Comments on Jeremiah Grossman: All about Website Password Policies
Blogger comment feed, last updated 2024-02-08T03:44:23-08:00

----

Anonymous, 2012-09-23T03:49:45-07:00

@Jeremiah, Stephan Wehner is talking about the section of the Purdue page that begins "Now, looking back over those, periodic password changing really only reduces the threats posed by guessing, and by weak cracking attempts. If any of the other attack methods succeed, the password needs to be changed immediately to be protected—a periodic change is likely to be too late to effectively protect the target system."

The basic argument is that password change policies help, but in the same way that driving with a pillow under your shirt helps in a car crash... it's marginally safer, but distracts you from more effective measures (seatbelts, airbags, defensive driving / password complexity, brute force mitigation, intrusion detection).

----

Anonymous, 2012-08-22T18:40:32-07:00

Server side: bcrypt

If your database is compromised, a salt won't do anything for you. It might take the hacker a few extra hours to crack the system.

SHA-1 -> libraries of the hashes exist; you just search for the hash on Google and you can find what it means.
SHA-1 + salt -> not much better. It just takes a lot of generating random strings into a library of hashes. Once you have the library, you can search the DB hash vs. the library.

----

Anonymous, 2011-12-09T00:15:51-08:00

Jeremiah,

Regarding this passage:

"It's better to let the user choose their password length, then chop the end to a reasonable size when it's used or stored. This ensures both password strength and a pleasant user experience."

Pleasant experience? This is not necessarily so, and I have personal experience to back it up. While in college, I had to come up with a password for an ATM card. The password was 8 characters long (out of a maximum of 10, I think), and I wrote it down on the bank's form.

Over the next five years, the local banks in the area merged and/or got acquired. In my last year in college, I found that my ATM password didn't work anymore after exceeding the proverbial three tries.

I went to a branch to get help. The restriction was lifted (so that my old password was still valid) and yet it didn't work.

Nobody could figure out what was going on until someone noticed that I appeared to be punching "too many characters" for my password: the last bank that got acquired (but not my original bank by far) truncated passwords at the 6th place. The new acquiring bank didn't have such a restriction. In essence, over the years my 8-character password had been changed to a 6-character password. I typed my password up to the 6th place and, voila, it worked.

I lucked out because the person who noticed I had "too many characters" was one of a handful of old bank staff members remaining after the acquisition.

(As to why they didn't clue in to this before, apparently most people created passwords with the minimum, 4 characters, and the issue didn't come up.)

----

Mushegh Hakhinian (https://www.blogger.com/profile/16059285530079050236), 2009-10-31T11:42:05-07:00

Jeremiah, as always, an interesting read. I would like to get your opinion on length and complexity: a 16-character 'lowercase only' password has about 10 million times more possible values than an 8-character one forced to contain characters from all 95 symbols on the keyboard. This is more secure not only because it is easier to remember, but also because most password crackers will not try to guess 16-character-long passwords. Allow me to disagree on password strength meters: they are harmful. Essentially, the strength meter lets the end user choose the lowest-security password that it would accept. 'AAAaaa111!!!' will score as 'Strongest' and 'ilikereadingblogs' will score as 'Weak' on most of them. (If interested, more can be found on my company's blog: http://blog.intralinks.com/blog/2009/10/01/science-creating-strong-passwords)

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2009-10-29T09:47:23-07:00

@Anonymous 6-8 characters in length as a minimum is good, but as the article says, heavily dependent upon character set and number-of-attempt restrictions. And I'd find nothing wrong with posting a password policy, provided it is a relatively good one. :)

----

Anonymous, 2009-10-29T02:21:16-07:00

Could you recommend or provide some freely available JavaScript libraries that developers may use to implement the feature to avoid, or better, not to allow simple passwords? Thanks in advance.

----

Anonymous, 2009-10-28T17:45:16-07:00

Jeremiah, what are your thoughts on the max password length allowed on an ordering site? What's the best-practice length?

Also, do you see any implication in publishing a password policy, including the max password length allowed, on your website? I went to various sites such as Amazon and eBay and realised that the max password length is not stated anywhere on the sites, and I'm trying to understand whether there is a reasoning behind it.

Insights will be appreciated.

Thanks!

----

Anonymous (http://play2winok.blogspot.com), 2009-10-25T01:37:29-07:00

Another awesome article, thank you for sharing it with us.

----

Clerkendweller (http://www.clerkendweller.com), 2009-10-09T02:29:30-07:00

In most cases you should inform users in text what the policy length and character requirements are, and give some advice on avoiding re-using, sharing or having simple passwords. Some people advise against stating these policy aspects, but you can usually infer them from things like strength testers, so unless it's a super-critical application (where you aren't just relying on passwords for authentication?), it doesn't really alter the ability of an attacker to work it out.

----

Richard Wang - SophosLabs (http://www.sophos.com/blogs/sophoslabs), 2009-10-08T14:11:27-07:00

Restricting the length of a password is a technique that should only be used with great care. Simply truncating a password could lead to a dramatically weaker password. Consider, for example, a user who uses a passphrase of 'daffodilsaremyfavoriteflowers'. It would take a brute force attacker a pretty long time to break that even without the use of numbers or special characters. However, if the phrase is truncated to 8 characters, 'daffodil', then it is immediately vulnerable to a simple dictionary attack. Personally I would be rather unhappy to discover that my own carefully chosen passwords were silently weakened by the sites I log in to.

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2009-10-08T10:58:19-07:00

@Mark taken from...

http://jeremiahgrossman.blogspot.com/2006/09/5-more-security-tips-for-power-users.html

"Damn those secret questions!
Everyone eventually forgets a password and needs to regain access to their account. Most password recovery methods are fairly straightforward, providing a few different options to verify your identity. The one method that really drives me crazy is the "clever" secret question and answers. There is no friggin' way I'm giving any website the name of my 3rd grade kindergarten teacher, dog, or high school and certainly not my favorite color. If a breach was to occur, and they do all the time, then I've just lost MORE personal information. To circumvent this nonsense, I've begun treating secret QnA's like username/password pairs. Imagine the surprise of the customer support person when I tell them the name of my dog is ji*P5c$r."

----

Unknown (https://www.blogger.com/profile/07993420631535397739), 2009-10-08T08:54:10-07:00

On a rapidly growing number of sites, I'm getting forced to create "security questions" that seem to be intended to increase the level of security. I'm curious about your take on this practice. I have to say, as a user, I hate it because the questions are usually limited to those created by the site and involve information that's often possible to get from public records... like mother's maiden name. What I've taken to doing for sensitive sites is creating fake answers to these questions and trying to remember the fake answers... which is pretty hard to do.

----

Paul van Woudenberg (https://www.blogger.com/profile/10986606192651621415), 2009-10-08T07:33:41-07:00

@ Michael Janke: Bruce Schneier explains this elegantly in "Applied Cryptography":

"To make dictionary attacks less effective, each password, upon initial entry, may be augmented with a t-bit random string called a salt (it alters the "flavor" of the password) before applying the one-way function. Both the hashed password and the salt are recorded in the password file. When the user subsequently enters a password, the system looks up the salt, and applies the one-way function to the entered password, as altered or augmented by the salt. The difficulty of exhaustive search on any particular user's password is unchanged by salting (since the salt is given in cleartext in the password file); however, salting increases the complexity of a dictionary attack against a large set of passwords simultaneously, by requiring the dictionary to contain 2^t variations of each trial password, implying a larger memory requirement for storing an encrypted dictionary, and correspondingly more time for its preparation. Note that with salting, two users who choose the same password have different entries in the system password file. In some systems, it may be appropriate to use an entity's userid itself as salt."

----

Michael Janke (https://www.blogger.com/profile/00357905802460949707), 2009-10-08T05:07:22-07:00

If the salts are random, how do you re-associate the salt that you used for a particular password? It seems like you'd have to store it somewhere, and as soon as you do that, you've degraded its value.

----

JibbaJabber (http://blog.dudael.net), 2009-10-08T00:23:21-07:00

Don't forget about the new logins most sites are using to thwart locally based attacks on networks that 'sniff' the network for logins via HTTP to send them to the bad guys. It was quite silent, but the major players (Hotmail, Yahoo, Gmail, Facebook, Myspace, etc.) have been using an AJAX-based login for a little while to thwart even man-in-the-middle attacks by asynchronously passing the information through one or several different HTTPS servers with their own SSL certificates, from which no freely available tool has yet been able to produce a viable way to extract login data. Interesting, huh?
*waits for someone to develop an AJAX sniffer*

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2009-10-07T17:22:13-07:00

@Stephan - Thanks for the comment and the link, a thought-provoking read. Unless there is a particular section to which you could refer me, I must stand by my original quote you cited as technically sound.

As something else to consider, Web users tend to use the same password across multiple systems. Should one system be compromised and passwords lost, the users' accounts across the other systems become at risk. Password aging helps negate that particular threat to at least some degree.

Another problem is users who share their passwords with "trusted" others, who may save them or share them at a later time. This risk builds up, and again, password aging helps.

I agree that too-frequent password aging is annoying and arguably of marginal value, but maintain that some worthwhile value can be gained even if only annually enforced.

----

Stephan Wehner (http://stephan.sugarmotor.org), 2009-10-07T16:04:09-07:00

You wrote, "Passwords should be periodically changed because the longer they are around, the more likely they are to be guessed."

I thought this was not necessarily helpful. See also the discussion at

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

Stephan