There are many techniques to enforce strong passwords on a website:

  • Requesting that passwords pass a regex of varying complexity
  • Setting the password autonomously, so that casual users have a strong password
  • Letting passwords expire
  • etc.

On the other hand, there are drawbacks, because all of them make life less easy for the user, meaning fewer registrations.

So, what techniques do you use? Which provide the best protection vs. inconvenience ratio?

To clear things up, I am not referring to banking sites or sites that store credit cards. Think more in terms of popular (or not-so-popular) sites that still require registration.

+1  A: 

The best way really depends on your site and what you are using. But the ideal way is to do as much on the client side as you can before they submit it. Using RegEx is a good way. If you can make them not have to submit the form again, that is ideal.

Tom
+7  A: 

Don't enforce anything ... if you are not protecting financial information or something equally important, then don't make the user choose a strong password.

I have the same weak password on a whole load of sites that require registration for forums, etc. I don't really care if someone guesses it and can post messages as me (and don't think there is much motivation for someone to do so). What I can't do is remember different strong passwords for a dozen sites and don't really want to use another piece of software to manage them for me.

The best compromise would be to show some kind of feedback to the user on how strong the password is (based on whether it is a dictionary word, number of different character types, length, etc).

Rob Walker
@Rob Walker: The sad reality is that 1 user in 7 chooses their username as password. As soon as there is *anything* at stake on the site (even things of no monetary value), people *will* complain if their account gets hacked. Had this happen on a 100k user site. :-(
Sklivvz
Hmm.. I just logged into Bank Of America using RobWalker:RobWalker. j/k of course. ;-)
Kip
I like it when an application wants a password from me, and shows how strong it is with some bar/scale and a short textual representation (i.e. weak, average, strong, only breakable by secret service etc.). Encourages to use a strong password, even for an average user. Upvote.
OregonGhost
+1  A: 

On letting passwords expire, there are two notable problems with the practice:

  • Users find it more difficult to remember their current passwords, and so they are more likely to do silly things like write them on a post-it stuck to their monitor.
  • Users don't generate a new, strong, unrelated password on each attempt. Most of the time they use some scheme to generate a password similar to their old one. Therefore, if an attacker gets an old password, it's still pretty easy for them to deduce a newer one.

EDIT: Which isn't to say I'm against the whole idea, but just that this needs to be considered along with other factors.

Adam Bellaire
Don't backtrack, make a point and own it! For the record, I agree. If you're running a service that people are going to log into sporadically, then forcing them to change their password every time is just an unnecessary annoyance.
Dan
+18  A: 

I don't think it's possible to enforce strong passwords, but there are lots of things you can do to encourage them as much as possible.

  • Rate each password and give the user feedback in the form of a score or a graphical bar, etc.
  • Set a minimum password score to weed out the awful ones
  • Have a list of common words that are either banned, or tank the password score

One excellent trick I like to use is to have the password's expiry date tied to the password score. So stronger passwords don't need to be changed so often. This works particularly well if you can give users direct feedback about how long the password they've chosen will live for (and dynamically update it so they can see how adding characters affects the date).

Dan
Really like the trick!
Sklivvz
That's a really great idea. Thanks for sharing.
Rich
Thanks ;) It works best if you don't really need to enforce a password changing policy at all (so you can legitimately allow sufficiently strong passwords to never expire), just use it as a stick to give users some incentive to pick decent ones. With the right UI, it works really well!
Dan
Of course you can enforce it. Users will just hate you for it. As they will if you force password expiry dates. It's hard enough to remember without that interference.
John
+1 for clever trick
Faisal
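The scoring, banned-word and score-linked expiry ideas from Dan's +18 answer (and the strength-meter feedback several other answers ask for) can be put into one small piece of client-side logic. The following is an added example written for this page, not code from any answerer; the point weights, thresholds, lifetime range and the sample banned-word list are constructed for illustration and would be tuned per site.

```javascript
// Added example (not from the thread): a password scorer plus a policy that
// ties a password's lifetime to its score, so stronger passwords live longer
// and the strongest never expire. All thresholds below are illustrative.

// Constructed sample list; a real site would load a much longer one.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome", "abc123", "iloveyou",
]);

const MIN_SCORE = 40;         // below this the password is rejected outright
const NO_EXPIRY_SCORE = 90;   // at or above this the password never expires
const MIN_LIFETIME_DAYS = 30; // lifetime granted to a barely-accepted password
const MAX_LIFETIME_DAYS = 365;

// Rate a candidate password from 0 to 100 and collect human-readable reasons
// that the registration form can show beside the meter.
function scorePassword(password, username = "") {
  const reasons = [];
  // Up to 60 points for length: 3 per character, capped at 20 characters.
  let score = Math.min(password.length, 20) * 3;
  // 10 points for each character class present (lower, upper, digit, other).
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  const present = classes.filter((re) => re.test(password)).length;
  score += present * 10;
  if (present < 2) reasons.push("uses only one kind of character");
  if (password.length < 8) reasons.push("shorter than 8 characters");

  const lower = password.toLowerCase();
  // A banned/common word tanks the score instead of merely subtracting a bit.
  if (COMMON_PASSWORDS.has(lower)) {
    score = Math.min(score, 10);
    reasons.push("is a very common password");
  }
  // The username-as-password case from the comments scores zero.
  if (username && lower === username.toLowerCase()) {
    score = 0;
    reasons.push("is the same as the username");
  }
  return { score, reasons };
}

// Short textual label to display next to a graphical strength bar.
function strengthLabel(score) {
  if (score < MIN_SCORE) return "weak";
  if (score < 70) return "average";
  if (score < NO_EXPIRY_SCORE) return "strong";
  return "excellent";
}

// Lifetime in days as a function of score: 0 means rejected, null means the
// password never expires; in between, lifetime grows linearly with score.
function lifetimeDays(score) {
  if (score < MIN_SCORE) return 0;
  if (score >= NO_EXPIRY_SCORE) return null;
  const perPoint =
    (MAX_LIFETIME_DAYS - MIN_LIFETIME_DAYS) / (NO_EXPIRY_SCORE - MIN_SCORE);
  return MIN_LIFETIME_DAYS + Math.round((score - MIN_SCORE) * perPoint);
}

// Everything a registration form needs to refresh live as the user types.
function evaluatePassword(password, username = "") {
  const { score, reasons } = scorePassword(password, username);
  return {
    score,
    label: strengthLabel(score),
    accepted: score >= MIN_SCORE,
    lifetimeDays: lifetimeDays(score),
    reasons,
  };
}

// Stand-alone demo on constructed inputs.
const samples = [
  ["password", "alice"],
  ["Sklivvz", "sklivvz"],
  ["Tr0ub4dor&3", "bob"],
  ["correct horse battery staple", "carol"],
  ["Correct-Horse-Battery-9", "dave"],
];
for (const [pw, user] of samples) {
  console.log(JSON.stringify(pw), evaluatePassword(pw, user));
}
```

Wire `evaluatePassword` to the password field's input event to drive the bar, the label and a "this password will be valid for N days" line, and run the same function again on the server when the form is submitted, since client-side checks alone are only a convenience for the user, not an enforcement point.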
+2  A: 

Why enforce it?

I found that a "password strength meter" (a bar indicating password strength as you type) is usually a good non-intrusive measure. It makes those who care about security have a guilty conscience about password weakness, yet does not frustrate those who do not care as much.

Also, there is an insightful essay on why periodic password change policy is a bad idea with today's threat model.

Alex B
Thanks for the link! The "you must change passwords every X days" concept has proven exceptionally difficult to put down.
Dave Sherohman
+1  A: 

It's been my experience that it depends really on the type of site, as you said.

If you are creating a bank or financial website then users typically understand if you have a more secure password, since their personal data may be at risk.

However for sites that typically don't contain a lot of personal information a simpler password will be fine. They may be less prone to hack attempts, and wouldn't get anything worthwhile anyway.

I've also found that most people also seem to have a couple of passwords they use often. One being complex, and another being simple. So requesting they use a complex password usually won't keep people from registering.

I've never found expiring passwords to work successfully. As I said before, many people already have a set couple of passwords they use often, so asking them to go outside of this just for your site may make them not want to come back.

AaronS
+1  A: 

There's an Ajax tool, PasswordStrength, that will give the user an idea if their password is any good. I like it because it doesn't have to prohibit the creation of a password.

http://www.asp.net/AJAX/AjaxControlToolkit/Samples/PasswordStrength/PasswordStrength.aspx

Dana
A: 

I've never seen this done, but it seems like it would work wonderfully: the password creation page could have an expandable list of, say, the 50 most common passwords, forcing the user to scroll down a bit before typing in their password. This, combined with Checkers' suggestion, would do much to prevent careless choices.

However, solving the problem of preventing password reuse... no clue.

pookleblinky
+1  A: 

Incentivize! http://www.nakedpassword.com :)

Neil