Password Security


Submitted on: 6/29/2002 5:00:50 PM
By: Lewis Moten  
Level: Intermediate
User Rating: By 14 Users
Compatibility:JavaScript

Users have accessed this article 5712 times.
 

 
     Parses the password field and comes back with a percentage of how secure your password is against a hack attempt.

This article has accompanying files

 
 
Terms of Agreement:   
By using this article, you agree to the following terms...   
1) You may use this article in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.   
2) You MAY NOT redistribute this article (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.   
3) You may link to this article from another website, but ONLY if it is not wrapped in a frame. 
4) You will abide by any additional copyright restrictions which the author may have placed in the article or article's description.

Password Security

 

Many of you have encountered the dreadful rules placed on password security.  Some sites just go too far with constraints.  Take this one for example: 

 

  • Letters and numbers only
  • Nothing may repeat
  • 8 characters minimum
  • 1 number minimum

 

Although there are some tough constraints here, some extra security measures are not allowed.  Also, the 8-character minimum makes this especially hard.  Most people stick to a common set of passwords … or “keys”.  Upon further investigation, many of these keys are similar – such as changing a number, adding an extra word to the original password, and so on.  When users are not allowed to use one of their keys, or to craft one that is similar, a little anger begins to stew.  You may have seen the type of emails my clients have received in the past from individuals in this predicament.

 

My approach to the situation is to allow users to enter their password, but also to let them see how it holds up.  I can adjust the percentage of security that must be met.  Chances are, your visitors may even know that their password isn’t all that great and are not worried about security, only about being able to log in.

 

The system that I have created gives a rating from 0 to 100 percent.  I recommend requiring users to obtain at least 50% if you are concerned with accounts being hacked by brute-force and dictionary attacks.

 

The system is simple.  Each rule gets a maximum of 20% of the overall score.  Here are the rules:

 

  • The length of the password should be around 8 characters or more.  Password gets 2.5% for each character.
  • Numbers should be present in the password.  2 recommended, 3 for best results.  Each number gets 6.67%
  • There should be at least 8 characters that do not repeat next to each other. 2.86% for each letter.
  • User should use mixed case.  2 pairs minimum gets 10% for each pair.
  • 2 Special characters should be present – getting 10% for each character.

 

As far as the length goes, 8 characters are recommended at most sites.  However, this was a common constraint created back in the days of bulletin board systems and is outdated.  This alone cannot prevent attacks.  However, it appears that as you add more characters, your security is greatly increased.  I choose to cap this at eight.  You can cap it off at a greater number of characters by lowering the percentage assigned for each character.

 

Numbers … This is a bit of a problem.  Many users, when required to use numbers, will place them at the end of the password, in the middle of a compound word, or at the beginning.  This script does not handle this, but it is a concern.  The next level of a dictionary attack would be to append numbers at the end of each word.  I request 3 numbers (20 / 3 = 6.7%) so as to keep people on their toes if they want to increase security to the max.

 

The number of characters checked for repeats is eight.  I divide by seven because the seventh character checks against the eighth.  A lot of sites that don’t like repeating characters will not let even one character repeat.  I believe this is the equivalent of sticking your nose in the air away from your visitors.   To think that this hinders security is bad.  This rule was originally meant to thwart the famous “AAAAAAAA” passwords that people tend to submit just to ignore the whole theory of protecting your account.  Imagine being denied the use of these passwords: “7ddT82-?!!”, “U[]}}opW#”.  Experts would tell you the passwords appear cryptic and hard to crack; however, you would have some sites telling you they are easily cracked just for the fact that one character repeats after another.

 

A fair amount of mixed case is recommended.  Most users would type all in lower-case letters.  Those that would use uppercase usually capitalize the first letter.  Those who have compound words (such as doghouse) may also capitalize the first letter of the second word (House).  Although it may prove beneficial to check for these specific variations, most web browsers lack a dictionary to compare against for compound words.

 

The last of the rules is the special characters.  These are all characters except letters and numbers.  Some people may go as far as to say that they exclude periods, dashes, and spaces.  However, these characters are counted as special characters in my script.
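
The five rules above can be expressed as a short scoring function. This is an added reconstruction from the article's description, not the author's script (which ships in the accompanying archive and may differ in details); the names `scorePassword` and `meetsThreshold`, the reading of a mixed-case "pair" as one lowercase plus one uppercase letter, and the ASCII-only letter and digit classes are assumptions.

```javascript
// Added reconstruction of the five rules described in the article.
// Assumptions: a mixed-case "pair" is one lowercase + one uppercase letter;
// the repeat rule counts adjacent positions whose characters differ;
// letters and digits are ASCII, everything else counts as "special".
const RULE_MAX = 20; // each rule contributes at most 20% of the score

function scorePassword(password) {
  const chars = Array.from(password);
  const count = (re) => chars.filter((c) => re.test(c)).length;
  const cap = (n) => Math.min(RULE_MAX, n);

  // Positions where a character differs from the one directly before it.
  let nonRepeating = 0;
  for (let i = 1; i < chars.length; i++) {
    if (chars[i] !== chars[i - 1]) nonRepeating++;
  }

  const digits = count(/[0-9]/);
  const lower = count(/[a-z]/);
  const upper = count(/[A-Z]/);
  const special = chars.length - digits - lower - upper;

  const rules = {
    length: cap(chars.length * 2.5),                  // full marks at 8 chars
    numbers: cap(digits * (RULE_MAX / 3)),            // full marks at 3 digits
    nonRepeating: cap(nonRepeating * (RULE_MAX / 7)), // 7 comparisons
    mixedCase: cap(Math.min(lower, upper) * 10),      // full marks at 2 pairs
    special: cap(special * 10),                       // full marks at 2 chars
  };
  const total = Math.round(Object.values(rules).reduce((a, b) => a + b, 0));
  return { total, rules };
}

// Gate a form on the adjustable minimum; 50% is the article's suggestion.
function meetsThreshold(password, minimumPercent = 50) {
  return scorePassword(password).total >= minimumPercent;
}

// Constructed sample input: passwords quoted elsewhere in the article.
for (const pw of ["jbsesp", "Cassandra", "BillGates", "Lewis283", "2}{loCK34"]) {
  console.log(pw, scorePassword(pw).total + "%", scorePassword(pw).rules);
}
```

The per-rule breakdown in `rules` is what makes the score useful to a user: it shows which of the five rules a password is losing points on, rather than only the total.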

 

In all, to get a 100% score, the following are the minimum requirements:

  • 9-character password
  • 3 numbers
  • 4 letters (2 lower, 2 upper)
  • 2 special characters

 

It is important to remember that 100% isn’t an absolute necessity.  Around 75% is a good start – however, most passwords that people will try would fit around the 50% to 60% range.  Consider the following as 100% secure.  Remember, although there may be patterns, brute force is not likely to get them due to the complexity.

  • {a1A1A1a}
  • Abcd123+-
  • 2}{loCK34

 

Now, here are some examples of how my password script matches up with some common passwords that people may use.

  • jbsesp – 29%
  • password – 47%
  • Cassandra – 50%
  • BillGates – 60%
  • lewis@moten.com - 60%
  • Lewis283 – 70%

 

I invite you to also try your luck and see how secure you can build a password.  Tweak the code if rules don’t appear to your taste.  If you want to see more code or just find some information about me, then visit my website at http://www.lewismoten.com

 

Other User Comments
6/30/2002 12:33:03 PM:Vinchenzo
I have done a similar project in VB. I have one criticism to state about your algorithm. Why does it stop adding % if you add more characters than 8? Even if your password is all lowercase, a 15-char password would be 8031810176 times more secure! I know that you focus more on dictionary attack, but considering brute force should be a good improvement.
 
7/1/2002 11:02:35 PM:Lewis Moten
Yes, your point is valid. You can adjust the script to keep adding percentage points and cap off at 100%. I capped it off at 20% to let other rules come into play. Perhaps I should have let them all max out to 100% ...

Copyright© 1997 by Exhedra Solutions, Inc. All Rights Reserved.  By using this site you agree to its Terms and Conditions.  Planet Source Code (tm) and the phrase "Dream It. Code It" (tm) are trademarks of Exhedra Solutions, Inc.