ansaurus

Question

Answer 1

+11 A:

I must say I think this is a bad idea... If you want them to be strong, come up with better requirements.. must be at least 8 characters, contain upper AND lowercase letters, contain at least one number, and at least one special character. Implement a maximum authorization failure counter before disabling an account. Once that's done, what are you worried about?

Fosco 2010-07-09 17:51:53

+1 for better direction, more relevant security principles.

andyortlieb 2010-07-09 17:54:54

Have to say, I agree :) "De-1337-ifying" is not trivial at all. A quick example would be that '4' == 'a' in 1337, soo, do you want to disallow all 4's?

cwap 2010-07-09 17:55:14

I think the op wants to prevent passwords like "l33t haxx0r", which is pretty trivial and probably rather common. It has 8 characters, at least one number, and a special character, but is not secure.

Stephen Cleary 2010-07-09 17:58:36

@Stephen even then the OPs question wants to de1337ify that... and they would get something like "leet haxxor" or "elite hacker" depending on what rules they follow, they would be better off adding "l33t haxx0r" to the dictionary of bad passwords.

Shaded 2010-07-09 18:03:13

@Stephen Cleary then a better idea might be to add common l33t-speak phrases like 1337, h4x0r, etc. to the dictionary and don't allow passwords to contain substrings of those words.

Jonathon 2010-07-09 18:05:17

I don't think the OP is only interested in common 1337 wordings, like h4x0r etc., but also the usage of 1337 in a password to conform to his rules. For example, if I normally use "escobar" as my password, then he won't allow "esc0b4r" -- Well, at least that's how I interpret his problem description :)

cwap 2010-07-09 18:10:20

@Jonathon: I agree with you. I was just pointing out that this answer doesn't really address the OP's problem - he is already planning on defining strong password requirements.

Stephen Cleary 2010-07-09 18:16:03

Well, just like trying to help someone in the "business" when you're in "IT," sometimes you have to explain that what they are asking for isn't really what they want.

Fosco 2010-07-09 18:31:34

Thanks all. Many of these suggestions are already in-effect in the system, I didn't mention them because they weren't terribly relevant to the question. I have a complexity measure in in terms of bits of entropy as per the NIST publication on the subject. passwords must be at least equivalent to 56 bits (configurable by policy). But a dictionary check is an important suplement to that. "P@s5W0rd" may pass simple regex checks, and even look like good entropy, but it is not a good password because it is a dictionary word that has been leeted which adds trivial overhead to a dicitonary attack.

DanO 2010-07-09 18:55:01

@DanO: Why would you be vulnerable to a dictionary attack?

Fosco 2010-07-09 19:05:56

Hopefully we are not. There is a principle in security known as defense in-depth. Even though we lock-out after say 5 failed attempts, and take other precations is is best to have multiple layers of defense rather than relying on any one layer... strong as it may be.

DanO 2010-07-09 19:19:47

If the unthinkable happend and someone obtained our hashed passwords from the database, they could easily run a 10,000 word dictionary against those hashed for matches. They only need one user to have used a dictionary word. Add-in simple leetification (the way many user add required symbols) and the attacker could add 5 leet variations to each dictionary word and still only be at 50,000 hashes they need to perform. That is only equivalent to an 8-bit key

DanO 2010-07-09 19:50:25

@DanO I hear you and I'm not trying to be difficult.. I added some code in another answer. I feel like I have to be snarky though and mention that if someone obtains your hashed passwords, leet speak is the least of your problems :)

Fosco 2010-07-09 19:58:26

@DanO 50,000 possibilities would be about a 16-bit key not 8-bit. Oops.

DanO 2010-07-09 20:17:14

Answer 2

+4 A:

Also offering some code::

        String password  = @"\/\/4573Fu|_";
        Dictionary<string, string> leetRules = new Dictionary<string, string>();

        leetRules.Add("4", "A");
        leetRules.Add(@"/\", "A");
        leetRules.Add("@", "A");
        leetRules.Add("^", "A");

        leetRules.Add("13", "B");
        leetRules.Add("/3", "B");
        leetRules.Add("|3", "B");
        leetRules.Add("8", "B");

        leetRules.Add("><", "X");

        leetRules.Add("<", "C");
        leetRules.Add("(", "C");

        leetRules.Add("|)", "D");
        leetRules.Add("|>", "D");

        leetRules.Add("3", "E");

        leetRules.Add("6", "G");

        leetRules.Add("/-/", "H");
        leetRules.Add("[-]", "H");
        leetRules.Add("]-[", "H");

        leetRules.Add("!", "I");

        leetRules.Add("|_", "L");

        leetRules.Add("_/", "J");
        leetRules.Add("_|", "J");

        leetRules.Add("1", "L");

        leetRules.Add("0", "O");

        leetRules.Add("5", "S");

        leetRules.Add("7", "T");

        leetRules.Add(@"\/\/", "W");
        leetRules.Add(@"\/", "V");

        leetRules.Add("2", "Z");

        foreach (KeyValuePair<string,string> x in leetRules)
        {
            password = password.Replace(x.Key, x.Value);
        }

        MessageBox.Show(password.ToUpper());

Fosco 2010-07-09 19:44:36

I think a map leet=>unleet would be better, as you wouldn't have to type leetRules.Add for every pair.

tstenner 2010-07-09 19:52:06

Thanks, that is perfect. Extensible, simple. These substitutions could be in a file to make it even more extensible. The suffixes like -xor and -zorz could just be removed. Is there no more to leet than just this substitution cipher? Wasteful? Interesting choice of password.

DanO 2010-07-09 20:01:43

I though there might be more grammar involved with leet than just substitution. Dealing with grammars was one part of CS I didn't care for.

DanO 2010-07-09 20:03:22

As far as building on this to support grammar and additional replacements, the function would likely never return just 1 result from an inbound password. If you want to be returned an array of every possible replacement (i.e. h4ck = hack, hax, haxx) then I could assist in expanding it. As it is now, I ordered some replacements specifically to not mess up replacements taking place later.

Fosco 2010-07-09 20:12:32

Answer 3

+1 A:

Why don't you just implement a function to just create "pronounceable" passwords and require users to use them? It seems like much less work and better security.

Jay 2010-07-09 21:26:18

This is good suggestion, and an interesting idea, as user generated passwords do have inherent problems most of the time. In this case though, users need to be able to choose their own password, and we just have to make sure it is strong enough. That is a great idea to offer if they want help coming up with a password.

DanO 2010-07-09 22:40:59

ansaurus

tags:

views:

answers:

Convert leet-speak to plaintext.

related questions