Password class.
features:
- generate pronounceable passwords
- detect bad passwords on different levels
- detect hack attacks
missing: wish list:
KNOWLEDGE BASE
should users be able to choose their own password? if so, they usually choose weak things. if you give them something like F4@!ad0T$ they will write it on a piece of paper and stick it on the monitor.
Announcing the Standard for Automated Password Generator http://www.eff.org/Privacy/Newin/New_nist/fips181.txt
creating passwords using the '4th-order Markov chain', see message http://www.phpbuilder.com/annotate/message.php3?id=1005436 follow up http://www.phpbuilder.com/annotate/message.php3?id=1006236 follow up http://www.phpbuilder.com/annotate/message.php3?id=1007044
*** how to make your system secure: *************************************************************************************
1) don't allow brute force attacks. limit the number of login attempts or double the timeout time (see below).
2) don't let people choose stupid passwords. stupid passwords are:
- the most used and well known passwords (like 1234, password, letmein, hello etc)
- names (first names)
- birthday dates (dates at all)
- things that lie around the computer
- dictionary words
- dictionary words with attached numbers, eg 'computer98'
but as long as you stop brute force, this is not the weak point.
3) log all login attempts.
4) block IPs and usernames after too many wrong login attempts. the real users need to email/call to reactivate.
5) maybe use (german) 'streichlisten' (lists of numbers; the next number has to be typed in along with user/pass each time).
6) don't make usernames public. if the password AND username have to be guessed, it's much more frustrating for an attacker. don't use well known usernames like 'root', 'admin', 'guest'.
7) never ever allow username and password to be equal.
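the checks for the 'stupid password' list above, as an added example (not the BlueShoes Password class itself; assumes PHP 7.4+). the word list, name list and list of most used passwords are tiny constructed samples; a real check loads full lists.

```php
<?php
// Added example, not the BlueShoes Password class: flags the kinds of
// "stupid passwords" listed above. The word list, name list and list of most
// used passwords are tiny constructed samples; a real check loads full lists.

final class WeakPasswordCheck
{
    private array $words;   // dictionary words and first names, lower case
    private array $common;  // most used passwords, lower case

    public function __construct(array $words, array $common)
    {
        $this->words  = array_map('strtolower', $words);
        $this->common = array_map('strtolower', $common);
    }

    /** Reasons the password is weak; an empty array means none of the checks hit. */
    public function reasons(string $password, string $username = ''): array
    {
        $p = strtolower($password);
        $reasons = [];
        if ($username !== '' && $p === strtolower($username)) {
            $reasons[] = 'equals the username';                // rule 7 above
        }
        if (in_array($p, $this->common, true)) {
            $reasons[] = 'well known password';
        }
        if (in_array($p, $this->words, true)) {
            $reasons[] = 'dictionary word or first name';
        }
        // dictionary word with attached numbers, eg computer98
        if (preg_match('/^([a-z]+)[0-9]+$/', $p, $m) && in_array($m[1], $this->words, true)) {
            $reasons[] = 'dictionary word with attached numbers';
        }
        // looks like a date: ddmmyy, ddmmyyyy, yyyy-mm-dd or dd.mm.yyyy (separators - . / allowed)
        if (preg_match('/^(\d{6}|\d{8}|\d{4}[-.\/]\d{2}[-.\/]\d{2}|\d{2}[-.\/]\d{2}[-.\/]\d{2,4})$/', $p)) {
            $reasons[] = 'looks like a date';
        }
        return $reasons;
    }
}

// constructed sample lists and inputs
$check = new WeakPasswordCheck(['computer', 'hello', 'peter', 'andrej'], ['1234', 'password', 'letmein', 'hello']);
print_r($check->reasons('computer98'));       // dictionary word with attached numbers
print_r($check->reasons('21.03.1985'));       // looks like a date
print_r($check->reasons('peter', 'peter'));   // equals the username, dictionary word or first name
print_r($check->reasons('xK7#qLp2'));         // empty array: none of the checks hit
```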
*** number of login attempts: *******************************************************************************************
sam and andrej think it's a bad and common thing to allow only 3 login attempts. it's not enough, because the first time the password is typed in, one doesn't do it carefully at all. then it's wrong. now one thinks that he misspelled it, so one types it again, more or less carefully. wrong again, yuck, panic. now one goes (i have done that myself a lot of times) and types it with 1 finger, letter by letter, and this is where you mostly misspell it anyway. so the 3 attempts are gone, and the user didn't even try another password, or think about whether he has changed it lately, or whatever.
limiting the user attempts isn't too bad. bruteforce attacks have to be blocked, that's for sure. but the chance/risk that an attacker finds out the password in 10 attempts compared to 3 attempts isn't much bigger.
our favorite way is the unix one: double the timeout time each time a wrong password has been entered, and reset it when the password was ok. this has been implemented in the Bs_Session class.
i think that logging all login attempts (with datetime, user/pass, ip etc) is a very good idea. the Bs_Session class has a few more neat features. for example hacker detection (if things like letmein, root, password etc are tried).
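the doubling timeout, attempt logging and hacker detection described above, as an added example (not the Bs_Session code; assumes PHP 7.4+). state is kept in memory here; the real thing would keep it in the session or a database, and the login data are constructed.

```php
<?php
// Added example, not the Bs_Session code: per-user login throttling that
// doubles the wait after every wrong password and resets it when the password
// was ok, logs every attempt, and flags tries of well known passwords.
// State is kept in memory here (assumption); a real system uses session or DB.
final class LoginThrottle
{
    private const BASE_DELAY   = 2;     // seconds to wait after the first wrong password
    private const MAX_DELAY    = 3600;  // cap, so the delay cannot grow without bound
    private const ATTACK_WORDS = ['letmein', 'root', 'password', '1234', 'admin'];
    private array $state = [];  // user => ['failures' => int, 'nextAllowed' => unix time]
    public array $log = [];     // one line per attempt, never containing the password

    /** Returns 'ok', 'wait' (timeout not over, password not even checked) or 'wrong'. */
    public function attempt(string $user, string $pass, string $ip, int $now, callable $verify): string
    {
        $s = $this->state[$user] ?? ['failures' => 0, 'nextAllowed' => 0];
        if ($now < $s['nextAllowed']) {
            $this->record($now, $user, $ip, 'blocked for another ' . ($s['nextAllowed'] - $now) . 's');
            return 'wait';
        }
        $lp = strtolower($pass);
        if (in_array($lp, self::ATTACK_WORDS, true) || $lp === strtolower($user)) {
            $this->record($now, $user, $ip, 'ATTACK? well known password or username tried');
        }
        if ($verify($user, $pass)) {
            $this->state[$user] = ['failures' => 0, 'nextAllowed' => 0];  // reset on success
            $this->record($now, $user, $ip, 'ok');
            return 'ok';
        }
        $s['failures']++;
        // 2, 4, 8, 16 ... seconds; exponent capped so the shift cannot overflow
        $delay = min(self::MAX_DELAY, self::BASE_DELAY << min($s['failures'] - 1, 20));
        $s['nextAllowed'] = $now + $delay;
        $this->state[$user] = $s;
        $this->record($now, $user, $ip, "wrong password, next try allowed in {$delay}s");
        return 'wrong';
    }

    private function record(int $now, string $user, string $ip, string $what): void
    {
        $this->log[] = sprintf('%s user=%s ip=%s %s', date('c', $now), $user, $ip, $what);
    }
}

// constructed demo: only sam / 'correct horse' is a valid login
$verify = fn(string $u, string $p): bool => $u === 'sam' && $p === 'correct horse';
$t = new LoginThrottle();
$t->attempt('sam', 'letmein', '10.0.0.5', 1000, $verify);        // wrong (and flagged), wait 2s
$t->attempt('sam', 'correct horse', '10.0.0.5', 1001, $verify);  // wait: still blocked, not checked
$t->attempt('sam', 'correct horse', '10.0.0.5', 1002, $verify);  // ok, delay reset
echo implode("\n", $t->log), "\n";
```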
*** the security of passwords: ******************************************************************************************
David Altherr has made a nice list of how long it takes to brute-force what sort of password. see http://www.phpbuilder.com/annotate/message.php3?id=1006410
Some 'max time to crack' probabilities i calculated based on the assumption of an 8 char password and the estimation that we can brute force about a million possibilities a second (a very low estimation considering current technologies have been clocked at 2,676,400 /sec ), you can adjust figures linearly as desired:
+----------+------------+----------+------------------------------------------------------------------------------------+
| EXAMPLES | OPERATIONS | TIME     | DESCRIPTION                                                                        |
|----------+------------+----------+------------------------------------------------------------------------------------+
| abababab | 4.14E8     | 3.45 min | the alternating vowel and consonant solution as written with lower case characters |
|----------+------------+----------+------------------------------------------------------------------------------------+
| abababab | 8.28E8     | 6.91 min | the alternating vowel and consonant solution as written with lower case characters |
| babababa |            |          | and random starting vowel or consonant                                             |
|----------+------------+----------+------------------------------------------------------------------------------------+
| ?        | 5.30E10    | 14.74 h  | the alternating solution but with numbers and lower case characters                |
|----------+------------+----------+------------------------------------------------------------------------------------+
| 3bA0aBA9 | 1.46E12    | 16.95 d  | the alternating solution but with numbers and characters, lower and upper case     |
|----------+------------+----------+------------------------------------------------------------------------------------+
| a0bc3z2a | 2.82E12    | 32.65 d  | a totally random alphanumeric solution with only lower case                        |
|----------+------------+----------+------------------------------------------------------------------------------------+
| A0bc3Z2a | 2.18E14    | 6.92 y   | a totally random alphanumeric solution                                             |
|----------+------------+----------+------------------------------------------------------------------------------------+
cracking 'dictionary-word' passwords:
- assuming a dataset of 100,000 words from the dictionary with length of seven or less, two words joined: 1.00E10 operations, 2.77 hours
- assuming a dataset of 50,000 words from the dictionary with length of six or less, three words joined: 1.25E14 operations, 3.96 years
comments: over the web it will never be possible to brute-force at that speed. --andrej
*************************************************************************************************************************
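how the OPERATIONS and TIME columns of the table above are derived, as an added example (not code from the table's author or from BlueShoes). the character classes are assumptions, so the vowel/consonant rows come out a bit different from the table, while the two random alphanumeric rows reproduce it exactly.

```php
<?php
// Added example, not from the table's author: keyspace and max time to crack
// for 8-character password patterns. Character classes are assumptions:
// V = vowel (aeiouy, 6), C = other letter (20), M = lower case letter or digit (36),
// A = letter or digit, any case (62). Rate is guesses per second, 1e6 as in the table.

const CLASS_SIZES = ['V' => 6, 'C' => 20, 'M' => 36, 'A' => 62];

/** Number of candidates an attacker must try for a pattern such as 'VCVCVCVC'. */
function keyspace(string $pattern): float
{
    $n = 1.0;
    foreach (str_split($pattern) as $class) {
        if (!isset(CLASS_SIZES[$class])) {
            throw new InvalidArgumentException("unknown character class '$class'");
        }
        $n *= CLASS_SIZES[$class];
    }
    return $n;
}

/** Max time to exhaust the whole space, in the units the table uses. */
function timeToCrack(float $operations, float $perSecond = 1e6): string
{
    $s = $operations / $perSecond;
    if ($s < 3600) {
        return sprintf('%.2f min', $s / 60);
    }
    if ($s < 86400) {
        return sprintf('%.2f h', $s / 3600);
    }
    if ($s < 365 * 86400) {
        return sprintf('%.2f d', $s / 86400);
    }
    return sprintf('%.2f y', $s / (365 * 86400));
}

$rows = [
    'abababab (VCVCVCVC)'             => keyspace('VCVCVCVC'),
    'abababab or babababa'            => keyspace('VCVCVCVC') + keyspace('CVCVCVCV'),
    'random lower case alphanumeric'  => keyspace('MMMMMMMM'),   // 2.82E12, 32.65 d as in the table
    'random alphanumeric, both cases' => keyspace('AAAAAAAA'),   // 2.18E14, 6.92 y as in the table
];
foreach ($rows as $label => $ops) {
    printf("%-32s %.2E operations  %s\n", $label, $ops, timeToCrack($ops));
}
```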