How (un)secure do you consider passwords

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

How (un)secure do you consider passwords

Post by matthijs »

We all know passwords should be long and complicated. The shorter and less complicated they are, the less secure, in general.

I know it's impossible to answer exactly, but what do you think about online passwords consisting of 5 numbers? I understand it's a judgment issue. But if you were to build a web app, would you accept having passwords of five numbers?

WordPress used to have passwords like that, but has now switched to generating longer (8-10 characters) and random (all kinds of characters) passwords.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: How (un)secure do you consider passwords

Post by onion2k »

5 numbers is 10,000 possible combinations. A well written brute-force script could break that in minutes if there isn't any flood protection.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: How (un)secure do you consider passwords

Post by Eran »

The more possible combinations the password has and the more random it is (i.e., not dictionary words, pet's name, etc.), the stronger it will be. I would say a minimum of 8 random alphanumeric characters for good protection.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: How (un)secure do you consider passwords

Post by superdezign »

There are more alphabetic characters than numerical.

I feel it is insecure to force users to do anything with their passwords. This gives brute-force programs guidelines to go by when trying to determine a password.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: How (un)secure do you consider passwords

Post by matthijs »

onion2k wrote:5 numbers is 10,000 possible combinations. A well written brute-force script could break that in minutes if there isn't any flood protection.
That's what I thought. I don't know the ins and outs of brute forcing, but 5 single numbers seemed little to me already.

In this case the passwords have been generated randomly and users cannot change them. But even then 5 digits is weak, as I guessed and you guys seem to confirm.
superdezign wrote:I feel it is insecure to force users to do anything with their passwords. This gives brute-force programs guidelines to go by when trying to determine a password.
I feel the same way. As soon as I let users change their own password, about 35% of them will change it to "password5" or something as strong as that. I see it all over the place with any non-technical persons.
pytrin wrote:I would say a minimum of 8 random alphanumerical characters for good protection.
Ok. That seems about the same as what I did. I changed all plain-text 5-digit passwords into SHA-256 hashed 8-character alphanumeric ones.

The issue is now that the client wants the 5-digit passwords back. I advised him not to, but his response was "it has gone well so far"...
So at this point I either do what he wants or use the stronger passwords. I don't feel like going for the first option, as that feels irresponsible. And I'm sure I'll get blamed when the site gets hacked.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: How (un)secure do you consider passwords

Post by onion2k »

matthijs wrote:The issue is now that the client wants the 5-digits passwords back. I advised him not to, but his response was "it has gone wel so far"...
What's happened in the past is irrelevant. It's the chance of something going wrong in the future that's the concern.

However...

Things like user password security are a trade-off. You need to trade increased security against losing customers who find the system too complicated. You also need to trade weaker security against customers leaving because they don't trust the site. It's not an easy thing to settle on. And ultimately the choice is up to the client.

Three salient questions to ask the client are:

1. What sort of losses are possible (or likely) if an account is breached? If this is a share trading website with thousands of dollars in user accounts then it's a big deal. If it's a blog then it's not.

2. Who is accountable if there's a breach of an account? Can you get it in writing that the client is happy going against your approved solution?

3. Does the client have insurance against being sued should a hacked customer decide that they've suffered a financial loss due to their account details being compromised?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: How (un)secure do you consider passwords

Post by Eran »

It's probably easier to increase security by other measures, such as throttling log-in attempts, adding SSL encryption etc. You can't rely on users unless you really force their hand and sometimes that's not an option.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: How (un)secure do you consider passwords

Post by matthijs »

That's some great feedback.

@onion2k:
1. It's a kind of member section which is behind a login. So members log in and then can view each other's info. It's name and address info. So most probably you'll be able to find that info about the same persons online elsewhere anyway, but I still consider that valuable personal info which must be dealt with cautiously.
2. I'll consider that.
3. I'll ask them. The client is totally non-technical though, so he'll not know that and will just throw the question back.

@pytrin: I'll look into those two options. I did look briefly at throttling log-in attempts, but even though that seems simple at first sight, if you read more about it it's a lot more complicated (since IP addresses can be spoofed, etc.)
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: How (un)secure do you consider passwords

Post by arjan.top »

show the captcha after >2 attempts to login (per username), it would stop the attack for some time
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: How (un)secure do you consider passwords

Post by Eran »

since IP addresses can be spoofed, etc.
Even spoofed, it's very hard to change IP multiple times per second for any reasonable duration.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How (un)secure do you consider passwords

Post by kaisellgren »

A 5-digit password is very weak in my opinion.
matthijs wrote:The issue is now that the client wants the 5-digits passwords back.
Well, that sucks. :P I agree with onion2k's post. User password security is a trade off indeed. Remember that you are the programmer and you can't always blindly do what your clients want you to do. Using 5-digit passwords puts everyone in danger, not just the one who wants to use it (your lovely client) unless you give your users a choice what kind of passwords to use which would be nice.
onion2k wrote:5 numbers is 10,000 possible combinations. A well written brute-force script could break that in minutes if there isn't any flood protection.
And even if there's a limit of 10 attempts, a farm of 100 computers (which is easy to achieve, e.g., by exploiting a university) would break it with a probability of 10%, and the flood protection will probably reset at some point.

The password would be almost useless if someone really wants to get in.
arjan.top wrote:show the captcha after >2 attempts to login (per username), it would stop the attack for some time
This gets better. We now have two free attempts per IP. Assuming that the CAPTCHA is secure, we now need 500 computers to break it with the same probability. Personally, I can access roughly over 300 computers (read: different IPs) myself at three different universities ( :) ) and make them do this. We assumed that the CAPTCHA was secure. If it's not, we can brute-force forever per IP unless we make a restriction for that too. All this is not an easy task to complete, but certainly possible.

5-digit passwords? No way.

If your client wants simplicity, how about using certificates for logins? The pros are that the users don't need to remember anything, and the cons are that the users need to have the certificate installed on the computer they use to log in (less portability, but the same certificate can be installed on multiple machines). The benefit of using certificates is obvious: a 1024-bit certificate, for instance, would have a strength of 1024 bits compared to this delightful 5-digit password that has a strength of ~13 bits. With such certificates, brute-forcing attempts would be doomed.
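The arithmetic this thread does informally (onion2k's "10,000 combinations, minutes to break", kaisellgren's "100 computers x 10 attempts" farm and "~13 bits"), worked through in code. This is an added example, not code from the original thread. Note that five decimal digits give 10^5 = 100,000 combinations (about 16.6 bits); the figures 10,000 and ~13 bits quoted above correspond to four digits. The guess rate of 100/s, the farm size and the 10 free attempts per IP are assumptions taken from the posts, and the attacker model assumes passwords are generated uniformly at random (as matthijs says they are), so each guess succeeds with probability 1/keyspace.

```python
import math
import secrets
from dataclasses import dataclass

DIGITS = "0123456789"
ALNUM = "0123456789" + "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `alphabet`."""
    return len(alphabet) ** length


def entropy_bits(alphabet: str, length: int) -> float:
    """Guessing entropy, in bits, of a password chosen uniformly at random."""
    return length * math.log2(len(alphabet))


def success_probability(guesses: int, space: int) -> float:
    """Chance that `guesses` distinct guesses include a uniformly random password."""
    return min(1.0, guesses / space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at a sustained guess rate."""
    return space / guesses_per_second


@dataclass
class Farm:
    """Attacker with `ips` source addresses, each allowed `free_attempts`
    guesses before per-IP flood protection blocks it (kaisellgren's scenario)."""
    ips: int
    free_attempts: int

    def guesses_per_lockout_period(self) -> int:
        return self.ips * self.free_attempts

    def success_probability(self, space: int) -> float:
        return success_probability(self.guesses_per_lockout_period(), space)


def generate_password(alphabet: str = ALNUM, length: int = 8) -> str:
    """Random password of the kind matthijs switched to: CSPRNG, uniform per symbol."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(rate: float = 100.0) -> dict:
    """Side-by-side figures for 5 digits vs 8 alphanumerics.

    `rate` is an assumed sustained online guess rate (guesses/second) against a
    site with no throttling; the farm row assumes 100 IPs x 10 free attempts.
    """
    out = {}
    for name, alphabet, length in (("5 digits", DIGITS, 5), ("8 alnum", ALNUM, 8)):
        space = keyspace(alphabet, length)
        out[name] = {
            "space": space,
            "bits": round(entropy_bits(alphabet, length), 1),
            "hours_to_exhaust": seconds_to_exhaust(space, rate) / 3600,
            "farm_100x10": Farm(ips=100, free_attempts=10).success_probability(space),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
    print("example generated password:", generate_password())
```

At 100 guesses per second the whole five-digit space falls in under 17 minutes, which is onion2k's "minutes if there isn't any flood protection"; 62^8 at the same rate takes on the order of 69,000 years, so the throttling discussion only matters for the short space. The farm row is the per-lockout-period success chance: 1,000 guesses against 100,000 candidates is 1%, and as kaisellgren notes it compounds every time the protection resets.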
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: How (un)secure do you consider passwords

Post by arjan.top »

kaisellgren wrote:
arjan.top wrote:show the captcha after >2 attempts to login (per username), it would stop the attack for some time
This gets better. We have now two free attempts per IP. Assuming that the CAPTCHA is secure, we now need 500 computers to break it with the same probability. Personally, I can access roughly over 300 computers (read: different IPs) myself on three different universities ( :) ) and make them to do this. We assumed that the CAPTCHA was secure. If it's not, we can brute force forever per IP unless we make a restriction for that too. All this is not an easy task to complete, but certainly possible.
Not per IP, per username: you add a counter to the user table, every unsuccessful attempt increments the count, and the count is set to 0 when the CAPTCHA is solved.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How (un)secure do you consider passwords

Post by kaisellgren »

arjan.top wrote:not per ip, per username, you add a counter to the user table, every unsuccessful attempt would increment the count, count would be set to 0 when captcha is solved
Ah, ok. I wouldn't like to enter CAPTCHAs every time I want to login though..
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: How (un)secure do you consider passwords

Post by superdezign »

kaisellgren wrote:
arjan.top wrote:not per ip, per username, you add a counter to the user table, every unsuccessful attempt would increment the count, count would be set to 0 when captcha is solved
Ah, ok. I wouldn't like to enter CAPTCHAs every time I want to login though..
Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway. I feel that anything that can be done to slow down brute-forcers and prevent brute-force bots is good. Some websites try to prevent hacking by forcing secure passwords upon their users. Others allow their users to freely make a password and just protect them via their system. I prefer the latter.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How (un)secure do you consider passwords

Post by kaisellgren »

superdezign wrote:Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
Not exactly my point. I'm receiving from 200 to 300 attempts for the usernames "admin" and "kaisellgren" on one of my websites every day. So I would be typing CAPTCHAs for each login procedure.
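arjan.top's per-username counter (CAPTCHA after two free attempts, reset when the CAPTCHA is solved) and kaisellgren's objection to it (an attacker hammering "admin" forces the real admin to solve a CAPTCHA on every login), as an added example that is not code from the thread. The throttle is written in Python rather than PHP because the logic is language-independent; the user table is a constructed in-memory dict with plain-text passwords purely so the example runs stand-alone (a real system stores hashes), the attacker's 300 source addresses are made up, and `key_by_ip` is an added variant, not something the thread proposes, included to show the trade-off: keying the counter by (username, IP) removes the lockout that the legitimate user suffers, but gives every IP in a farm its own free attempts, which is exactly the per-IP weakness kaisellgren described first.

```python
from collections import defaultdict
import hmac

# Constructed user table for the example only; real systems store password hashes.
USERS = {"admin": "Qx7mP2vL", "kaisellgren": "zR4nT9bK"}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed table."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


class LoginThrottle:
    """Failure counter with a CAPTCHA gate.

    Default (key_by_ip=False) is arjan.top's design: one counter per username,
    CAPTCHA required once `captcha_after` attempts have failed, counter reset
    to 0 when a CAPTCHA is solved or a login succeeds.
    key_by_ip=True is an added variant keyed on (username, source IP).
    """

    def __init__(self, captcha_after: int = 2, key_by_ip: bool = False):
        self.captcha_after = captcha_after
        self.key_by_ip = key_by_ip
        self.failures = defaultdict(int)

    def _key(self, username: str, ip: str):
        return (username, ip) if self.key_by_ip else username

    def captcha_required(self, username: str, ip: str) -> bool:
        return self.failures[self._key(username, ip)] >= self.captcha_after

    def login(self, username: str, ip: str, password: str, captcha_ok: bool = False) -> str:
        """Returns "ok", "denied" or "captcha_required"."""
        key = self._key(username, ip)
        if self.failures[key] >= self.captcha_after:
            if not captcha_ok:
                return "captcha_required"
            self.failures[key] = 0          # count set to 0 when the CAPTCHA is solved
        if check_password(username, password):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1             # every unsuccessful attempt increments it
        return "denied"


def scenario(key_by_ip: bool) -> dict:
    """300 wrong guesses against "admin" from 300 constructed addresses, then the
    real admin logs in from another address with the right password and no CAPTCHA."""
    throttle = LoginThrottle(captcha_after=2, key_by_ip=key_by_ip)
    attacker = [throttle.login("admin", f"10.0.{i // 256}.{i % 256}", "wrong")
                for i in range(300)]
    legit = throttle.login("admin", "192.0.2.10", USERS["admin"])
    return {
        "attacker_denied": attacker.count("denied"),
        "attacker_captcha": attacker.count("captcha_required"),
        "legit": legit,
    }


if __name__ == "__main__":
    print("per-username counter:", scenario(key_by_ip=False))
    print("per-(username, IP) counter:", scenario(key_by_ip=True))
```

With the per-username counter the farm gets exactly two guesses before every further request is stopped at the CAPTCHA, which is the protection arjan.top wants, and the legitimate admin is then also stopped at the CAPTCHA until he solves it, which is kaisellgren's complaint. With the per-(username, IP) counter the admin logs straight in, but all 300 attacker addresses are "denied" rather than gated, so the farm keeps guessing. Either way the counter only holds if the CAPTCHA itself holds, since solving it resets the count.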