I agree that users do choose poor passwords. But even using an extended character set you see them choose passwords like "T!mmy". From a cracker's point of view there is little difference between Timmy and T!mmy.

I definitely agree that long pass phrases are best all around - even using words. Set the min length at 20 and let the user choose whatever they want.

I just brought up the point because I have seen more than one website, including my bank, that forces an extended char set but limits the password length to a MAX of 8 characters. Yeesh.

Security in layers - everything is a compromise.
Shane Heasley
www.CTek-Media.com
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dean H. Saxe
Sent: Monday, March 09, 2009 10:54 AM
To: [email protected]
Subject: Re: [ACFUG Discuss] Password CFinput regular expression - throws alert/error after correction also
I'm not sure I totally agree with you.

Yes, the math is not good when you force character sets like this, but the reality is that users choose bad passwords.

http://www.schneier.com/essay-144.html

The enforcement of complex passwords improves overall complexity for most users.

From the social engineering side, you are right, users may write down their passwords. But you'd have to find the password to break in, as opposed to guessing the password from a large, complex pool. So it's a balancing act.

My suggestion is the use of passphrases such as "yellow polkadot pancakes". You trade length for complexity but increase the ability of memorization. If you then add in some kind of special characters or "leet speak" the passwords are extremely difficult to guess or break.

Finally, all of this is useless if you allow the passwords to be recovered or you don't enforce server-side lockouts to slow/stop brute force attacks against passwords. There's a lot more to do than just enforce good passwords if you want to have a secure authentication system.
-dhs
Dean H. Saxe, CISSP, CEH
[email protected]
"What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
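An added example, not part of Dean's message or anything else in this thread: a server-side failed-login tracker in JavaScript of the kind Dean refers to, written as it would sit in front of the credential check on a Node-style server. The thresholds (5 failures within 15 minutes trips a 30-minute lock), the in-memory store and the `verifyPassword` placeholder are assumptions made for the example.

```javascript
// Added example (not from the original thread): a server-side lockout that
// slows online brute-force guessing. Policy values are assumptions.
const MAX_FAILURES = 5;            // assumed: failures allowed inside the window
const WINDOW_MS = 15 * 60 * 1000;  // assumed: 15-minute counting window
const LOCK_MS = 30 * 60 * 1000;    // assumed: 30-minute lockout once tripped

// Per-account state. A real deployment keeps this in shared storage
// (database or cache) so it survives restarts and spans web nodes.
const accounts = new Map();

function stateFor(username) {
  if (!accounts.has(username)) {
    accounts.set(username, { failures: [], lockedUntil: 0 });
  }
  return accounts.get(username);
}

// Gate to run before the password is even checked. Returns whether the
// attempt may proceed and, if not, how long until the lock expires.
function checkLockout(username, now = Date.now()) {
  const s = stateFor(username);
  if (s.lockedUntil > now) {
    return { allowed: false, retryAfterMs: s.lockedUntil - now };
  }
  return { allowed: true, retryAfterMs: 0 };
}

// Record a failed attempt; trips the lock when the window fills up.
// Returns true if this failure caused a lockout.
function recordFailure(username, now = Date.now()) {
  const s = stateFor(username);
  // Drop failures that fell out of the counting window.
  s.failures = s.failures.filter((t) => now - t < WINDOW_MS);
  s.failures.push(now);
  if (s.failures.length >= MAX_FAILURES) {
    s.lockedUntil = now + LOCK_MS;
    s.failures = [];
    return true;
  }
  return false;
}

// A successful login clears the account's counter.
function recordSuccess(username) {
  accounts.delete(username);
}

// How a login handler uses the pieces. `verifyPassword` stands in for the
// real credential check (assumed to compare against a salted hash).
function attemptLogin(username, password, verifyPassword, now = Date.now()) {
  const gate = checkLockout(username, now);
  if (!gate.allowed) {
    return { ok: false, reason: "locked", retryAfterMs: gate.retryAfterMs };
  }
  if (verifyPassword(username, password)) {
    recordSuccess(username);
    return { ok: true, reason: "ok", retryAfterMs: 0 };
  }
  const locked = recordFailure(username, now);
  return {
    ok: false,
    reason: locked ? "locked" : "bad-credentials",
    retryAfterMs: locked ? LOCK_MS : 0,
  };
}

// Constructed demo: one guesser working through a short list against
// "alice", one second apart. The lock trips on the fifth failure and the
// correct passphrase is then refused too, until the lock expires.
function demo() {
  const verify = (u, p) => u === "alice" && p === "yellow polkadot pancakes";
  const guesses = ["T!mmy", "Timmy", "^%tgYh", "Leave1234", "password",
                   "hunter2", "yellow polkadot pancakes"];
  const results = [];
  let t = 1000000;
  for (const guess of guesses) {
    results.push(attemptLogin("alice", guess, verify, t).reason);
    t += 1000;
  }
  return results;
}
```

The distinct "locked" and "bad-credentials" reasons are for the server's own logs; the HTTP response sent back should look the same for a wrong password, a locked account and a non-existent user, otherwise the lockout doubles as an account-enumeration oracle. A per-account lock also lets an attacker lock legitimate users out on purpose, which is why deployments usually pair it with a per-source-IP limit and a lock that expires rather than one that needs an administrator.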
On Mar 9, 2009, at 11:46 AM, Shane wrote:
This is off topic - but I thought I would throw it in for free:

Forcing an extended character set (upper case, numbers, special characters) on the user frequently does not lead to good security.

First, from the mathematical side, the length of the password has much more bearing on how difficult it is to crack than the added complexity gained from using an extended character set. So sliggyfiverbotgar is much harder to crack than ^%tgYh. As a practical matter, passwords longer than 10 characters are not generally breakable - even when composed of mostly English words. Each extra character adds so many permutations that you need to be the NSA to brute force longer passwords.

On the social engineering side, if you force average users to use an extended character set they have a hard time remembering them. If they can't easily remember them they write them down and all too frequently post them next to their monitor. It's all a balancing act - and it varies by situation. I usually go for what you have - minimum of 8 characters, with at least one number. Sometimes I require mixed case also. I don't force special characters as that tends to make too many users write down their passwords.
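An added example, not from either of Shane's messages or anything else in the thread: the keyspace arithmetic behind the length-versus-character-set point made in this message and again in the reply at the top (sliggyfiverbotgar versus ^%tgYh, Timmy versus T!mmy, the bank's 8-character maximum versus a 20-character minimum). The character-set sizes, the 20,000-word dictionary and the guess rate are assumptions chosen for illustration.

```javascript
// Added example (not from the original thread): brute-force search-space
// arithmetic for the passwords discussed above. Set sizes and the guess
// rate are assumptions.
const SETS = {
  lower: 26,        // a-z
  mixed: 52,        // a-z, A-Z
  mixedDigits: 62,  // a-z, A-Z, 0-9
  printable: 95,    // all printable ASCII, i.e. the "extended" set
};

// Bits of brute-force work for a password of `length` symbols chosen
// uniformly from a set of `setSize`: log2(setSize ^ length).
function searchSpaceBits(setSize, length) {
  return length * Math.log2(setSize);
}

// Smallest set that covers every character of `pw`. A cracker who learns
// the composition rules sizes the keyspace this way, which is why T!mmy
// gains little over Timmy: it is still five characters.
function smallestSet(pw) {
  if (/^[a-z]+$/.test(pw)) return "lower";
  if (/^[a-zA-Z]+$/.test(pw)) return "mixed";
  if (/^[a-zA-Z0-9]+$/.test(pw)) return "mixedDigits";
  return "printable";
}

function bitsFor(pw) {
  return searchSpaceBits(SETS[smallestSet(pw)], pw.length);
}

// Caveat to the "even English words" claim: a passphrase made of dictionary
// words is not a uniform string of letters. A guesser who works by words
// sizes the space as (dictionary size) ^ (word count).
function wordlistBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// Years to exhaust a keyspace at `guessesPerSecond`. The default is an
// assumed offline rate against a fast hash; online guessing through a
// login form is many orders of magnitude slower.
function yearsToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600);
}

// The thread's own comparisons, plus the two policies argued about.
function compare(guessesPerSecond = 1e9) {
  const out = {};
  for (const pw of ["sliggyfiverbotgar", "^%tgYh", "Timmy", "T!mmy"]) {
    const bits = bitsFor(pw);
    out[pw] = {
      set: smallestSet(pw),
      bits: +bits.toFixed(1),
      years: yearsToExhaust(bits, guessesPerSecond),
    };
  }
  out["8 chars, full set (bank max)"] = { bits: +searchSpaceBits(95, 8).toFixed(1) };
  out["20 chars, lowercase only"] = { bits: +searchSpaceBits(26, 20).toFixed(1) };
  // "yellow polkadot pancakes" as 3 words from an assumed 20,000-word list.
  out["3 words from a 20,000-word list"] = { bits: +wordlistBits(3, 20000).toFixed(1) };
  return out;
}
```

The numbers bear out the message's ordering: 17 lowercase letters are about 80 bits of work against roughly 39 for six characters from the full printable set, and the bank's 8-character-maximum policy caps every user at about 53 bits where a 20-character all-lowercase minimum starts at 94. The last row is the caveat: three common words carry about 43 bits once the attacker guesses by words rather than letters, so a long passphrase is strong because of its word count and how unusual the words are, not its character count alone.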
From: [email protected] [mailto:[email protected]] On Behalf Of Ajas Mohammed
Sent: Monday, March 09, 2009 10:28 AM
To: [email protected]
Subject: [ACFUG Discuss] Password CFinput regular expression - throws alert/error after correction also
Hi there,

I have this code which checks if the password is strong, i.e. at least 8 characters long, consisting of one upper case and one lower case and one number, and if not alerts the user about it. I am using a regular expression to do this as you can see from the code below. The problem is that once the alert is displayed, even if the user corrects the error and enters a strong password, the error alert does not go away. For example, if I entered the password for the first time, then obviously I will get an alert saying the password is not strong. Then, afterwards if I correct the password to be, let's say, Leave1234 which is 9 chars, has one upper case, one lower case and has a number also, I still end up getting the password not strong message. I tried removing onBlur, onSubmit one at a time but it doesn't work.

Any ideas????
Here is the code

New Password:
<!--- some possible regular expressions I used for new_password --->
<!--- ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$ or --->
<!--- lookaheads require a digit, a lower case and an upper case letter; .{8,} enforces the length --->
<cfinput type="password" name="new_password"
         validate="regular_expression"
         pattern="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$"
         validateat="onBlur,onSubmit,onServer"
         message="Your password is not strong. Your password should be at least 8 characters long, consisting of one upper case and one lower case and one number.">
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.
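An added example, not from Ajas's post: the posted pattern run directly in JavaScript (the language ColdFusion generates the cfinput's onBlur/onSubmit validation in) against constructed inputs including the Leave1234 case, next to an itemised version of the same rules that reports which rule failed. The test strings are made up for the example.

```javascript
// Added example (not from the original post): the post's regex exercised
// on its own, plus the same rules as separate checks. Inputs are constructed.

// Pattern from the post: at least 8 characters containing a digit, a lower
// case and an upper case letter. The lookaheads each scan from the start of
// the string; .{8,}$ then consumes the whole value.
const STRONG_PASSWORD = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$/;

function isStrong(pw) {
  return STRONG_PASSWORD.test(pw);
}

// Same policy, one rule at a time, so a rejection can say why. The last
// check covers an edge the single regex hides: `.` does not match a line
// break, so a pasted value with a trailing newline fails silently.
function passwordProblems(pw) {
  const problems = [];
  if (pw.length < 8) problems.push("shorter than 8 characters");
  if (!/\d/.test(pw)) problems.push("no digit");
  if (!/[a-z]/.test(pw)) problems.push("no lower case letter");
  if (!/[A-Z]/.test(pw)) problems.push("no upper case letter");
  if (/[\r\n]/.test(pw)) problems.push("contains a line break");
  return problems;
}

// Constructed inputs: the post's Leave1234, variants that drop one rule
// each, and the two passwords from the replies.
function demo() {
  const inputs = ["Leave1234", "leave1234", "LEAVE1234", "Leave12",
                  "Leave1234\n", "T!mmy", "sliggyfiverbotgar"];
  return inputs.map((pw) => ({
    pw,
    strong: isStrong(pw),
    problems: passwordProblems(pw),
  }));
}

// The regex and the itemised checks must agree on every input.
function allAgree() {
  return demo().every((r) => r.strong === (r.problems.length === 0));
}
```

Leave1234 matches, so the pattern itself is not what keeps the alert on screen once the value is corrected; whatever the cause is, it sits in how the form re-runs the client-side check, and the onServer validation in the posted tag is the one that actually protects the account. The demo also shows the tension the replies raise: this policy accepts Leave1234 and rejects sliggyfiverbotgar, which is the longer and harder-to-guess of the two.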
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------