Password Quality Check


Denisha Cerniglia

Jul 31, 2024, 4:29:35 AM7/31/24
to aphurplenor

Passwords are the bloodline of data and online security, but our research on the password habits in the U.S. shows that less than half of Americans feel confident that their password is secure. Is your password secure? We built this password checker tool to help you find that out yourself, so try it out now!

Long passwords are more secure than short passwords. We recommend using passwords that are anywhere from 16 to 20 characters long, although nearly half of Americans use passwords of eight characters or fewer.


How or where does gnome-initial-setup check the quality of the password during the first user login? I'm trying to customize the image to force users to use longer and more complicated passwords (than 6 as is currently set), but it seems that initial setup has its own way to check the rules - it seems it is ignoring both the pam.d settings as well as /etc/security/pwquality.conf (by browsing the code it seems it is using the pwquality lib, however).

I have found out that the password checks are hardcoded(!) directly into ubiquity. Not a very nice solution, especially when there is e.g. a python module for pwquality that can do the proper check and also make it configurable using the standard conf file used also by pam.d.

I have a web application and I have implemented a check in the browser to ensure that a user sets only strong passwords. A company that we have called to check security vulnerabilities pointed out that this is not enough because using some hacking a user can ignore the check and set a weak password.

I do not understand how this can be a security vulnerability. Why would someone hack the security check just to set a weak password? Someone expert enough to hack the web application will understand the importance of using a strong password.

My point is: given that, to have an acceptable user experience, we have to do the check on the client side, there has to be a good reason, a real use case that creates a possible vulnerability to justify a duplication of the check on the server side.

Reading the answers so far, it seems that the only use case that can create a vulnerability is when the JavaScript does not work. This does not seem a problem for me because the submit button is disabled by default.

The rule when writing a server application is simply: never trust what comes from the client. Checks done client side are great as they allow a nice user experience with nice popups and immediate display. But as anything can happen, from a browser with JavaScript disabled to a user using a scripting language to simulate a browser, all checks must be done (again) server side.

BTW: you as the dev can propose solutions, but the client does express requirements. If you do not agree with them you can ask for clarification and propose other ways, but in the end the client will decide.

If you work in a big company and you have to change your password every 2 or 3 months, a few people will start bypassing the client-side check of password strength to use shorter or easier-to-memorize passwords. If these passwords are used to derive cryptographic keys, e.g. for multi-user encryption of files, it becomes horrible...

Let's say a user downloads an adblocker like Adblock Plus or uBlock Origin. Then, due to the scripts being misconfigured, one of these adblockers accidentally blocks the script you were using to verify password security. Now the user can enter 1234 as a password without any server-side checks in place to prevent it.

Or alternatively, maybe local caching gave the user an older version of your script. Maybe they've saved your webpage as a static HTML file on their desktop. Maybe the user's PC has a virus that altered the content of your script. As the common saying goes...

You mention that both the check & the enabling of the submit button are one script, so it's safe even if some scripts are loaded and others aren't. How sure are you that those two functions will always be in the same script?

I suppose what I'm saying is that it sounds like, as things stand right now, it would mean someone intentionally doing something they know is a bad idea in order for them to get a bad password, and you're ok with that; you're trying to prevent accidents, not intentional stupidity.

The thing that worries me is that if this script ever gets refactored & split up, or intentional stupidity becomes your problem, or some attacker writes a client side script ostensibly to help people,... then you're in trouble.

One possible problem is that it only takes one wise guy (that might be knowledgeable enough to use that technique to use a password that fails the checker and is nevertheless secure!) to find a way to hack it - and distribute the hack to a few other people (that s/he probably deems responsible enough) that will eventually give it to people against whose lack of security competence the solution was supposed to guard.

Whatever rules you set up, they must be enforced at the server level in every case. This is true for password setting, and for mandatory fields in forms for example (e.g. if a phone number is required when signing up, it should be checked in the server).

But in any case, you cannot rely on the client at all. Some people will block JS. Some people will block Flash. At some point you may open your API to third parties, which may or may not enforce your rules for you.

Definitely prefer to use the Microsoft tool in this case, so not sharing with a 3rd party or entrusting JavaScript. Have not looked into how it is implemented, but pretty sure the pw is hashed, then the hash is compared to known bad hashes (like a rainbow table).

Have you ever wondered, how secure is my password? Check out this amazingly fast password security tool and check password strength. Make sure that you use a mix of upper-case letters, special characters and numbers to make a complex password.

Caution: Any website asking you to submit your real password to determine strength could be using your submission against your interests.
Use another similar, but not identical, password submission to get the same information.
For example: If your password is Dogdog32, use CatCat23.

Happy New Year! I hope everyone has had a great holiday season so far and is excited and ready for a new year full of auditing excitement! For the first post of the year I thought we would discuss a topic more for fun and something different in the...

KeePass 1.26 / 2.23 and newer. KeePass uses an advanced algorithm for estimating the quality/strength of passwords. It searches for patterns, like e.g. popular passwords (based on a built-in list of about 10000 most common passwords; variations by upper-/lower-case and L33t substitutions are detected), repeated sequences, numbers (consisting of multiple digits), constant difference sequences, etc. For each pattern combination covering the whole password, the cost (number of bits required to encode the data and the order of the pattern identifiers) is calculated. For encoding pattern identifiers, an optimal static entropy encoder is used. Each single password character forms a pattern of length 1 and is encoded using a character space-dependent damped static entropy encoder. The minimum pattern combination cost is used as the final quality estimation.

KeePass 1.25 / 2.22 and earlier. These old versions of KeePass used a simple algorithm for estimating the quality/strength of passwords. It checks which character spaces are used (upper-case, lower-case, digits, special characters, ...). Repeated characters and character differences result in penalties. Finally, KeePass tests whether the whole password is popular (based on a built-in list of about 1500 most common passwords), and if so, the final estimation is only 1/8th of the statistical rating.

krb5-strength provides a password quality plugin for the MIT Kerberos KDC (specifically the kadmind server) and Heimdal KDC, an external password quality program for use with Heimdal, and a per-principal password history implementation for Heimdal. Passwords can be tested with CrackLib, checked against a CDB or SQLite database of known weak passwords with some transformations, checked for length, checked for non-printable or non-ASCII characters that may be difficult to enter reproducibly, required to contain particular character classes, or any combination of these tests.

Heimdal includes a capability to plug in external password quality checks and comes with an example that checks passwords against CrackLib. However, in testing at Stanford, we found that CrackLib with its default transform rules does not catch passwords that can be guessed using the same dictionary with other tools, such as Jack the Ripper. We then discovered other issues with CrackLib with longer passwords, such as some bad assumptions about how certain measures of complexity will scale, and wanted to impose other limitations that it didn't support.

This plugin provides the ability to check password quality against the standard version of CrackLib, or against a modified version of CrackLib that only passes passwords that resist attacks from both Crack and Jack the Ripper using the same rule sets. It also supports doing simpler dictionary checks against a CDB database, which is fast with very large dictionaries, or a SQLite database, which can reject all passwords within edit distance one of a dictionary word. It can also impose other programmatic checks on passwords such as character class requirements.

If you're just now starting with password checking, I recommend using the SQLite database with a large wordlist and minimum password lengths. We found this produced the best results with the least user frustration.

For Heimdal, krb5-strength includes both a program usable as an external password quality check and a plugin that implements the dynamic module API. For MIT Kerberos (1.9 or later), it includes a plugin for the password quality (pwqual) plugin API.

krb5-strength can be built with either the system CrackLib or with the modified version of CrackLib included in this package. Note, however, that if you're building against the system CrackLib, Heimdal includes in the distribution a strength-checking plugin and an external password check program that use the system CrackLib. With Heimdal, it would probably be easier to use that plugin or program than build this package unless you want the modified CrackLib, one of the other dictionary types, or the additional character class and length checks.

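An added Python example (not from the original post, nor from KeePass, pwquality or krb5-strength) that ties the two technical threads above together: the server re-runs the password policy regardless of what the browser's JavaScript claims, and the policy itself applies KeePass-style checks for case/leet-folded common passwords, repeated characters and constant-difference sequences. The common-password list and leet table are constructed samples, and handle_set_password is a hypothetical request handler.

```python
import re

# Constructed sample of "popular passwords"; a deployment would load a large
# list (KeePass uses ~10000 entries, krb5-strength a CDB/SQLite dictionary).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dogdog32"}

# Fold common L33t substitutions so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("0134578$@!", "oleastbsai")


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions before the dictionary lookup."""
    return pw.lower().translate(LEET)


def has_run(pw: str, n: int) -> bool:
    """True if any window of n characters is a constant-difference sequence
    with step +1 or -1, e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if len(diffs) == 1 and diffs.pop() in (1, -1):
            return True
    return False


def check_password_quality(pw: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeats a character 3 or more times in a row")
    if has_run(pw, 4):
        problems.append("contains a sequential run such as abcd or 4321")
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common password after case/leet folding")
    return problems


def handle_set_password(request_json: dict) -> dict:
    """Hypothetical server-side handler. Any 'client_validated' flag sent by
    the browser is ignored: the policy is re-checked here on every request."""
    problems = check_password_quality(request_json.get("password", ""))
    if problems:
        return {"status": 400, "errors": problems}
    return {"status": 200, "errors": []}
```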