How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 4:15 am
by matthijs
We all know passwords should be long and complicated. The shorter and less complicated, the less secure, in general.
I know it's impossible to answer exactly, but what do you think about online passwords consisting of 5 numbers? I understand it's a judgment issue. But if you were to build a web app, would you accept to have passwords of five numbers?
Wordpress used to have passwords like that, but now switched to longer (8-10 characters) and random (all kinds of characters) passwords being generated.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 5:20 am
by onion2k
5 numbers is 10,000 possible combinations. A well written brute-force script could break that in minutes if there isn't any flood protection.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 5:36 am
by Eran
The more possible combinations the password has and the more random (i.e., not dictionary words, pet's name etc.) it is, the stronger it will be. I would say a minimum of 8 random alphanumerical characters for good protection.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 6:23 am
by superdezign
There are more alphabetic characters than numerical.
I feel it is insecure to force users to do anything with their passwords. This gives brute-force programs guidelines to go by when trying to determine a password.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 7:01 am
by matthijs
onion2k wrote:5 numbers is 10,000 possible combinations. A well written brute-force script could break that in minutes if there isn't any flood protection.
That's what I thought. I don't know the ins and outs of brute forcing, but 5 single numbers seemed little to me already.
In this case the passwords have been generated randomly and users cannot change them. But even then 5 digits is weak, as I guessed and you guys seem to confirm.
superdezign wrote:I feel it is insecure to force users to do anything with their passwords. This gives brute-force programs guidelines to go by when trying to determine a password.
I feel the same way. As soon as I let users change their own password, about 35% of them will change it to "password5" or something as strong as that. I see it all over the place with any non-technical persons.
pytrin wrote:I would say a minimum of 8 random alphanumerical characters for good protection.
Ok. That seems about the same thing I did. I changed all plain text 5 digit passwords in sha256 hashed 8 character alpha-numeric ones.
The issue is now that the client wants the 5-digit passwords back. I advised him not to, but his response was "it has gone well so far"...
So at this point I either do what he wants or use the stronger passwords. I don't feel like going for the first option, as that feels irresponsible. And I'm sure I get blamed when the site gets hacked.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 7:54 am
by onion2k
matthijs wrote:The issue is now that the client wants the 5-digit passwords back. I advised him not to, but his response was "it has gone well so far"...
What's happened in the past is irrelevant. It's the chance of something going wrong in the future that's the concern.
However...
Things like user password security is a trade off. You need to trade increased security against losing customers who find the system too complicated. You also need to trade weaker security against customers leaving because they don't trust the site. It's not an easy thing to settle on. And ultimately the choice is up to the client.
Three salient questions to ask the client are:
1. What sort of losses are possible (or likely) if an account is breached? If this is a share trading website with thousands of dollars in user accounts then it's a big deal. If it's a blog then it's not.
2. Who is accountable if there's a breach of an account? Can you get it in writing that the client is happy going against your approved solution?
3. Does the client have insurance against being sued should a hacked customer decide that they've suffered a financial loss due to their account details being compromised?
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 8:07 am
by Eran
It's probably easier to increase security by other measures, such as throttling log-in attempts, adding SSL encryption etc. You can't rely on users unless you really force their hand and sometimes that's not an option.
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 8:37 am
by matthijs
That's some great feedback.
@onion2k:
1. It's a kind of member section which is behind a login. So members login and then can view each others info. It's name and address info. So most probably you'll be able to find that info from the same persons online elsewhere anyway, but still I consider that valuable personal info which must be dealt cautiously with.
2. I'll consider that.
3. I'll ask them. The client is totally non-technical though, so he'll not know that and just throw the question back.
@pytrin: I'll look into those two options. I did look shortly at throttling log-in attempts, but even though that seems simple at first sight, if you read more about it it's a lot more complicated (since IP addresses can be spoofed, etc.)
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 12:17 pm
by arjan.top
show the captcha after >2 attempts to login (per username), it would stop the attack for some time
Re: How (un)secure do you consider passwords
Posted: Tue Sep 08, 2009 2:33 pm
by Eran
since IP addresses can be spoofed, etc.
Even spoofed, it's very hard to change IP multiple times per second for any reasonable duration.
Re: How (un)secure do you consider passwords
Posted: Sat Sep 12, 2009 1:17 am
by kaisellgren
A 5-digit password is very weak in my opinion.
matthijs wrote:The issue is now that the client wants the 5-digit passwords back.
Well, that sucks.
I agree with onion2k's post. User password security is a trade off indeed. Remember that you are the programmer and you can't always blindly do what your clients want you to do. Using 5-digit passwords puts everyone in danger, not just the one who wants to use it (your lovely client) unless you give your users a choice what kind of passwords to use which would be nice.
onion2k wrote:5 numbers is 10,000 possible combinations. A well written brute-force script could break that in minutes if there isn't any flood protection.
And even if there's a limit of 10 attempts, a farm of 100 computers (which is easy to achieve, e.g., exploiting a university) would break it with a probability of 10% and the flood protection will probably reset at some point.
The password would be almost useless if someone really wants to get in.
arjan.top wrote:show the captcha after >2 attempts to login (per username), it would stop the attack for some time
This gets better. We have now two free attempts per IP. Assuming that the CAPTCHA is secure, we now need 500 computers to break it with the same probability. Personally, I can access roughly over 300 computers (read: different IPs) myself on three different universities and make them do this. We assumed that the CAPTCHA was secure. If it's not, we can brute force forever per IP unless we make a restriction for that too. All this is not an easy task to complete, but certainly possible.
5-digit passwords? No way.
If your client wants simplicity, how about using certificates for logins? The pros are that the users don't need to remember anything and the cons are that the users need to have the certificate installed on the computer they use to login (less portability, but the same certificate can be installed on multiple machines though). The benefit of using certificates is obvious: a 1024-bit certificate, for instance, would have a strength of 1024-bits compared to this delightful 5-digit password that has a strength of ~13-bits. With such certificates, brute forcing attempts would be doomed.
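The last few posts reason about keyspace, bits of strength, and how many guesses a per-source lockout concedes before an account falls. The following added example (not code from the thread) turns that reasoning into a small policy-evaluation tool a site owner can run when weighing a password rule against a lockout rule. Note that 10 digits raised to the 5th power is 100,000 strings (about 16.6 bits), which is what the code computes; the attempt limits, source counts and guess rates in the demo are constructed values for illustration.

```python
import math

# Password policies discussed in the thread, as (alphabet size, length).
POLICIES = {
    "5 digits": (10, 5),
    "8 alphanumeric": (62, 8),  # a-z, A-Z, 0-9
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the policy permits."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a uniformly random password under the policy."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password with no lockout at a sustained guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def compromise_probability(alphabet_size: int, length: int, total_guesses: int) -> float:
    """Chance that `total_guesses` distinct guesses hit one uniformly random password."""
    return min(1.0, total_guesses / keyspace(alphabet_size, length))


def guesses_conceded(attempts_per_source: int, sources: int) -> int:
    """Guesses a per-source lockout lets through before every source is blocked."""
    return attempts_per_source * sources


def sources_to_reach(alphabet_size: int, length: int, attempts_per_source: int,
                     target_probability: float) -> int:
    """Distinct sources needed for a given compromise probability under a
    per-source attempt limit; shows how much (or little) the lockout buys."""
    needed = math.ceil(target_probability * keyspace(alphabet_size, length))
    return math.ceil(needed / attempts_per_source)


def evaluate(attempts_per_source: int, sources: int, guesses_per_second: float) -> dict:
    """Summarise each policy under a constructed lockout and attacker capacity."""
    report = {}
    conceded = guesses_conceded(attempts_per_source, sources)
    for name, (alphabet, length) in POLICIES.items():
        report[name] = {
            "keyspace": keyspace(alphabet, length),
            "bits": round(entropy_bits(alphabet, length), 1),
            "minutes_to_exhaust_unthrottled": seconds_to_exhaust(alphabet, length, guesses_per_second) / 60,
            "p_compromise_under_lockout": compromise_probability(alphabet, length, conceded),
        }
    return report


if __name__ == "__main__":
    # Constructed scenario: 10 attempts per source, 100 sources, 100 guesses/s unthrottled.
    for policy, row in evaluate(10, 100, 100.0).items():
        print(policy, row)
```

The unthrottled figure is what onion2k's "minutes" remark refers to; the lockout figure is the quantity kaisellgren estimates with his computer count, and `sources_to_reach` makes explicit why a per-source limit alone is a weak defence for a 5-digit keyspace.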
Re: How (un)secure do you consider passwords
Posted: Sun Sep 13, 2009 4:09 am
by arjan.top
kaisellgren wrote:
arjan.top wrote:show the captcha after >2 attempts to login (per username), it would stop the attack for some time
This gets better. We have now two free attempts per IP. Assuming that the CAPTCHA is secure, we now need 500 computers to break it with the same probability. Personally, I can access roughly over 300 computers (read: different IPs) myself on three different universities and make them do this. We assumed that the CAPTCHA was secure. If it's not, we can brute force forever per IP unless we make a restriction for that too. All this is not an easy task to complete, but certainly possible.
not per ip, per username, you add a counter to the user table, every unsuccessful attempt would increment the count, count would be set to 0 when captcha is solved
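arjan.top's design above (a failed-attempt counter in the user table, CAPTCHA once it exceeds 2, reset to 0 when the CAPTCHA is solved) is concrete enough to implement. The following is an added example written for this thread, not code posted by anyone in it: an in-memory stand-in for the user table, salted PBKDF2-HMAC-SHA256 for the stored passwords (my choice; the thread only mentions "sha256 hashed"), and a login gate that refuses to even check the password once the counter has tripped. The `LoginGate` class, its method names and the sample user are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# arjan.top's threshold: CAPTCHA is required once there are more than 2 failures.
CAPTCHA_AFTER_FAILURES = 2
PBKDF2_ITERATIONS = 100_000


@dataclass
class UserRecord:
    """One row of the user table; `failed_attempts` is the per-username counter."""
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginGate:
    """Login front door with a per-username failure counter and CAPTCHA gate."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = UserRecord(salt, hash_password(password, salt))

    def captcha_required(self, username: str) -> bool:
        """True when the counter has tripped; the UI shows the CAPTCHA in that case."""
        rec = self.users.get(username)
        return rec is not None and rec.failed_attempts > CAPTCHA_AFTER_FAILURES

    def solve_captcha(self, username: str, solved: bool) -> bool:
        """Called when the CAPTCHA form is submitted; a correct solution resets the counter."""
        rec = self.users.get(username)
        if rec is None or not solved:
            return False
        rec.failed_attempts = 0
        return True

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'captcha_required'."""
        rec = self.users.get(username)
        if rec is None:
            # Do the same hashing work for unknown users so response timing
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "bad_credentials"
        if rec.failed_attempts > CAPTCHA_AFTER_FAILURES:
            # Password is not even checked until the CAPTCHA resets the counter,
            # so guesses cannot continue without a human in the loop.
            return "captcha_required"
        if hmac.compare_digest(hash_password(password, rec.salt), rec.pw_hash):
            rec.failed_attempts = 0
            return "ok"
        rec.failed_attempts += 1
        return "bad_credentials"


if __name__ == "__main__":
    gate = LoginGate()
    gate.add_user("alice", "constructed-example-password")   # constructed sample user
    for guess in ("wrong1", "wrong2", "wrong3", "constructed-example-password"):
        print(guess, "->", gate.attempt("alice", guess))
    print("captcha solved:", gate.solve_captcha("alice", True))
    print("retry ->", gate.attempt("alice", "constructed-example-password"))
```

Because the counter is keyed by username rather than source address, it does not matter how many IPs the guesses come from; the cost is the one kaisellgren raises later in the thread, namely that the legitimate owner of a hammered username also has to solve the CAPTCHA.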
Re: How (un)secure do you consider passwords
Posted: Sun Sep 13, 2009 4:34 am
by kaisellgren
arjan.top wrote:not per ip, per username, you add a counter to the user table, every unsuccessful attempt would increment the count, count would be set to 0 when captcha is solved
Ah, ok. I wouldn't like to enter CAPTCHAs every time I want to login though.
Re: How (un)secure do you consider passwords
Posted: Sun Sep 13, 2009 10:02 am
by superdezign
kaisellgren wrote:arjan.top wrote:not per ip, per username, you add a counter to the user table, every unsuccessful attempt would increment the count, count would be set to 0 when captcha is solved
Ah, ok. I wouldn't like to enter CAPTCHAs every time I want to login though.
Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway. I feel that anything that can be done to slow down brute forcers and prevent brute force bots is good. Some websites try to prevent hacking by forcing secure passwords upon their users. Others allow their users to freely make a password and just protect them via their system. I prefer the latter.
Re: How (un)secure do you consider passwords
Posted: Mon Sep 14, 2009 10:31 am
by kaisellgren
superdezign wrote:Well, if you can't remember your password after 2 unsuccessful tries, you should be requesting "Reset Password" soon anyway.
Not exactly my point. I'm receiving from 200 to 300 attempts for usernames "admin" and "kaisellgren" in one of my websites every day. So, I would be typing CAPTCHAs for each login procedure.