugglery: Our application can detect simple alphabetical sequences like 'aaaaaaaa','aabbccdd','qwerty', which are either consecutive keys in the system keyboard or easy typing sequences (and of course, easy windows for brute force attacks and password sniffers or crackers), such weak points can be signalled to the user.
  6. Additionally, since the user enters the profile information, the website or web application can check against passwords being similar to Date of Birth, Mother Maiden's Name etc. May be these items can be configured against a standard Rules Collection of the Application. If one or more of a match is encountered, an the component can flag a Weak Password and abort processing of the new password acceptance.
  7. Detect Dictionary Words and just a dictionary word is used, then stop the user from entering such passwords. Perhaps there are free Webservices that are available to query online dictionaries, which helps us in achieving this purpose. Perhaps the following URL gives one free online dictionary webservice:
  8. If possible, like Windows, our application can maintain a history of passwords to a definite length and if a password repetition is detected, it can signal an anomaly.

Password Generator Tools

The necessity of strong passwords and strength of passwords has increased since the worms and viruses that exploit weak passwords have increased multifold. Perhaps CodeProject itself has a lot of Password Generators which apply a diversified set of algorithms on punctuations, alphanumerics etc. in passwords.

  1. http://www.codeproject.com/csharp/Favalias.asp
  2. http://www.codeproject.com/csharp/PasswordDialog.asp
  3. Microsoft BaseLine Security Analyzer:
    1. http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
      This really helps in finding out whether the Passwords in SQLServer, Windows Server etc are strong. We may need administrator privileges to run this program. It provides a nice HTML interface and report on various accounts that have weak passwords associated with them.

TODO

I am just planning to make a small webservice, which can be configured to the above conditions and if given a password, it would classify it as Strong or Weak password. Perhaps once I have implemented it, I would release it by updating this article along with its sourcecode, which I hope would be useful for developers implementing Application Security Models, without reinventing the wheel.

Summarizing

I hope the above article would really be helpful for people who are going towards design of Security Models in their application while deciding the strength of user passwords. Username and Password combinations have really come a long way. But brute force attacks, worms exploiting weak passwords (like SQLSlammer making use of blank sa password in SQLServer) have improved a lot too. Under these challenging Application Security Conditions, it is imperative that our application takes enough steps to ensure that their passwords are safe, which ensures both the security of the user accounts as well security and integrity of data and the application itself.

Do send me your feedback and what more can be included in this generic password validation and strong password generation and maintenance.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Vasudevan Deepak Kumar
Software Developer
India India
Vasudevan Deepak Kumar is from Chennai, India who has been in the programming career since 1994, when he was 15 years old. He has his Bachelors of Engineering (in Computer Science and Engineering) from Vellore Engineering College. He also has a MBA in Systems from Alagappa University, Karaikudi, India.
He started his programming career with GWBasic and then in his college was involved in developing programs in Fortran, Cobol, C++. He has been developing in Microsoft technologies like ASP, SQLServer 2000.
His current focus is ASP.NET, C#, VB.NET, PHP, SQL Server and MySQL. In his past-time, he listens to polite Carnatic Music. But the big question is that with his current Todolist backlog, does he get some past time?
Follow on   Twitter   LinkedIn

Comments and Discussions

 
GeneralNeed Improvement PinmemberAbinash Bishoyi19-Jun-10 12:51 
GeneralOne glaring oversight. PinmemberMike Whitenton14-Oct-03 10:25 
GeneralRe: One glaring oversight. PinmemberDoug Gale15-Oct-03 11:02 
GeneralRe: One glaring oversight. PinmemberMike Whitenton15-Oct-03 13:42 
GeneralSecurity of password Pinmemberkundan_ash10-Sep-04 21:49 
GeneralThis article is not relevant to C# section! PinmemberIgor Gribanov11-Oct-03 12:18 
Sleepy | :zzz:
GeneralRe: This article is not relevant to C# section! Pinmemberdog_spawn12-Oct-03 3:29 
GeneralUtter bilgewater PinmemberJim A. Johnson11-Oct-03 10:10 
GeneralRe: Utter bilgewater Pinmemberdog_spawn12-Oct-03 3:28 
GeneralRe: Utter bilgewater PinmemberJohnD200318-Oct-03 17:41 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.141216.1 | Last Updated 11 Oct 2003
Article Copyright 2003 by Vasudevan Deepak Kumar
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid