Last couple of months I've been wondering about all these password strength meters on websites. If you use the same password in every one of those registration forms, the result on the meter is sometimes different. One says "Strong", another says "Normal", and there are probably some that would even say "Weak".

So the question is, what if there were a standard, used by programmers in their work, to make it a little bit less confusing and sometimes annoying?

And if you say yes and no, please give an argument or two.

Thanks!

P.S. Not sure if this has been discussed before; please be cool if this is a "repeat".

Edit

Looks like the question has been compromised. I wasn't thinking of starting a discussion about password strengths. To be honest, every password can be stolen; you just need the proper tools.

It's not about security in one site or another. I haven't actually seen a bank website utilizing any kind of security measures, they do everything on their own to make it unique, probably.

Let's give it one more shot. If there were a campaign where programmers showed their code for their method and others would have to vote, following some voting guidelines, like: you have to judge simplicity, compatibility and security.

Then, the winning method (voted by programmers) would be picked as "standard" method and popularized to be used in forms.

Do you see any use in that kind of method, and if you do, would you use it?

A: 

From Wikipedia:

The strength of a random password can be calculated by computing the information entropy. If each symbol in the password is produced independently, a password's information entropy is given by the formula:

H = L · log2(N)

where N is the number of possible symbols and L is the number of symbols in the password. The function log2 is the base-2 logarithm. H is measured in bits.

The calculation is detailed on the Wikipedia page.

fredley
"If each symbol in the password is produced independently" - but, in practice, user-generated passwords aren't, are they?
Rup
"NIST suggests the following scheme to estimate password entropy: the entropy of the first character is four bits; the entropy of the next seven characters are two bits per character; the ninth through the twentieth character has 1.5 bits of entropy per character; characters 21 and above have one bit of entropy per character. This suggests that [...] an eight-character password has about 18 bits of entropy."
fredley
So you're saying that this is the "current" standard which people are using?
Tom
+3  A: 

Standardizing the strength of passwords using relative terms like "weak" and "strong" is kind of like standardizing the strength of a lock using similar terms. You can't measure "weak" or "strong"; what you can measure is how long it would take to break (similar to security ratings on physical locks/safes), acceptable tolerances of candidate keys (how close does a fingerprint, or key grinding, have to be to the original sample the lock was keyed to in order to work), etc.

Fredley's algorithm will give you a number. That number can be compared to any other, and much like any measurement you can quantify relative strength or weakness. As for defining standards like "X is weak", "Y is normal", I don't think you'll get all interested parties to agree, because the absolute strength of a key must always be taken in reference to the value of the resource it protects. You (or your daughter) wouldn't put her diary in a safe deposit box at the bank behind a vault door; an 80-cent toy lock would provide "strong" security against those she didn't want reading it (snot-nosed little or big brother, sleepover guests, etc). However, that 80-cent toy lock wouldn't last two seconds on the door of your safe deposit box, where the deed to your house, the title to your car, and your great-grandmother's one-off 25-carat diamond necklace are kept.

Similarly, the password (or more accurately the compound security measure) required for a bank website will be stronger than for an online forum because the resource it protects has more material value. The forum's just words (though there are some famous cases of Facebook hacking resulting in compromising photo leaks); if a hacker gets into your bank records, they can seriously ruin your life.

So, "MittensABC" would be an acceptable password for most forums because it's longer than 8 characters (26^8 = roughly 208 billion combinations of random letters) and contains uppercase and lowercase letters (the sample space required to "brute-force" this password would be 52^10 = 144 quadrillion possible combinations of 10-character case-sensitive strings). However, it would be totally inadequate for a bank: it is made up primarily of a dictionary word, and is different only because you added an easy-to-guess letter combination, so an "intelligent" cracking algorithm could reduce the initial sample space to the 100k or so words in modern usage, and append basic letter and number strings to come up with maybe a couple million possibilities (child's play for a computer to churn through). By the same token, many sites that offer access to very private information don't allow use of birthdays, SSNs, etc. in passwords, since if that information were stolen it could be given as hints to a cracking algorithm, further reducing the initial likely sample space.

In summary, what makes a "good" password depends on how likely a hacker/cracker will be to persist at trying to break that password. There are other useful tools like a 10-second cooldown between login attempts, or a certain number of attempts in a 15-minute period, which make it virtually impossible to leverage the speed of a computer, but an intelligent algorithm, a website vulnerability, or a dumb user can all increase the chances of a successful hack.

KeithS
Note that banks get away with 4- or 5-digit passwords (at least mine does) since they lock your account after three tries. What would be most secure, actually, would be to not allow users to choose their own passwords. Since you can then use the complete range of possible words instead of arbitrarily restricting them (I once had to implement a policy that had a lot of idiotic restrictions that brought down the number of possible passwords considerably), you don't have to try giving users hints about how easily they can get their accounts stolen ;-)
Joey
I'm actually thinking more of a standardized method to be used, so people don't end up confused that Hotmail said their password is strong but Google said it's weak. About your "X" and "Y", it would be awesome if there were constant values for those, which would then be used worldwide, and people would know when their password is safe and when it is not. *method actually could be extended* And by the way, this is just an example of what I've thought about.
Tom
@Joey: those are PINs in most cases, and yes, they require a limited number of tries. BofA's website password requires 8 or more chars, and at least one upper, lower, and number, just for "normal" strength. A symbol immediately makes it "strong", but obviously they restrict the allowable symbols to dashes, underscores and a couple of others to prevent injection attacks. @Tom: My whole point was that there CAN'T be a constant value for X and Y, because how strong a password is depends on many factors, including the value of what it protects and other security measures in place.
KeithS
But with a very good formula calculating the results, there is a chance that people would start to think of stronger passwords on every site. And a strong password everywhere isn't that bad at all. *only my opinion*
Tom
Keith: My online banking uses a 5-digit password; it's not the same as the PIN for my debit card. Might still be idiocy, or not bothering with anything stronger on their behalf.
Joey
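An added example, written for this page and not taken from any of the answers, that puts numbers on the three strength models discussed above: the H = L · log2(N) formula and the NIST rule of thumb from Fredley's answer and its comments, and KeithS's "dictionary word plus suffix" cracking model applied to MittensABC. The 100k dictionary size is the figure KeithS quotes; the toy word list and the character-class pool sizes are assumptions of this example.

```python
import math
import string

# Constructed inputs: the password from KeithS's answer and a toy word list
# standing in for the ~100k-word dictionary he mentions.
SAMPLE = "MittensABC"
TOY_WORDS = {"mittens", "kitten", "password", "diary"}

def pool_size(password):
    """N in H = L*log2(N): alphabet size implied by the character classes present."""
    n = 0
    if any(c.islower() for c in password):
        n += 26
    if any(c.isupper() for c in password):
        n += 26
    if any(c.isdigit() for c in password):
        n += 10
    if any(c in string.punctuation for c in password):
        n += len(string.punctuation)  # 32 printable ASCII symbols
    return n

def random_entropy_bits(password):
    """Wikipedia formula H = L*log2(N): assumes every symbol was chosen
    independently and uniformly, which human-chosen passwords are not."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0

def nist_entropy_bits(password):
    """NIST rule of thumb quoted in the comments: 4 bits for the first
    character, 2 bits each for characters 2-8, 1.5 for 9-20, 1 after that."""
    per_char = [4 if i == 1 else 2 if i <= 8 else 1.5 if i <= 20 else 1
                for i in range(1, len(password) + 1)]
    return float(sum(per_char))

def dictionary_entropy_bits(password, words=TOY_WORDS, dict_size=100_000):
    """KeithS's 'intelligent cracker' model: guess a dictionary word, then
    brute-force whatever was appended. Search space = dict_size * N^len(tail)."""
    for k in range(len(password), 0, -1):  # longest dictionary prefix wins
        if password[:k].lower() in words:
            return math.log2(dict_size) + random_entropy_bits(password[k:])
    return random_entropy_bits(password)   # no dictionary word: fall back

def strength_estimates(password):
    """All three estimates for one password, rounded to 0.1 bit."""
    return {"random": round(random_entropy_bits(password), 1),
            "nist": round(nist_entropy_bits(password), 1),
            "dictionary": round(dictionary_entropy_bits(password), 1)}

if __name__ == "__main__":
    print(SAMPLE, strength_estimates(SAMPLE))  # 57.0 / 21.0 / 30.7 bits
```

The same ten-character password scores anywhere from 57 bits down to 21 bits depending on the model, which is exactly the meter-to-meter disagreement the question complains about.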
+1  A: 

Do you want a theoretical answer to measure the strength or some practical implementation that's more-or-less a de-facto standard?

If it's the latter, there are some good links from this old question

and some jQuery plugins that are probably de-facto standards, e.g.

because they're available and easy to drop in, even if there isn't any cited research behind the strength algorithms. The obvious omission with these is a dictionary check to make sure you haven't used something from or simply based on a dictionary word, which may well require a server-side implementation to do well. (Which is OK, I guess, since you're ultimately sending the password you compose to the same server.)

Rup