tags:

views:

286

answers:

10
+3  Q: 

Should I allow a 2-char password?

This may sound like a frivolous question, but those in the security field will get it. Should I let the user enter any number of characters as long as it's greater than 0 chars. My logic is:

  1. the password is going to be hashed and salted anyway, and
  2. it's more fun for someone doing a rainbow table to NOT have any length/other guidelines, but
  3. my concern is the brute force dictionary attacks.

Am I sort of on the right track with this?

Since I'm asking the lower limit question, I might as well ask about the upper limit? Again, it's going to be hashed and salted, so db size is not an issue. Then the only issue I can think of in this case is buffers more than anything else, right?

Update For those coming late to the question

So the general consensus seems to be confirming what I initially thought, that the risk of brute force increases. However, the RT cracker's job is not going to be made that much difficult by the fact that they have no clues as to the size. It may in fact be made easier since they start with lower character tables anyway. Correct? (Not to mention the non-technical concerns that have now come up with looking over someone's shoulder, etc. which aren't as big a concern for longer password.)

So the conclusion is: even if you hash/salt the password, short passwords are still a risk

For long passwords however, I'm not sure I have a conclusive answer? Should I worry about buffer overflows, it's still a regular input field after all.

+1  A: 

No. Ideally passwords of 8 characters including numbers and characters is good. 14 or more characters would be even better.

Nathan Z  2009-10-21 19:01:31
14 or more ? I would never want to log into your apps.
JonH  2009-10-21 19:04:18
@JonH - This is not a minimum, but an upper limit, which was asked in the question.
James Black  2009-10-21 19:06:24
Why exactly are upper limits a good thing? I have a 22-character password that I often use, and it really annoys me when I have to shorten it for a particular site.It's not as annoying as the sites which don't allow you to use symbols in your password admittedly.
lhnz  2009-10-21 19:41:00
+2  A: 

Even if it will be hashed, the user types in a password, and 2 characters is trivial to break.

I think for an upper-end, why have a limit, but for a lower-end, 6 characters seems like a reasonable one, I would prefer that 7 be the minimum for security though.

James Black  2009-10-21 19:01:37
Even if users used special characters (which they don't), a 7 character password is only a 46 bit space. Way too small.
erickson  2009-10-21 19:06:22
@erickson - If people feel comfy with that short of one, then they should be able to pick, but for a reasonable lower limit I would like to see 7, but why have an upper limit.
James Black  2009-10-21 19:08:14
If people feel comfy driving after downing a six pack, should they be allowed to? An administrative user who feels comfy picking a poor password could be putting thousands of users at risk.
erickson  2009-10-21 19:19:10
You should have security for what you are protecting. So, a website that has some password, but nothing on there that is too important I may use a shorter password. The passphrase I use for digital signatures on emails was probably 40 words long (well over 200 characters). If an administrator doesn't understand security he shouldn't be doing that job. What are you protecting? That will determine security.
James Black  2009-10-21 19:27:24
+1  A: 

#3 is the key: 2-3 char passwords are too vulnerable to dictionary attacks (too few combinations, and thus able to include the universe in the attack combinations).

Upper limit is irrelevant but anything over 20 characters means that the user is likely to be copying/pasting most, which is bad practice that should not be encouraged.

DVK  2009-10-21 19:01:42
I disagree. I have used much longer passwords on sites that allow that by creating pass-phrases (sentences) and not passwords.
Espo  2009-10-21 19:03:52
I said "likely", not "always" :) - you are the exception, but vast majority of users would not be able to handle typing >20char password even if it is a pass-phrase. It's not only issue of memorizing, but of typing.
DVK  2009-10-21 19:11:32
"Dice words" and other techniques can easily produce secure, memorable passwords longer than 20 characters.
erickson  2009-10-21 19:11:36
I have a 22-character password. There are a few repeated symbols. I'd just like to say it really annoys me when I am not able to use it. Especially on sites where it just silently breaks my user account. :[
lhnz  2009-10-21 19:33:36
@erickson - and how many users know of and use such techniques vs. storing a long password in a text file and copy/paste? Also, as I said, the problem is not so much memorizing the PW, but typing it in. heck, I make typos in 9 character ones frequently enough.
DVK  2009-10-21 19:33:46
@DVK: One might argue that having an ultra-long password is a sign of a security-conscious individual. Is it really right to assume that the kind of person that picks a very long password is going to put it in a text file?
lhnz  2009-10-21 19:44:33
+1  A: 

The people making the rainbow table will probably start with all 1-char length passwords and will then find the short passwords very quickly.

Regarding maximum length you should have none.

Espo  2009-10-21 19:02:22
+5  A: 

No. That's just silly.

If your passwords are properly hashed and salted, rainbow tables are a non-issue, incidentally.

chaos  2009-10-21 19:02:27
+1 for the linky
DVK  2009-10-21 19:13:35
+1  A: 

It leaves your users very susceptible to strangers glancing over their shoulders, doesn't it?

Then, it doesn't really matter whether you black out the password characters in the form or not - if someone sees that they only have two characters in their password, it'll be easy for them to try combinations until they figure it out.

PreciousBodilyFluids  2009-10-21 19:02:41
+1  A: 

The problem with two-letter passwords is social engineering. Somebody may observe the user only typing two keys, and then a brute-force attack becomes realistic (even without writing a program).

If you can rule out such a case (because nobody would ever observe somebody typing a password), I'd argue that a two-letter password is fine even in the light of dictionary attacks. Somebody performing such an attack would still have to try out all realistic combinations, and if you don't prevent regular words from being used as passwords, there is no point in banning two-letter combinations.

Martin v. Löwis  2009-10-21 19:03:46
Watching a password entry is not social engineering. Social engineering is posing as a trustworthy person / an authority to get a user to give out his password voluntarily.
Martin Hohenberg  2009-10-21 19:05:08
So is there a technical term for "finding a password through physical/personal interaction"?
Martin v. Löwis  2009-10-21 19:26:17
Maybe "social engineering" isn't the correct term, but certainly a valid reply.
Chris  2009-10-21 19:34:19
Shoulder-surfing.
erickson  2009-10-21 23:15:45
*All* combinations of letters up to four characters are tried by the Password Recovery Toolkit: http://www.schneier.com/blog/archives/2007/01/choosing_secure.html These aren't first on the list to try, though.
erickson  2009-10-22 04:34:28
+6  A: 

It will leave the attacker with just 1296 options to guess the particular users password.

Dasa  2009-10-21 19:04:26
Not necessarily true. Imagine that standard user selections are limited to standard keys, say: 52 for letters, 20 for numerals and shifted symbols, and 22 for other standard symbols so, a pool of say, 94. While this may be giving the user (and allowed characters) credit, it creates *whopping* 8836 choices at 2 characters. (However, I agree that this pool is trivially small).
pst  2009-10-21 19:16:03
But throttling is in action too, is it still a concern?
Chris  2009-10-21 19:21:31
Depends. Imagine the scenario that one attempt can be made every 10 seconds and the attacker starts a brute force at 2 characters (they have done research, for instance): 8836 choices could be cracked in at most 88360 seconds (~1 day). However, the "average" would be half of that and a smarter selection of the brute-force generation based upon character frequencies could reduce that even further.
pst  2009-10-21 19:37:53
(Of course, that also assumes the user only has a 2 character password; a 2 character minimum limit is not quite the same as a 2 character upper limit :-)
pst  2009-10-21 19:39:02
+2  A: 

The security requirements should be created in relation to the worth of what is being protected and the damage (or liability caused by the damage) that can occur should it be compromised.

Sometimes these are mandated by an organization, client or protocol and turning to such sources for guidance may save hassle in the end and, in more secure cases, may include things such as the use of RSA fobs, security cards or finger-print readers.

Personally, I get annoyed when a site requires some terribly complicated password. I think that 6 characters, including one symbol/number is a fair requirement for, say, a site such as stackoverflow. On my bank account? Let's just say the password is a tad more complex.

But there are additional fundamental security concerns:

  • Brute force and dictionary attacks only practically work if tests may be applied [very] fast. This is why modern UNIX systems use a shadow password file -- it minimizes the chance of collecting passwords for brute force attacks. While "lockouts" can be annoying, they can also practically prevent simple brute forces.
  • Social engineering: "Can I play your character?" What's the name of your girlfriend? Do you write the password down or expose it while being entered? (Is anyone looking?) Is the password you use common for different sites/purposes?
  • Do other "features" circumnavigate security? Can a password be reset or is the current password e-mailed? What restrictions are there on a reset?
  • Is security compromised through other means (HTTP vs. HTTPS or telnet vs. SSH, accessible [plain-text] storage, etc.).
  • And by biggest peeve: Standard security questions. Google for "Sarah Palin Email Hacked". Please, please, please do not go down this route without careful consideration.
pst  2009-10-21 19:26:24
More semantics pulled out of what appears to be the ISC2 study guide. A password alone is insecure regardless of what hashing, salting or line level encryption is in play because it's a single method of security: something you know. Security is about layers and obsfucation.
Nissan Fan  2009-11-04 20:18:10
+1  A: 

Let the user pick any password they want. Put a password strength meter up, but don't restrict the password. It is not your password, it is theirs.

I. J. Kennedy  2009-11-06 15:12:08

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases