B4J Question: Defining Password Strength algorithms

Cableguy

Expert
Licensed User
Longtime User
Hi Guys...

Password strength has become a very serious subject in the server world, and there seems to be NO CONSENSUS about what defines the strength of a password...

So, some take a 'probability count' approach to define the password strength, others just make sure that the password contains a minimum number of characters, be they alphanumeric, upper and lower case and with symbols...

I found a "code snippet" that I was thinking of adapting to my needs, but reading on, I found the comments at the bottom to be very elucidative, thus making me even more confused about which way to go!

Anyone wants to share insights?

Here's the code I was about to adapt... (PS: I found other snippets, but it was that comment that made me create this post)

http://codereview.stackexchange.com/questions/40944/verifying-password-strength-using-javascript
 

udg

Expert
Licensed User
Longtime User
Hi,
I read the comment following the code and I agree on the need to better structure the password strength evaluation method.
Since it's easy to find sites on the Internet where collections of pre-decrypted passwords are made available, I think that your evaluation scale should take into account the possibility of that dictionary-style attack as a base reference.
So, mixing upper and lower case chars, adding numbers and special chars should be only slightly better than not doing so, but if the mix results in a common word (in any language's vocabulary) then its overall score should not be high.
Let's take an example with the password "common":
common: 0 points
Common: 0-1 point
C0mm0n*: 1-2 points
C0mM0n*: same as above
They will all be cracked too easily and in no time.

I see as a better approach (so higher scores) a mix of password length (not less than 8 chars, 10 is better) and misspelled words (chomon is better than common, especially if chomon is not a word in any language other than English).

Another good option would be to use a passphrase instead of a password. This will be easier to recall for the average user and will surely be long enough to resist dictionary-based and brute-force attacks. And, additionally, if they misspell one or two words in the phrase...

Ok, that's for the user. Now for us. Since we will have to store passwords in their hashed form, there's no difference from our point of view between a password and a passphrase, so why not go with the latter?

udg
 
Upvote 0

inakigarm

Well-Known Member
Licensed User
Longtime User
Don't forget to apply control policies like a captcha and a timeout delay between password retries (for example, 1 min after three failed password attempts).
Maybe you'll also want to check anti-DoS policies.
 
Upvote 0
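An added example (not code from the thread) of the lockout policy described in the post above: after three wrong passwords, attempts on that account are refused for one minute. The lockout doubles on each repeat, the same counter is also kept per source address so one password cannot be sprayed across many accounts, and the clock is passed in so the logic can be exercised without waiting. The thresholds, the `acct:`/`ip:` key format and the in-memory user table are assumptions for illustration, not something the thread specifies.

```javascript
// Added example, not from the thread: failed-login throttling with lockout.
// Thresholds, key format and the user table below are constructed assumptions.
class FailedLoginThrottle {
  constructor({ maxFailures = 3, baseLockoutMs = 60000, maxLockoutMs = 3600000 } = {}) {
    this.maxFailures = maxFailures;
    this.baseLockoutMs = baseLockoutMs;
    this.maxLockoutMs = maxLockoutMs;
    this.state = new Map(); // key -> { failures, lockouts, lockedUntil }
  }

  // Call before verifying the password. While locked, the hash is never run:
  // no CPU is spent on the attacker, and the correct password is refused too,
  // so the response cannot reveal whether a guess happened to be right.
  check(key, now = Date.now()) {
    const s = this.state.get(key);
    if (s && s.lockedUntil > now) return { allowed: false, retryAfterMs: s.lockedUntil - now };
    return { allowed: true, retryAfterMs: 0 };
  }

  // Count a failure; on the Nth one start a lockout that doubles each time,
  // up to a cap, so a persistent guesser gets slower and slower.
  recordFailure(key, now = Date.now()) {
    const s = this.state.get(key) || { failures: 0, lockouts: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      const lockoutMs = Math.min(this.baseLockoutMs * 2 ** s.lockouts, this.maxLockoutMs);
      s.lockedUntil = now + lockoutMs;
      s.lockouts += 1;
      s.failures = 0;
    }
    this.state.set(key, s);
    return s.lockedUntil > now ? s.lockedUntil - now : 0;
  }

  // A successful login clears that key's history.
  recordSuccess(key) { this.state.delete(key); }
}

// Constructed stand-in for the user store. A real one holds a slow hash
// (bcrypt/scrypt/Argon2) and compares with a constant-time function.
const USERS = new Map([['alice', 'correct horse battery staple']]);

// `reason` is for the server log; the client should receive one generic
// message for both cases so it cannot tell a locked account from a bad guess.
function login(throttle, user, password, ip, now = Date.now()) {
  for (const key of [`acct:${user}`, `ip:${ip}`]) {
    const c = throttle.check(key, now);
    if (!c.allowed) return { ok: false, reason: 'locked', retryAfterMs: c.retryAfterMs };
  }
  if (USERS.get(user) === password) {
    throttle.recordSuccess(`acct:${user}`);
    return { ok: true };
  }
  throttle.recordFailure(`acct:${user}`, now);
  throttle.recordFailure(`ip:${ip}`, now);
  return { ok: false, reason: 'bad credentials' };
}

// Demo with a fixed clock: three misses, then even the right password waits.
const demo = new FailedLoginThrottle();
for (const [pw, t] of [['wrong', 0], ['wrong', 1000], ['wrong', 2000], ['correct horse battery staple', 3000]]) {
  console.log(t, JSON.stringify(login(demo, 'alice', pw, '10.0.0.5', t)));
}
```

In production the per-address threshold is normally set higher than the per-account one (many legitimate users can share a NAT address), and the state belongs in a shared store such as Redis rather than process memory so it survives restarts and applies across all server instances.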

alwaysbusy

Expert
Licensed User
Longtime User
I was a bit intrigued by this topic so I looked around at what was available. I came across zxcvbn, which is used by Dropbox:

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.


Consider using zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
  • More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
  • More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
  • More usable: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords.
So I wrote a little library that wraps a Java implementation.

Usage (ToString is to visualize, you can use properties to get the real values):
B4X:
Dim pwdCalc As ABZXCVBN 'ignore
Dim strength As ABZStrength

Log(pwdCalc.measure("Alain").ToString)
Log(pwdCalc.measure("Alain2017").ToString)
Log(pwdCalc.measure("A#(}%Abgf'µLongTry!2017Score4").ToString)

Log(pwdCalc.measure("common").ToString)
Log(pwdCalc.measure("Common").ToString)
Log(pwdCalc.measure("C0mm0n*").ToString)
Log(pwdCalc.measure("C0mM0n*").ToString)

Result:
B4X:
Password: Alain
Score: 1
Guesses: 11867.0
GuessesLog10: 4.074340942365077
CrackTimeSeconds:
  OnlineThrottling100perHour: 427212.0
  OnlineNoThrottling10perSecond: 1186.7
  OfflineSlowHashing1e4perSecond: 1.1867
  OfflineFastHashing1e10PerSecond: 1.1867E-6
CrackTimesDisplay:
  OnlineThrottling100perHour: 5 days
  OnlineNoThrottling10perSecond: 20 minutes
  OfflineSlowHashing1e4perSecond: 1 seconds
  OfflineFastHashing1e10PerSecond: less than a second
Feedback:
  Warning: This is a very common password.
  Suggestions:
  Add another word or two. Uncommon words are better.
  Capitalization doesn't help very much.
------------------------------------------------------------
Password: Alain2017
Score: 2
Guesses: 1196600.0
GuessesLog10: 6.077948998506027
CrackTimeSeconds:
  OnlineThrottling100perHour: 4.30776E7
  OnlineNoThrottling10perSecond: 119660.0
  OfflineSlowHashing1e4perSecond: 119.66
  OfflineFastHashing1e10PerSecond: 1.1966E-4
CrackTimesDisplay:
  OnlineThrottling100perHour: 1 year
  OnlineNoThrottling10perSecond: 1 day
  OfflineSlowHashing1e4perSecond: 2 minutes
  OfflineFastHashing1e10PerSecond: less than a second
Feedback:
  Warning:
  Suggestions:
  Add another word or two. Uncommon words are better.
  Capitalization doesn't help very much.
------------------------------------------------------------
Password: A#(}%Abgf'µLongTry!2017Score4
Score: 4
Guesses: 1.03650724E26
GuessesLog10: 26.015572339986143
CrackTimeSeconds:
  OnlineThrottling100perHour: 3.731426064E27
  OnlineNoThrottling10perSecond: 1.03650724E25
  OfflineSlowHashing1e4perSecond: 1.0365072399999999E22
  OfflineFastHashing1e10PerSecond: 1.03650724E16
CrackTimesDisplay:
  OnlineThrottling100perHour: centuries
  OnlineNoThrottling10perSecond: centuries
  OfflineSlowHashing1e4perSecond: centuries
  OfflineFastHashing1e10PerSecond: centuries
Feedback:
  Warning:
  Suggestions:
------------------------------------------------------------
Password: common
Score: 0
Guesses: 344.0
GuessesLog10: 2.53655844257153
CrackTimeSeconds:
  OnlineThrottling100perHour: 12384.0
  OnlineNoThrottling10perSecond: 34.4
  OfflineSlowHashing1e4perSecond: 0.0344
  OfflineFastHashing1e10PerSecond: 3.44E-8
CrackTimesDisplay:
  OnlineThrottling100perHour: 3 hours
  OnlineNoThrottling10perSecond: 34 seconds
  OfflineSlowHashing1e4perSecond: less than a second
  OfflineFastHashing1e10PerSecond: less than a second
Feedback:
  Warning: A word by itself is easy to guess.
  Suggestions:
  Add another word or two. Uncommon words are better.
------------------------------------------------------------
Password: Common
Score: 0
Guesses: 687.0
GuessesLog10: 2.83695673705955
CrackTimeSeconds:
  OnlineThrottling100perHour: 24732.0
  OnlineNoThrottling10perSecond: 68.7
  OfflineSlowHashing1e4perSecond: 0.0687
  OfflineFastHashing1e10PerSecond: 6.87E-8
CrackTimesDisplay:
  OnlineThrottling100perHour: 7 hours
  OnlineNoThrottling10perSecond: 1 minutes
  OfflineSlowHashing1e4perSecond: less than a second
  OfflineFastHashing1e10PerSecond: less than a second
Feedback:
  Warning: A word by itself is easy to guess.
  Suggestions:
  Add another word or two. Uncommon words are better.
  Capitalization doesn't help very much.
------------------------------------------------------------
Password: C0mm0n*
Score: 1
Guesses: 40184.0
GuessesLog10: 4.604053165151493
CrackTimeSeconds:
  OnlineThrottling100perHour: 1446624.0
  OnlineNoThrottling10perSecond: 4018.4
  OfflineSlowHashing1e4perSecond: 4.0184
  OfflineFastHashing1e10PerSecond: 4.0184E-6
CrackTimesDisplay:
  OnlineThrottling100perHour: 17 days
  OnlineNoThrottling10perSecond: 1 hours
  OfflineSlowHashing1e4perSecond: 4 seconds
  OfflineFastHashing1e10PerSecond: less than a second
Feedback:
  Warning:
  Suggestions:
  Add another word or two. Uncommon words are better.
  Capitalization doesn't help very much.
  Predictable substitutions like '@' instead of 'a' don't help very much.
------------------------------------------------------------
Password: C0mM0n*
Score: 1
Guesses: 160920.0
GuessesLog10: 5.2066100238992234
CrackTimeSeconds:
  OnlineThrottling100perHour: 5793120.0
  OnlineNoThrottling10perSecond: 16092.0
  OfflineSlowHashing1e4perSecond: 16.092
  OfflineFastHashing1e10PerSecond: 1.6092E-5
CrackTimesDisplay:
  OnlineThrottling100perHour: 2 months
  OnlineNoThrottling10perSecond: 4 hours
  OfflineSlowHashing1e4perSecond: 16 seconds
  OfflineFastHashing1e10PerSecond: less than a second
Feedback:
  Warning:
  Suggestions:
  Add another word or two. Uncommon words are better.
  Predictable substitutions like '@' instead of 'a' don't help very much.
------------------------------------------------------------

The source code is also available for those who want to play with it some more (mail me, it is too big to upload).

Cheers,

Alain
 

Attachments

  • ABZXCVBNLib.zip
    463 KB · Views: 407
Upvote 0
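To show why udg's hand-scored table and the zxcvbn output above agree that "C0mm0n*" is barely better than "common", here is an added example: a miniature estimator built the way zxcvbn is, as a cracker would work. This is not code from the thread, from zxcvbn or from the ABZXCVBN wrapper. A dictionary word costs its rank in the wordlist times the number of capitalisation and l33t variants a cracker must try; only characters that no pattern explains are charged as brute force. The dictionary, its ranks and the `L33T` table are constructed for illustration (zxcvbn ships tens of thousands of entries and more matchers).

```javascript
// Added example (not from the thread, zxcvbn or ABZXCVBN): a miniature
// zxcvbn-style guess estimator. Dictionary and ranks are constructed.
const DICTIONARY = new Map([
  ['password', 1], ['123456', 2], ['qwerty', 3], ['common', 344], ['alain', 4000],
]);

// Substitutions a cracker's l33t rules undo: "0 for o" costs almost nothing.
const L33T = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '@': 'a', '$': 's', '5': 's', '7': 't' };

function binom(n, k) {
  let r = 1;
  for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i;
  return r;
}

const unl33t = (s) => [...s].map((c) => L33T[c] || c).join('');

// Capitalisation patterns tried before this one (zxcvbn's rule): all-lower
// costs 1, Capitalised or ALLCAPS costs 2, anything else is combinatorial.
function uppercaseVariations(token) {
  const U = (token.match(/[A-Z]/g) || []).length;
  const L = (token.match(/[a-z]/g) || []).length;
  if (U === 0) return 1;
  if (L === 0 || (U === 1 && /^[A-Z]/.test(token))) return 2;
  let v = 0;
  for (let i = 1; i <= Math.min(U, L); i++) v += binom(U + L, i);
  return v;
}

// l33t patterns tried: for each substituted letter, the ways to choose which
// occurrences were substituted (2 when all of them were, as in "c0mm0n").
function l33tVariations(token) {
  const lower = token.toLowerCase();
  let v = 1;
  for (const [sub, orig] of Object.entries(L33T)) {
    const S = [...lower].filter((c) => c === sub).length;
    if (S === 0) continue;
    const U = [...lower].filter((c) => c === orig).length;
    if (U === 0) { v *= 2; continue; }
    let p = 0;
    for (let i = 1; i <= Math.min(U, S); i++) p += binom(U + S, i);
    v *= p;
  }
  return v;
}

// Characters no pattern explains: alphabet size to the power of their length.
function bruteforceGuesses(s) {
  if (s.length === 0) return 1;
  let card = 0;
  if (/[a-z]/.test(s)) card += 26;
  if (/[A-Z]/.test(s)) card += 26;
  if (/[0-9]/.test(s)) card += 10;
  if (/[^a-zA-Z0-9]/.test(s)) card += 33;
  return card ** s.length;
}

// Longest substring that is a dictionary word, as typed or after undoing
// l33t; whatever is left over is priced as brute force.
function estimateGuesses(password) {
  let best = null;
  for (let i = 0; i < password.length; i++) {
    for (let j = password.length; j > i; j--) {
      if (best && j - i <= best.token.length) break;
      const token = password.slice(i, j);
      const lower = token.toLowerCase();
      if (DICTIONARY.has(lower)) { best = { i, j, token, word: lower, l33t: false }; break; }
      const plain = unl33t(lower);
      if (DICTIONARY.has(plain)) { best = { i, j, token, word: plain, l33t: true }; break; }
    }
  }
  if (!best) return { guesses: bruteforceGuesses(password), match: null, feedback: [] };
  const upper = uppercaseVariations(best.token);
  const l33t = best.l33t ? l33tVariations(best.token) : 1;
  const rest = password.slice(0, best.i) + password.slice(best.j);
  const feedback = [];
  if (rest.length === 0) feedback.push('A word by itself is easy to guess.');
  if (upper > 1) feedback.push("Capitalization doesn't help very much.");
  if (l33t > 1) feedback.push("Predictable substitutions like '0' instead of 'o' don't help very much.");
  const guesses = DICTIONARY.get(best.word) * upper * l33t * bruteforceGuesses(rest);
  return { guesses, match: best.word, feedback };
}

// zxcvbn's 0-4 score bands and the four attacker speeds shown in the output above.
const score = (g) => (g < 1e3 ? 0 : g < 1e6 ? 1 : g < 1e8 ? 2 : g < 1e10 ? 3 : 4);
const crackTimeSeconds = (g) => ({
  onlineThrottling100perHour: g / (100 / 3600),
  onlineNoThrottling10perSecond: g / 10,
  offlineSlowHashing1e4perSecond: g / 1e4,
  offlineFastHashing1e10PerSecond: g / 1e10,
});

for (const pw of ['common', 'Common', 'C0mm0n*', 'C0mM0n*', 'P@ssword1', 'Alain2017']) {
  const r = estimateGuesses(pw);
  console.log(pw, r.guesses, 'score', score(r.guesses), crackTimeSeconds(r.guesses), r.feedback);
}
```

With these constructed ranks, "common" costs 344 guesses, "Common" 688 and "C0mm0n*" about 45,000 (rank 344, times 2 for the capital, times 2 for the 0-for-o substitution, times 33 for the trailing symbol), so the symbol and the substitutions together buy roughly two orders of magnitude, still far inside the offline-cracking range. Two caveats a practitioner should keep in mind: this toy has no date, sequence or keyboard matchers, so it charges "2017" as four random digits where zxcvbn recognises a recent year and prices it much lower, and it takes only one dictionary match, so a passphrase of several common words would be overrated; zxcvbn segments the whole password into matches and takes the cheapest segmentation.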

Cableguy

Expert
Licensed User
Longtime User
This thread took its time to get the attention I was looking for, and all of a sudden, it has even surpassed my expectations!

I thank you all for your input!
@alwaysbusy, I did come across the zxcvbn page and liked what I read, but it was wayyyyyy over my abilities to do something with it. So I also thank you, personally, for taking the time to wrap this one for us!
 
Upvote 0