Ensuring Strong Passwords

Introduction

In an earlier article, we saw about Encryption Algorithms and specifically about Message Digest 5 (MD5) algorithm. Whatever be the algorithm, there is also other set of preliminary guidelines for having passwords relatively stronger. I had an opportunity to investigate and do a small research on Application Security and Password Strength and Security.

Ascertaining that the user password is relatively safe and secure against brute force attacks, remains a crucial responsibility of the application itself. Perhaps the following guidelines. Perhaps, I would take this opportunity to make this simple article and I fervently hope that this article would surely help webmasters worldwide in ensuring that users of their applications have their passwords relatively safer and in proper strengths.

We would not cover any code description in this article, although we would touch the overall ideas involved. Perhaps to substantiate the topic and to explain it more, we would be touching code snippets in C#. I hope this should make the reader to be in a comfortable position in implementing the Strong Password algorithm in whatever language, he is implementing the application.

Password (Minimum) Guidelines

1. The application should ensure that the user password caters to a minimum length. A minimum of 8 characters like what MSN Hotmail uses should be a good example.
2. To prevent errors in remembering the passwords, the application has to restrict the password length to a definite maximum length and inform the user gracefully, if he exceeds, than just truncating the password to the application maximum cutoff size.
3. A password too simple like all numerals, all alphabets should be blocked off even at the first step and should be informed to the user immediately.
4. A password that is just alphanumeric can be further treated in the following way:
   1. The first character must be an alphabet and the last character must also be.
   2. The middle characters must have at least one number.
   3. At least one character must be a special character. Care should be taken when the user is entering an Extended ASCII character by using ALT+Numeric KeyPad since if the application is not able to cope up or handle with Unicode Character sequences, there might be mismatched passwords and the user may get confused.
5. Lexical Jugglery: Our application can detect simple alphabetical sequences like 'aaaaaaaa','aabbccdd','qwerty', which are either consecutive keys in the system keyboard or easy typing sequences (and of course, easy windows for brute force attacks and password sniffers or crackers), such weak points can be signalled to the user.
6. Additionally, since the user enters the profile information, the website or web application can check against passwords being similar to Date of Birth, Mother Maiden's Name etc. May be these items can be configured against a standard Rules Collection of the Application. If one or more of a match is encountered, an the component can flag a Weak Password and abort processing of the new password acceptance.
7. Detect Dictionary Words and just a dictionary word is used, then stop the user from entering such passwords. Perhaps there are free Webservices that are available to query online dictionaries, which helps us in achieving this purpose. Perhaps the following URL gives one free online dictionary webservice:
• http://dotnet.cyberthink.net/search.aspx
8. If possible, like Windows, our application can maintain a history of passwords to a definite length and if a password repetition is detected, it can signal an anomaly.

Password Generator Tools

The necessity of strong passwords and strength of passwords has increased since the worms and viruses that exploit weak passwords have increased multifold. Perhaps CodeProject itself has a lot of Password Generators which apply a diversified set of algorithms on punctuations, alphanumerics etc. in passwords.

1. http://www.codeproject.com/csharp/Favalias.asp
2. http://www.codeproject.com/csharp/PasswordDialog.asp
3. Microsoft BaseLine Security Analyzer:
   1. http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
      This really helps in finding out whether the Passwords in SQLServer, Windows Server etc are strong. We may need administrator privileges to run this program. It provides a nice HTML interface and report on various accounts that have weak passwords associated with them.

TODO

I am just planning to make a small webservice, which can be configured to the above conditions and if given a password, it would classify it as Strong or Weak password. Perhaps once I have implemented it, I would release it by updating this article along with its sourcecode, which I hope would be useful for developers implementing Application Security Models, without reinventing the wheel.

Summarizing

I hope the above article would really be helpful for people who are going towards design of Security Models in their application while deciding the strength of user passwords. Username and Password combinations have really come a long way. But brute force attacks, worms exploiting weak passwords (like SQLSlammer making use of blank sa password in SQLServer) have improved a lot too. Under these challenging Application Security Conditions, it is imperative that our application takes enough steps to ensure that their passwords are safe, which ensures both the security of the user accounts as well security and integrity of data and the application itself.

Do send me your feedback and what more can be included in this generic password validation and strong password generation and maintenance.