Thinking of switching to Pass-Phrases

I’m debating whether I should require Pass-Phrases on my new website.

Currently a Password must be…


- 8 to 15 Characters
- At least one Uppercase
- At least one Lowercase
- At least one Number
- At least one Special Character

My concern is that if I make things too difficult for people, they simply won’t become Members?! :eek:

(Let’s face it, not long ago most users struggled coming up with simple 6-8 character alphanumeric Passwords!!)

Would it make sense to leave my Password requirements as-is, and then maybe do some articles and “member education” before then forcing people to create Pass-Phrases??

Also, there is the question, “How difficult must the Pass-Phrases be?”

Some research shows that even Pass-Phrases aren’t all that secure.

http://nakedsecurity.sophos.com/2012/03/19/multi-word-passphrases/

Ideally, I would like to require the following…

Pass-Phrases Requirements:


- 15 to 40 Characters
- At least one Uppercase
- At least one Lowercase
- At least one Number
- At least one Special Character

Is that asking too much for the average user??

If I am going to make the switch, I’d just as soon do it now before I am done Testing my website. But as mentioned above, I’d hate to make things too technical and difficult and scare everyone away!!

Suggestions?

Debbie

DD,

You’re to be commended on the password requirements you’ve had as they make breaking the passwords (if not dictionary words used) nearly impossible.

Of course, increasing the length of the password (AND requiring the same mix of characters) will only strengthen the password but, IMHO, that’s not a realistic burden to put on casual users.

Please remember that Security is a trade-off between Risk, Cost and Convenience.

Many websites (and cPanel) use a combination script to evaluate password strength and/or generate a strong one at the push of a button. You may want to search for one of those as that would handle the Convenience very nicely, be of low (probably no) Cost and the strength would minimize Risk.

Regards,

DK

We made an algorithm years ago that compares the password strength depending on what the user enters, and at the start we used it to enforce that the accounts had a password of at minimum “good” strength.

As you have noticed, this can turn off some users from creating an account/buying your product. After we just left the algorithm as a visual guide (javascript) showing color codes as the user enters their password, we saw an increase in the number of users completing the signup, and surprisingly just having the visual aid on the password strength was enough for most people to create a stronger password.

I noticed one of your password restrictions is that it needs to be 8 to 15 characters. I would remove the max length, as you don’t care if the user enters a password that is eight characters or forty characters long; since the password is hashed before being stored in the database, the max length on the password does not matter.

A relevant webcomic on the subject: http://xkcd.com/936/
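The colour-coded visual guide described a couple of posts up, as an added example (not the poster’s script): it only advises and never blocks signup, it has no maximum length, and the score is a pool-size entropy estimate with a penalty for repeats and keyboard-style sequences. The thresholds and the 33-symbol pool are assumptions.

```javascript
// Added example: advisory strength meter, not the thread poster's code.
// Entropy estimate = log2(character pool) * length, minus a penalty for
// adjacent repeated or sequential characters ("aaaa", "abcd", "1234").
function estimateBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33; // printable ASCII symbols (assumed pool)
  if (pool === 0) return 0;
  const perChar = Math.log2(pool);
  let bits = perChar * pw.length;
  // Each repeated or +/-1 step character is worth about one bit, not perChar.
  let penalty = 0;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (d === 0 || d === 1 || d === -1) penalty += perChar - 1;
  }
  return Math.max(0, bits - penalty);
}

// Map the estimate to a level and a colour for the meter (thresholds assumed).
function strengthColour(pw) {
  const bits = estimateBits(pw);
  if (bits < 28) return { level: "weak", colour: "red", bits };
  if (bits < 50) return { level: "fair", colour: "orange", bits };
  if (bits < 70) return { level: "good", colour: "yellowgreen", bits };
  return { level: "strong", colour: "green", bits };
}

// Wire the meter to a password field; the form itself stays submittable.
function attachMeter(inputEl, meterEl) {
  inputEl.addEventListener("input", () => {
    const r = strengthColour(inputEl.value);
    meterEl.style.background = r.colour;
    meterEl.textContent = r.level + " (~" + Math.round(r.bits) + " bits)";
  });
}
```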

You could try what my bank does.

To log in to my bank’s internet banking you have a three step approach.

#1 - entering your 10 digit internet banking account number
#2 - enter three elements from your password, these are randomly requested
for example if your password is “aSecurePassword” and the login system asks you to enter characters 2,6,13 you would then need to enter S,r & o
#3 - enter a reply to one of three questions that were set when you made the account
a) Your favorite Movie or TV program
b) Your favorite School Subject or Hobby
c) A place memorable to you

=====================================

On the surface that doesn’t look like much protection until you do the math, which I am not going to attempt to do because it is a seriously huge enormous number, possibly in the realms of a googol.

The problem is that this is not really as “secure” as it might seem.

The only secure part of it is the password, and even that is flawed since it means they store the passwords readable on their side (hopefully encrypted). In addition it forces you as a user to start thinking, since you need specific letters from the password text, and not the full thing.

On point three, you would be surprised how easy questions like that can be “broken” by a little social engineering, especially these days with all the online systems people use (facebook, linkedin, twitter etc).

It is very secure I can assure you, because the hacker needs to know specific information about you; they would have to try and calculate three (separate entries) single letters each time you attempt a log in, and you have another scenario of needing 1 of three randomly selected questions and answers.

So you have a 10 digit account number, that’s 10^10 * 10^9 * 10^8 * 10^7 * 10^6 * 10^5 * 10^4 * 10^3 * 10^2 * 10^1 * 65^3 * 65^2 * 65^1 * 3^3 * 3^2 * 3^1 = 5.49804E+68 combinations or thereabouts.

I am pretty sure that is a big enough number of combinations to secure an online bank account or any kind of passwording system. Sure all passwords are stored as a secure hashed code, what idiots would store passwords as items that can be decoded?

As for breaking the case with social engineering, that is a matter of stupidity on people’s part for putting their life online; sure I have a Facebook Account, but screw Zuckerberg, all my personal information is wrong, birthday, place I live, etc… what kind of moron tells someone who sells your personal data about yourself?

As for the questions, they are not “The Questions” they are an example to show how it works.

I agree that 8 to 15 characters is strong enough. If you really want to add more security I would add something like Google Authenticator (see http://blog.liip.ch/archive/2011/08/29/2-step-verification-with-google-authenticator-and-php.html) so that people get a code from their phone that changes every 30 seconds they need to fill in along with the username and password.

This is a combination of something you know (i.e., your password), plus something you own (i.e., your phone), making it a very good security measure. Better than any password on its own, ever.

If someone tries to hack a bank account, or any system at all through the website login system, then it is because they at least have partial information about the account.

There is no one who would try to brute force something unless you know you have at least one valid entity. I.e. username, bank account number etc. Else you just don’t know which one is throwing the failure.

If you stop for a second, and think about how you explained the password phrase work, you will see that there is no way it can be stored hashed, as that is a one way encryption. I.e. you would need to enter the entire password phrase each time, instead of a section of it.

The major issue with this one is that they protect the account with the “password phrase characters”, this is so your information is not captured and allowing someone else to login to your account. But the problem is that if someone is able to capture the information once, they just need to wait for you to access the bank account several times and the chance for them to be able to successfully login is quite large.

Today, there are trojan horses which help criminals to even do money transfers from banks which use RSA keys for protection, which is a much more delicate process, due to the lifespan of the RSA keys.

Personally, I would not even use online banking unless they use an RSA key system, or at least a one-time key based system (i.e. codes on a paper) which is applied both when you login, but also to approve every transaction.

This can be a good idea, assuming that your member group has access to a mobile phone that supports the app. Though you can be using normal RSA key generators, they have actually become quite inexpensive the last few years.

Though, for a normal membership website, it might be overkill due to the extra steps the users need to take to login.

Also keep in mind, if the database is breached and they get the RSA ids (which are used to know what key is generated per user) then this security layer is broken, so it’s best to encrypt the id stored on the server side per user.

You forget that each character can be stored as a hash, so if your password is qazwer1234?p you have 12 characters that get encoded, the system knows that the characters sent via HTTPS are not coded until the server hashes each character and checks against the stored hash.

If you allow non standard characters like my bank does, you have 65 potential variances of upper and lower case and non standard characters.

The bank account number for online banking is not your account number, it is long enough to make the possible combinations too long to spend too much time, even if it is brute forced, the next problem to resolve is the 12 digit password that has 3 chosen characters at random and then one of three questions that are questions chosen by the user.

You also have to know where the person banks and overcome HTTPS which is encrypted in any case.

So if 5.49804E+68 combinations isn’t big enough, even at a rate of 10 tries per second,

we are talking about 1.74E+60 years to crack; sure, you would possibly crack the combination earlier, this obviously assumes that you have to go through every combination to hack it and doesn’t take into account randomness or someone keeping the details written down.

If the system was not secure, banks wouldn’t use it; apart from that there’s another element with telephone banking attached to the online element that requires an additional 4 digit pin to access the menu and then you need the online banking log in…

I am sorry, but you are coming at this from the wrong angle. You assume that someone would “brute force” your bank login, which no one would ever try to do.

By intercepting the data, for example by a targeted trojan, which is the way bank accounts are “taken over” these days, the attacker will be able to get all of your information. So since there is no completely random item like an RSA key, as long as they monitor anyone using your bank long enough, they will gather enough information to have a high chance to get access to their account.

Keep in mind that this kind of fraud is today a billion dollar industry, and different criminal organizations have their own software development companies these days.

In regards to “if it was not secure, the banks would not use it”, that is false by itself. In the US several banks only require a username and password when you login, same in several east European countries (and possibly other places in the world). These banks would claim their login process is secure, but since they are not behind a large banking group they don’t have the resources to roll out proper and secure solutions to their customers. Please note that for some countries this development is slow because Internet banking does not give you full control over your assets yet, so even if someone gets access to the account, the damage that can be done is limited.