blueshoes php application framework and cms            core_auth

Class: Bs_Password

Source Location: /core/auth/Bs_Password.class.php

Class Overview

Bs_Object
   |
   --Bs_Password

Password class.


Author(s):

Version:

  • 4.3.$Revision: 1.3 $ $Date: 2003/10/29 17:48:36 $

Copyright:

  • blueshoes.org

Methods


Inherited Variables

Inherited Methods

Class: Bs_Object

Bs_Object::Bs_Object()
Bs_Object::getErrors()
Basic error handling: Get *all* errors as string array from the global Bs_Error-error stack.
Bs_Object::getLastError()
Basic error handling: Get last error string from the global Bs_Error-error stack.
Bs_Object::getLastErrors()
Basic error handling: Get last errors string array from the global Bs_Error-error stack since the last call of getLastErrors().
Bs_Object::persist()
Persists this object by serializing it and saving it to a file with unique name.
Bs_Object::setError()
Basic error handling: Push an error string on the global Bs_Error-error stack.
Bs_Object::toHtml()
Dumps the content of this object to a string using PHP's var_dump().
Bs_Object::toString()
Dumps the content of this object to a string using PHP's var_dump().
Bs_Object::unpersist()
Fetches an object that was persisted with persist()

Class Details

[line 121]
Password class.

features:

  • generate pronounceable passwords
  • detect bad passwords on different levels
  • detect hack attacks
missing: wish list:

KNOWLEDGE BASE

should users be able to choose their own password? if so, they usually choose weak ones. if you give them something like F4@!ad0T$ instead, they will write it on a piece of paper and stick it on the monitor.

Announcing the Standard for Automated Password Generator http://www.eff.org/Privacy/Newin/New_nist/fips181.txt

creating passwords using the '4th-order Markov chain', see message http://www.phpbuilder.com/annotate/message.php3?id=1005436 follow up http://www.phpbuilder.com/annotate/message.php3?id=1006236 follow up http://www.phpbuilder.com/annotate/message.php3?id=1007044

*** how to make your system secure: *************************************************************************************

  1) don't allow brute-force attacks. limit the number of login attempts or double the timeout after each failure (see below).
  2) don't let people choose stupid passwords. stupid passwords are:
       • the most common and well-known passwords (like 1234, password, letmein, hello etc.)
       • names (first names)
       • birthday dates (dates at all)
       • things that lie around the computer
       • dictionary words
       • dictionary words with attached numbers, e.g. 'computer98'
     but as long as you stop brute force, this is not the weak point.
  3) log all login attempts.
  4) block IPs and usernames after too many wrong login attempts. the real users need to email/call to reactivate.
  5) maybe use (German) 'Streichlisten' (printed lists of one-time numbers; the next number on the list has to be typed in along with user/pass each time).
  6) don't make usernames public. if the password AND the username have to be guessed, it's much more frustrating for an attacker. don't use well-known usernames like 'root', 'admin', 'guest'.
  7) never ever allow username and password to be equal.

*** number of login attempts: *******************************************************************************************

sam and andrej think it's a bad and common thing to allow 3 login attempts. it's not enough. because the first time the password is typed in, one doesn't do it carefully at all. then it's wrong. now one thinks that he misspelled it. so one types it again, more or less carefully. wrong again, yuck, panic. now one goes (i have done that myself a lot of times) and types it with 1 finger, letter by letter. and this is where you mostly misspell it anyway. so the 3 attempts are gone, and the user didn't even try another password. or think about whether he has changed it lately. or whatever.

limiting the user attempts isn't too bad. brute-force attacks have to be blocked, that's for sure. but the chance/risk that an attacker finds out the password in 10 attempts compared to 3 attempts isn't much bigger.

our favorite way is the unix one: double the timeout time each time a wrong password has been entered, and reset it when the password was ok. this has been implemented in the Bs_Session class.

i think that logging all login attempts (with datetime, user/pass, ip etc) is a very good idea. the Bs_Session class has a few more neat features. for example hacker detection (if things like letmein, root, password etc are tried).
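The following is an added example, not code from BlueShoes or from Bs_Session, that puts points 1, 3, 4 and 7 of the list above and the doubling timeout described in this section into one small PHP class (PHP 7.1 or newer). The class name LoginThrottle, its constants and the in-memory $state array are this example's own; a real deployment would keep that state in the database so it survives across requests and server processes. One deliberate difference from the log line described above: the password itself is not written to the log, because most failed attempts are real users' near-misses of their real password.

```php
<?php
// Added example, not BlueShoes code: an in-memory login throttle with a doubling
// lockout per failure, reset on success, a hard block after MAX_FAILURES and a
// log line per attempt. Every name in here is this example's own.

final class LoginThrottle
{
    const BASE_DELAY   = 2;              // seconds; doubled on every failure
    const MAX_DELAY    = 3600;           // cap so one wait never exceeds an hour
    const MAX_FAILURES = 10;             // hard block after this many failures
    const LOG_TARGET   = 'php://stderr'; // assumption: log lines go to stderr

    /** @var array<string,array> keyed by "ip:<addr>" and "user:<name>" */
    private $state = [];

    /** Throttle on both the source IP and the case-folded username. */
    private function keys(string $username, string $ip): array
    {
        return ['ip:' . $ip, 'user:' . strtolower($username)];
    }

    private function entry(string $key): array
    {
        return $this->state[$key] ?? ['failures' => 0, 'lockedUntil' => 0, 'blocked' => false];
    }

    /** 0 = may try now; >0 = seconds still to wait; -1 = hard blocked, needs reactivate(). */
    public function waitTime(string $username, string $ip, int $now): int
    {
        $wait = 0;
        foreach ($this->keys($username, $ip) as $key) {
            $e = $this->entry($key);
            if ($e['blocked']) {
                return -1;
            }
            $wait = max($wait, $e['lockedUntil'] - $now);
        }
        return $wait;
    }

    /** Record the result of the real credential check, run only when waitTime() gave 0. */
    public function record(string $username, string $ip, bool $passwordOk, int $now): void
    {
        $this->log($username, $ip, $passwordOk, $now);
        foreach ($this->keys($username, $ip) as $key) {
            $e = $this->entry($key);
            if ($passwordOk) {
                $e = ['failures' => 0, 'lockedUntil' => 0, 'blocked' => false]; // reset
            } else {
                $e['failures']++;
                // 2, 4, 8, 16 ... seconds, capped at MAX_DELAY
                $delay = min(self::MAX_DELAY, self::BASE_DELAY * (2 ** ($e['failures'] - 1)));
                $e['lockedUntil'] = $now + $delay;
                $e['blocked'] = $e['failures'] >= self::MAX_FAILURES; // human must reactivate
            }
            $this->state[$key] = $e;
        }
    }

    /** Manual reactivation after the real user emailed or called. */
    public function reactivate(string $username, string $ip): void
    {
        foreach ($this->keys($username, $ip) as $key) {
            unset($this->state[$key]);
        }
    }

    /** Every attempt is logged; the password itself is deliberately left out. */
    private function log(string $username, string $ip, bool $ok, int $now): void
    {
        $line = sprintf("%s login %s user=%s ip=%s\n", date('c', $now), $ok ? 'ok' : 'FAILED', $username, $ip);
        file_put_contents(self::LOG_TARGET, $line, FILE_APPEND);
    }
}

/** Reject credentials where the password is just the username. */
function passwordEqualsUsername(string $username, string $password): bool
{
    return strcasecmp(trim($username), trim($password)) === 0;
}

// Constructed demo: one client fails four times in a row, then gets it right.
$throttle = new LoginThrottle();
$now = time();
$ip  = '203.0.113.7';                    // RFC 5737 documentation address
foreach ([false, false, false, false, true] as $n => $correct) {
    $wait = $throttle->waitTime('alice', $ip, $now);
    if ($wait < 0) { echo "hard blocked, needs reactivate()\n"; break; }
    if ($wait > 0) {
        printf("attempt %d: must wait %d s\n", $n + 1, $wait);
        $now += $wait;                   // pretend the client waited it out
    }
    $throttle->record('alice', $ip, $correct, $now); // $correct stands in for the real check
}
printf("wait after success: %d s\n", $throttle->waitTime('alice', $ip, $now));
```

Because the backoff is keyed on the username as well as on the IP, anyone who knows a username can keep that account locked by feeding it wrong passwords on purpose. That is the price of point 4; the reactivate() path (or a CAPTCHA instead of the username-keyed delay) is what the real user falls back on, and the cap in MAX_DELAY keeps the IP-keyed side from turning one shared proxy into a permanent lockout.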

*** the security of passwords: ******************************************************************************************

David Altherr has made a nice list of how long it takes to brute-force what sort of password. see http://www.phpbuilder.com/annotate/message.php3?id=1006410

Some 'max time to crack' probabilities i calculated based on the assumption of an 8 char password and the estimation that we can brute force about a million possibilities a second (a very low estimation considering current technologies have been clocked at 2,676,400 /sec ), you can adjust figures linearly as desired:

 +----------+------------+----------+------------------------------------------------------------------------------------+
 | EXAMPLES | OPERATIONS | TIME     | DESCRIPTION                                                                        |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 | abababab | 4.14E8     | 3.45 min | the alternating vowel and consonant solution as written with lower case characters |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 | abababab | 8.28E8     | 6.91 min | the alternating vowel and consonant solution as written with lower case characters |
 | babababa |            |          | and random starting vowel or character                                             |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 | ?        | 5.30E10    | 14.74 h  | the alternating solution but with numbers and lower case characters                |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 | 3bA0aBA9 | 1.46E12    | 16.95 d  | the alternating solution but with numbers and characters, lower and upper case     |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 | a0bc3z2a | 2.82E12    | 32.65 d  | a totally random alphanumeric solution with only lower case                        |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 | A0bc3Z2a | 2.18E14    | 6.92 y   | a totally random alphanumeric solution                                             |
 |----------+------------+----------+------------------------------------------------------------------------------------+
 

cracking 'dictionary-word' passwords: assuming a dataset of 100,000 words from the dictionary with length of seven or less, two words joined: 1.00E10 operations, 2.77 hours. assuming a dataset of 50,000 words from the dictionary with length of six or less, three words joined: 1.25E14 operations, 3.96 years.

comments: over the web it will never be possible to brute-force at that speed. --andrej *************************************************************************************************************************

dependencies:




Tags:

pattern:  singleton: (pseudostatic)
access:  public
version:  4.3.$Revision: 1.3 $ $Date: 2003/10/29 17:48:36 $
copyright:  blueshoes.org
author:  andrej arn <at blueshoes dot org>




Class Methods


constructor Bs_Password [line 131]

Bs_Password Bs_Password( )




method createPronounceablePassword [line 172]

string createPronounceablePassword( [int $length = 8], [string $charType = 'lnn'], [bool $confuseSafe = FALSE], [string $startWith = 'random'])

creates a pronounceable password.

what makes (pass)words pronounceable is the alternation of vowels and consonants.

param $charType: 3 characters. the 1st one describes the case of the letters.

  • 'l' = lowercase (default)
  • 'u' = uppercase
  • 'b' = both
the 2nd tells whether numbers should be used (n=no, y=yes), the 3rd whether special chars should be used (n=no, y=yes). both are still unimplemented (see the todo tag below), so at the moment only the 1st character has any effect.

examples:

  • ofenisep - xejoyami
  • aqijuday - vurofopi
  • pisifeqa - uvixasug
note: there's always the risk that an inappropriate word (or part of one) is generated. so maybe you want to let people know that the password was generated from random letters and not chosen from a list of words.

acknowledgment: Tomas Krojzl xkrot05@centrum.cz http://www.phpbuilder.com/annotate/message.php3?id=1000827




Tags:

todo:  make use of numbers and special characters.


Parameters:

int   $length   the length of the generated password. default is 8.
string   $charType   (default is 'lnn', see above)
bool   $confuseSafe   (default is FALSE. if set to TRUE, the characters i/I l/L o/O 1 (one) and 0 (zero) won't be used).
string   $startWith   one of 'random' (default), 'vowel', 'consonant'. the first letter will be of that kind.
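An added example, not the BlueShoes implementation, of the algorithm described above as a standalone PHP function (PHP 7.1 or newer): a vowel/consonant alternating generator that honours $length, the case character of $charType, $confuseSafe and $startWith, and draws every letter from random_int() (a CSPRNG) rather than rand() or mt_rand(). The digits and special-character switches of $charType are left unimplemented, as the todo below says. The entropyBits() helper is this example's own addition: it computes the size of the space such passwords are drawn from, which is the figure a brute-force attacker cares about and the same kind of calculation as the 'max time to crack' table in the knowledge base above. It shows that the alternation makes an 8-letter pronounceable password roughly a thousand times weaker than 8 uniformly random lower-case letters (about 28 bits against about 38 bits), which is the caveat to weigh against the memorability.

```php
<?php
// Added example, not the BlueShoes implementation (PHP 7.1+).
// Alternates vowels and consonants; every letter comes from random_int().

function createPronounceablePassword(
    int $length = 8,
    string $charType = 'lnn',
    bool $confuseSafe = false,
    string $startWith = 'random'
): string {
    $vowels     = 'aeiou';
    $consonants = 'bcdfghjklmnpqrstvwxyz';
    if ($confuseSafe) {
        // drop i, o and l: together with their upper-case forms they look like 1 and 0
        $vowels     = 'aeu';
        $consonants = 'bcdfghjkmnpqrstvwxyz';
    }
    // only the case character of $charType is honoured; digits and special
    // characters ($charType[1], $charType[2]) are still a todo in the documented class too
    $caseMode = $charType[0] ?? 'l';

    if ($startWith === 'vowel') {
        $useVowel = true;
    } elseif ($startWith === 'consonant') {
        $useVowel = false;
    } else {
        $useVowel = random_int(0, 1) === 1;       // 'random'
    }

    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $alphabet = $useVowel ? $vowels : $consonants;
        $c = $alphabet[random_int(0, strlen($alphabet) - 1)];
        if ($caseMode === 'u' || ($caseMode === 'b' && random_int(0, 1) === 1)) {
            $c = strtoupper($c);
        }
        $out .= $c;
        $useVowel = !$useVowel;                    // the alternation
    }
    return $out;
}

/**
 * Bits of entropy in a password made by the generator above, i.e. log2 of the
 * number of distinct strings it can produce (each drawn with equal probability,
 * which random_int() guarantees). Added here to show what the alternation costs.
 */
function entropyBits(int $length, string $charType = 'lnn', bool $confuseSafe = false,
                     string $startWith = 'random'): float
{
    $v = $confuseSafe ? 3 : 5;                    // vowel alphabet size
    $k = $confuseSafe ? 20 : 21;                  // consonant alphabet size
    $a = intdiv($length + 1, 2);                  // positions filled by the starting class
    $b = intdiv($length, 2);                      // positions filled by the other class
    $startVowel = ($v ** $a) * ($k ** $b);
    $startCons  = ($k ** $a) * ($v ** $b);
    if ($startWith === 'vowel') {
        $space = $startVowel;
    } elseif ($startWith === 'consonant') {
        $space = $startCons;
    } else {
        $space = $startVowel + $startCons;        // 'random': either start is possible
    }
    if (($charType[0] ?? 'l') === 'b') {
        $space *= 2 ** $length;                   // each letter may also be upper-cased
    }
    return log($space, 2);
}

// constructed usage
echo createPronounceablePassword(8), "\n";                      // same shape as the examples above
echo createPronounceablePassword(8, 'bnn', true, 'consonant'), "\n";
printf("8 pronounceable letters: %.1f bits; 8 uniformly random lower-case letters: %.1f bits\n",
    entropyBits(8), 8 * log(26, 2));
```

Using 'bnn' (mixed case) adds one bit per letter, and $confuseSafe removes three letters from the alphabets, so its usability gain costs a little entropy as well; entropyBits() lets you see both effects before deciding on a $length.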


method isBadPassword [line 374]

bool isBadPassword( string $password)

tells if the given password is insecure.



Tags:

todo:  write code


Parameters:

string   $password  


method isBoyName [line 291]

bool isBoyName( string $name)

tells if the given $name is a boy's first name.



Tags:

see:  Bs_Password::isGirlName(), Bs_Password::isFirstName()
throws:  bs_exception
access:  public


Parameters:

string   $name  


method isDictionaryWord [line 267]

bool isDictionaryWord( string $word)

tells if $word is a dictionary word.

this is useful if you don't want users to choose such words. currently we only have an english dictionary to check.




Tags:

throws:  bs_exception (db)
access:  public


Parameters:

string   $word  


method isFirstName [line 339]

bool isFirstName( string $name)

tells if the given $name is a girl's or boy's first name.



Tags:

see:  Bs_Password::isBoyName(), Bs_Password::isGirlName()
throws:  bs_exception
access:  public


Parameters:

string   $name  


method isGirlName [line 315]

bool isGirlName( string $name)

tells if the given $name is a girl's first name.



Tags:

see:  Bs_Password::isBoyName(), Bs_Password::isFirstName()
throws:  bs_exception
access:  public


Parameters:

string   $name  


method isSilly [line 363]

bool isSilly( string $password)

tells if the given password is a silly password.

something like 'secret', 'password', 'letmein' etc.




Tags:

todo:  write code


Parameters:

string   $password  


method looksLikeHack [line 230]

bool looksLikeHack( string $password, [string $username = null])

tells if the user/pass combination looks like a hack attempt.

if $username is empty then the method only looks at the password.




Tags:

throws:  bs_exception if we don't have a database with that info (or no db connection).


Parameters:

string   $password  
string   $username  
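isSilly() and isBadPassword() are marked 'todo' above, so the following is an added example of how the checks this class documents (isSilly, isDictionaryWord, isFirstName, looksLikeHack, isBadPassword) could fit together, not the BlueShoes code (PHP 7.1 or newer). The word lists are constructed inline; the real class reads the dictionary and name tables from a database, which is why those methods carry a bs_exception (db) tag. The 8-character minimum, the date pattern, the extra $username parameter on isBadPassword() and the coreWord() helper are this example's own assumptions. coreWord() strips attached digits and punctuation so that 'computer98' is caught as the dictionary word it is (point 2 of the knowledge base above).

```php
<?php
// Added example, not BlueShoes code (isSilly() and isBadPassword() are marked
// 'todo' above). Word lists are constructed inline; the real class queries a db.

const SILLY_PASSWORDS = ['password', 'secret', 'letmein', 'hello', '1234', '12345',
                         '123456', 'qwerty', 'admin', 'root', 'guest', 'test'];
const HACK_USERNAMES  = ['root', 'admin', 'administrator', 'guest', 'test'];
const DICTIONARY      = ['computer', 'dragon', 'monkey', 'summer', 'welcome']; // stand-in list
const FIRST_NAMES     = ['andrej', 'sam', 'david', 'thomas', 'anna', 'maria']; // stand-in list
const MIN_LENGTH      = 8;                                                     // assumption

/** Lower-case and strip leading/trailing non-letters: 'Computer98!' -> 'computer'. */
function coreWord(string $password): string
{
    return preg_replace('/^[^a-z]+|[^a-z]+$/', '', strtolower($password)) ?? '';
}

function isSilly(string $password): bool
{
    return in_array(strtolower($password), SILLY_PASSWORDS, true)
        || in_array(coreWord($password), SILLY_PASSWORDS, true);
}

function isDictionaryWord(string $word): bool
{
    return in_array(coreWord($word), DICTIONARY, true);
}

function isFirstName(string $name): bool
{
    return in_array(coreWord($name), FIRST_NAMES, true);
}

/** All digits, or something shaped like dd.mm.yyyy: a date or a PIN, not a password. */
function looksLikeDate(string $password): bool
{
    return preg_match('~^\d{4,8}$|^\d{1,2}[./-]\d{1,2}[./-]\d{2,4}$~', $password) === 1;
}

/** A probe for well-known accounts, or a silly password, or password == username. */
function looksLikeHack(string $password, ?string $username = null): bool
{
    if ($username !== null && $username !== '') {
        $u = strtolower($username);
        if (in_array($u, HACK_USERNAMES, true) || $u === strtolower($password)) {
            return true;
        }
    }
    return isSilly($password);
}

function isBadPassword(string $password, ?string $username = null): bool
{
    return strlen($password) < MIN_LENGTH
        || isSilly($password)
        || isDictionaryWord($password)
        || isFirstName($password)
        || looksLikeDate($password)
        || ($username !== null && strcasecmp($username, $password) === 0);
}

// constructed inputs
foreach (['Password1', 'computer98', '23.04.1978', 'andrej', 'xejoyami', 'Kq7-vurofopi'] as $pw) {
    printf("%-14s %s\n", $pw, isBadPassword($pw, 'alice') ? 'bad' : 'ok');
}
```

looksLikeHack() is meant to run on every failed login (it is the 'hacker detection' the knowledge base attributes to Bs_Session), while isBadPassword() runs when a user picks or changes a password; the two share the silly-word list because the same strings show up in both situations.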



Documentation generated on Mon, 29 Dec 2003 21:12:31 +0100 by phpDocumentor 1.2.3