Introduction
In an earlier article, we looked at encryption algorithms, and specifically at the Message Digest 5 (MD5) algorithm. Whatever the algorithm, there is also a set of preliminary guidelines for making passwords relatively stronger. I had an opportunity to investigate and do some small research on application security and password strength.
Ascertaining that a user's password is relatively safe against brute-force attacks remains a crucial responsibility of the application itself. The guidelines below are an attempt to capture that. I would take this opportunity to make this simple article, and I fervently hope that it helps webmasters worldwide in ensuring that users of their applications have passwords of proper strength.
This article does not walk through an implementation, but it covers the overall ideas involved and, where it helps substantiate a point, refers to code snippets in C#. This should put the reader in a comfortable position to implement the strong-password checks in whatever language the application is written in.
Password (Minimum) Guidelines
- The application should ensure that the user password meets a minimum length. A minimum of 8 characters, as MSN Hotmail uses, is a good example.
- To prevent errors in remembering passwords, the application should restrict the password to a definite maximum length and inform the user gracefully if it is exceeded, rather than silently truncating the password to the application's cutoff size.
- A password that is too simple, such as all numerals or all letters, should be blocked at the first step, and the user should be informed immediately.
- A password that is alphanumeric can be further constrained as follows:
  - The first character must be a letter, and so must the last.
  - The middle characters must contain at least one number.
- At least one character must be a special character. Care should be taken when the user enters an extended-ASCII character via ALT + numeric keypad: if the application cannot handle Unicode character sequences consistently, the stored and entered passwords may not match and the user may be confused.
- Lexical jugglery: the application can detect simple sequences like 'aaaaaaaa', 'aabbccdd' or 'qwerty', which are either consecutive keys on the keyboard or easy typing sequences (and, of course, easy targets for brute-force attacks and password sniffers or crackers); such weak points can be signalled to the user.
- Additionally, since the user enters profile information, the website or web application can check the password against items such as date of birth or mother's maiden name. These items could be configured in a standard rules collection of the application. If one or more matches are found, the component can flag a weak password and abort acceptance of the new password.
- Detect dictionary words: if the password is just a dictionary word, stop the user from using it. There are free web services for querying online dictionaries that help achieve this. The following URL gives one free online dictionary web service:
- If possible, as Windows does, the application can maintain a history of passwords to a definite depth and signal an anomaly if a password is repeated.
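As an added example that is not part of the original article, here is a checker written in Python (rather than the C# the article mentions) that applies the guidelines above in one place: length limits, the character-class rules, repeated and keyboard sequences, profile data, a dictionary check and a password history kept as salted hashes. The small word list, the US keyboard rows, the profile field names (`names`, `dob`), the thresholds and all function names are assumptions made for the example; a real deployment would load a full dictionary or query a dictionary service instead of `COMMON_WORDS`.

```python
import hashlib
import hmac
import os
import re
from datetime import date

MIN_LEN, MAX_LEN = 8, 64      # minimum and maximum accepted length (assumed values)
HISTORY_DEPTH = 5             # how many previous passwords to remember

# Constructed sample word list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}

# Keyboard rows (US layout, assumed) plus the alphabet, for sequence detection.
SEQUENCE_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")

# Constructed sample profile of the kind the article says the application already holds.
SAMPLE_PROFILE = {"names": ["Jane", "Smith"], "dob": date(1985, 3, 14)}


def _has_run(pw, n=3):
    """True if some character repeats n or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def _has_sequence(pw, n=4):
    """True if pw contains n characters that are adjacent in a keyboard row or in
    the alphabet/digits, in either direction ('qwer', 'abcd', '4321')."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk[::-1] in row for row in SEQUENCE_ROWS):
            return True
    return False


def _matches_profile(pw, profile):
    """True if pw contains a profile string or the date of birth in a common layout."""
    low = pw.lower()
    if any(v and v.lower() in low for v in profile.get("names", [])):
        return True
    dob = profile.get("dob")
    return bool(dob) and any(dob.strftime(f) in pw
                             for f in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y"))


def _digest(pw, salt):
    """Slow salted hash so the history never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def in_history(pw, history):
    """history is a list of (salt, digest) pairs; constant-time comparison per entry."""
    return any(hmac.compare_digest(_digest(pw, salt), d) for salt, d in history)


def remember(pw, history):
    """Append the accepted password's salted hash and trim to HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    history.append((salt, _digest(pw, salt)))
    del history[:-HISTORY_DEPTH]


def check_password(pw, profile=None, history=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short (min %d)" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("too long (max %d); reject rather than truncate" % MAX_LEN)
    if pw.isdigit():
        problems.append("all digits")
    if pw.isalpha():
        problems.append("all letters")
    if not pw or not (pw[0].isalpha() and pw[-1].isalpha()):
        problems.append("first and last character must be letters")
    if not any(c.isdigit() for c in pw[1:-1]):
        problems.append("needs a digit among the middle characters")
    if not any(not c.isalnum() for c in pw):
        problems.append("needs a special character")
    if any(ord(c) > 126 for c in pw):
        problems.append("non-ASCII character; reject unless Unicode is handled end to end")
    # 'aaaaaaaa' is a run; 'aabbccdd' has too few distinct characters for its length.
    if _has_run(pw) or len(set(pw)) * 2 <= len(pw):
        problems.append("repeated characters")
    if _has_sequence(pw):
        problems.append("keyboard or alphabetic sequence")
    # A dictionary word with digits/punctuation bolted on still counts as the word.
    if re.sub(r"[^a-z]", "", pw.lower()) in COMMON_WORDS:
        problems.append("dictionary word")
    if profile and _matches_profile(pw, profile):
        problems.append("contains profile data")
    if in_history(pw, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    for candidate in ("Secure7!pass", "abcd1234", "Password1!", "Xjane7!z"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

The checker returns every violated rule rather than stopping at the first one, so the user can be told everything that is wrong in a single round trip; the history check is deliberately last because it is the only expensive step.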
Password Generator Tools
The need for strong passwords has increased as the worms and viruses that exploit weak passwords have multiplied. CodeProject itself hosts a number of password generators which apply a diverse set of algorithms on punctuation, alphanumerics etc. in passwords.
- http://www.codeproject.com/csharp/Favalias.asp
- http://www.codeproject.com/csharp/PasswordDialog.asp
- Microsoft BaseLine Security Analyzer:
- http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
This really helps in finding out whether the passwords in SQL Server, Windows Server etc. are strong. Administrator privileges may be needed to run it. It provides a nice HTML interface and a report on the accounts that have weak passwords associated with them.
TODO
I am planning to make a small web service which can be configured with the above conditions and, given a password, classifies it as strong or weak. Once I have implemented it, I will release it by updating this article along with its source code, which I hope will be useful for developers implementing application security models without reinventing the wheel.
Summarizing
I hope the above article is helpful for people designing security models for their applications when deciding on the strength of user passwords. Username and password combinations have really come a long way. But brute-force attacks and worms exploiting weak passwords (like SQL Slammer making use of a blank sa password in SQL Server) have improved a lot too. Under these challenging application security conditions, it is imperative that our applications take enough steps to ensure that passwords are safe, which ensures both the security of the user accounts and the security and integrity of the data and the application itself.
Do send me your feedback on what more can be included in this generic password validation, strong password generation and maintenance.
Every password cracker relies on one basic thing: being able to attempt as many combinations as it takes until the correct password is found. How do ATM cards get away with using only a 4 digit numeric only password? Simple. If you attempt to use an incorrect PIN more than 3 times the machine takes the card! Another example is the Credit Card CVV2 code which is only 3 numeric digits! Having a "maximum incorrect password attempts" is the key to preventing hacking of passwords. The practical way to meet user demands for easy to remember passwords and keep things secure is to...
1. Require a minimum password length.
2. Prevent easily guessed passwords. Requiring Alpha and Numeric is very easy to implement.
3. Lock the account if more than the Maximum incorrect password attempts is exceeded. A nice method is give 2 or 3 attempts. Send an email to the user's address letting them know that there were 2 or 3 attempts made to enter an incorrect password. Give them the correct password in this email. Give them 1 more attempt. If incorrect again then lock the account until they communicate with the administrator. Require them to change the password the next time they successfully log on.
4. Give the person the option of having their password sent to them at the email address defined in their user profile, if they forgot it.
Why is it that so many books and articles on security omit the standard practices? Even CodeProject uses this method.
Mike Whitenton
Mike Whitenton wrote: How do ATM cards get away with using only a 4 digit numeric only password? Simple. If you attempt to use an incorrect pin more than 3 times the machine takes the card! Another example is the Credit Card CVV2 code which is only 3 numeric digits!
Locking the account after a certain number of incorrect attempts opens up the possibility of mounting a denial of service attack. All a hacker has to do is use a program that uses a dictionary of common usernames, connect for each username, and deliberately get the password wrong three times. After a while, many many accounts will be locked down.
Debit cards are not vulnerable because you actually have to have the card to attempt to break in.
So, the best way to make a program strong against dictionary attack, is to make it vulnerable to a denial-of-service attack.
True. It really depends on just how secure you need it to be. It would be a good idea to add to the items I listed a couple of other things.
5. Require password changes periodically, in the event an account has been compromised.
6. Have the account lockout release after a period of time. 1 to 4 hours seems to be common. This attempts to keep denial of service attacks to a minimum.
7. Keep a log of the invalid attempts on an account's password. After a maximum number of lockouts have occurred, increase the lockout release time. Inform the user that their account's security needs to be increased due to hacking attempts. Have them change their password. Possibly keep a password history so users do not reuse their old passwords again; it should be encrypted. If invalid attempts continue, the user and/or administrator should change the user's logon name also. Tell the user that they should increase their password length.
8. A review of invalid attempts on passwords and user logon names should be done to determine the nature of the attempts.
9. If attempts continue, the entire security infrastructure should be reviewed. Consider hiring a security company to help with the issue. They may recommend the FBI's cyber crime unit become involved.
10. Educate yourself on security issues and their solutions.
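As an added example that is not part of this thread, the following Python sketch implements the lockout discussed in the two posts above (item 3) together with items 6 to 8 from this reply: a fixed release window, a release time that doubles once an account has been locked out repeatedly, a notification hook, and a per-account attempt log for later review. The `verify` and `notify` callables, the thresholds, the fake clock and the sample source address are assumptions made for the example; the notification carries only the lockout message, not a password.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3          # failures before the account locks (assumed)
BASE_LOCKOUT_SECS = 3600  # first lockouts release after one hour (assumed)
ESCALATE_AFTER = 3        # after this many lockouts the release time doubles each time


@dataclass
class AccountState:
    failures: int = 0            # consecutive failures since the last success or lockout
    lockouts: int = 0            # lifetime lockout count, drives escalation
    locked_until: float = 0.0    # epoch seconds; 0 means not locked
    log: list = field(default_factory=list)   # (time, source, event) entries for review


class LoginGuard:
    """Wraps a credential check with lockout, timed release, escalation and logging."""

    def __init__(self, verify, notify, clock=time.time):
        self.verify = verify    # verify(username, password) -> bool (hypothetical hook)
        self.notify = notify    # notify(username, message), e.g. sends an e-mail
        self.clock = clock      # injectable so the lockout window can be tested
        self.state = defaultdict(AccountState)

    def is_locked(self, username):
        return self.clock() < self.state[username].locked_until

    @staticmethod
    def lockout_seconds(lockouts):
        """Fixed release time for the first ESCALATE_AFTER lockouts, doubling after that."""
        return BASE_LOCKOUT_SECS * 2 ** max(0, lockouts - ESCALATE_AFTER)

    def attempt(self, username, password, source="unknown"):
        """Returns 'ok', 'bad' or 'locked'. A correct password is still refused while locked,
        so an attacker learns nothing from the lockout window."""
        st = self.state[username]
        now = self.clock()
        if now < st.locked_until:
            st.log.append((now, source, "refused: locked"))
            return "locked"
        if self.verify(username, password):
            st.failures = 0
            st.log.append((now, source, "success"))
            return "ok"
        st.failures += 1
        st.log.append((now, source, "bad password"))
        if st.failures < MAX_ATTEMPTS:
            return "bad"
        st.failures = 0
        st.lockouts += 1
        secs = self.lockout_seconds(st.lockouts)
        st.locked_until = now + secs
        msg = "%d failed logins; account locked for %d seconds" % (MAX_ATTEMPTS, secs)
        if st.lockouts > ESCALATE_AFTER:
            msg += "; repeated lockouts, please change your password"
        self.notify(username, msg)
        return "locked"

    def failed_attempts(self, username):
        """Count of logged non-success events, for the periodic review of attempts."""
        return sum(1 for _, _, event in self.state[username].log if event != "success")


if __name__ == "__main__":
    # Constructed demo: a fixed password and a fake clock that is advanced by hand.
    clock = [1_000_000.0]
    guard = LoginGuard(verify=lambda u, p: p == "Secure7!pass",
                       notify=lambda u, m: print("mail to", u, ":", m),
                       clock=lambda: clock[0])
    for pw in ("x", "y", "z"):
        print(pw, "->", guard.attempt("alice", pw, source="203.0.113.5"))
    print("correct password while locked ->", guard.attempt("alice", "Secure7!pass"))
    clock[0] += BASE_LOCKOUT_SECS + 1
    print("after release ->", guard.attempt("alice", "Secure7!pass"))
    print("failed attempts logged:", guard.failed_attempts("alice"))
```

Because the lockout releases on its own, the denial-of-service cost of a deliberate lockout is bounded by the window, and the escalating window plus the log give the administrator the material for the review described in items 8 and 9.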
Hi, how can I encrypt a password at the client side using JavaScript and decrypt it using C#? There is something called RSA for security purposes; how can it be helpful? Before sending the password to the server I want to encrypt it, but we know anyone can see the JavaScript by viewing the source. How can I make it more secure? As I am a beginner in .NET, I don't have much knowledge.
Ashish
I agree. Without code, this article should be deleted.
Please do not bother with a web service. Just make a class. It would be useful to many people if you wrote a class rather than just writing a load of theory...
With all due respect, this attitude is part of what makes computers so damn hard to use.
Users don't like passwords. When we're forced to use them, we like to use something we can remember. This business of forcing users to use cryptic, unrememberable passwords just makes the whole process harder to deal with, and results in passwords written on Post-its, stuck to the computer.
What you say is partially true but you do need strong passwords. For example matching username and password should not be allowed. I do not think you have to force cryptic passwords. I understand your point but it's not really relevant. Your opinion might change if someone, say, took over your codeproject account and edited your messages...
Microsoft Research have come up with an interesting idea for creating strong passwords... take a look here: http://research.microsoft.com/displayArticle.aspx?id=417