Difference between revisions of "Password length & complexity"

From OWASP
Jump to: navigation, search
(Introduction)
(12 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 +
==Status==
 +
Under review
 +
 
== Introduction ==
 
== Introduction ==
A password is something that a user knows similar to a personal identification number (PIN) we use for our bank's ATM card.  Coupled with user identification, it the most common form of identification and authorization mechanism implemented in web applications.  Below are advantages and disadvantages on using a password as authentication mechanism.
+
A password is something that a user knows similar to a personal identification number (PIN) we use for our bank's ATM card.  Coupled with user identification, it is the most common form of identification and authorization mechanism implemented in web applications.  Below are advantages and disadvantages on using a password as authentication mechanism.
  
 
'''Pros'''
 
'''Pros'''
Line 13: Line 16:
  
 
With best practices and proper implementation guidelines, the use of password as an authentication mechanism can be a quick and easy solution.
 
With best practices and proper implementation guidelines, the use of password as an authentication mechanism can be a quick and easy solution.
 
[[Category:OWASP Java Project]]
 
  
 
== Best practices ==
 
== Best practices ==
Line 24: Line 25:
 
Password length considers the minimum and maximum length of characters comprising the password of your users.  For ease of changing this length, its implementation can be configurable possibly using a properties file or xml configuration file.   
 
Password length considers the minimum and maximum length of characters comprising the password of your users.  For ease of changing this length, its implementation can be configurable possibly using a properties file or xml configuration file.   
  
* Minimum length.  Passwords should be at least eight (8) characters long.  Combining this length with complexity makes a password difficult to guess and/or brute forced.
+
* Minimum length.  Passwords should be at least eight (8) characters long.  Combining this length with complexity makes a password difficult to guess and/or brute force.
 
* Maximum length.  Remember, people tend to forget their passwords easily.  The longer the password, the more chances people will mistakenly use them in your system.
 
* Maximum length.  Remember, people tend to forget their passwords easily.  The longer the password, the more chances people will mistakenly use them in your system.
  
 
'''Password Complexity'''
 
'''Password Complexity'''
  
* Password characters should be a combination of alphanumeric characters.  Alphanumeric characters consist of letters, numbers, punctuation mark, mathematical and other conventional symbols.  See implementation below for the exact characters referred to.
+
* Password characters should be a combination of alphanumeric characters.  Alphanumeric characters consist of letters, numbers, punctuation marks, mathematical and other conventional symbols.  See implementation below for the exact characters referred to.
* For change password functionality, if possible, keep a history of old passwords used for the past 2 months. In this way, the user cannot change password that was used a couple of months back.
+
* For change password functionality, if possible, keep a history of old passwords hashes used. You should not store the actual passwords to protect against brute forcing if the database file is compromised. In this way, the user cannot change to a password that was used a couple of months back.
 +
 
 +
'''Password Generation'''
 +
 
 +
The OWASP Enterprise Security API for Java has a few methods that simplify the task of generating quality passwords, as well as determining password strength.
 +
 
 +
* public void verifyPasswordStrength(String newPassword, String oldPassword)
 +
The verifyPasswordStrength() method accepts a new password and the current password. First, it checks that the new password does not contain any 3 character substrings of the current password. Second, it checks if the password contains characters from each of the following character sets: CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS. Finally, it calculates the password strength by multiplying the length of the new password by the number of character sets it is comprised of. A value of less than 16 is considered weak and an exception will be thrown in this case. At some point in the future, this value will be a user configurable option.
 +
 
 +
* public String generateStrongPassword()
 +
The generateStrongPassword() method uses the ESAPI randomizer to build strong passwords comprised of upper & lower case letters, digits, and special characters. Currently, all character sets are hard-coded in ESAPI Encoder.java. There are plans to make these user configurable. The source code is available at [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html Authenticator.java]. For more information on OWASP ESAPI follow this link: [[ESAPI|OWASP ESAPI]]
 +
 
 +
'''Sample Code'''
 +
 
 +
Below is a sample Servlet that uses the above methods to create a new password, and compare it to a blank string.
 +
 
 +
        import org.owasp.esapi.*;
 +
        import org.owasp.esapi.interfaces.IAuthenticator;
 +
        import java.io.*;
 +
        import javax.servlet.*;
 +
        import javax.servlet.http.*;
 +
       
 +
        public class generateStrongPassword extends HttpServlet {
 +
       
 +
                public static final String RESOURCE_DIRECTORY = "org.owasp.esapi.resources";
 +
                private static String resourceDirectory = System.getProperty(RESOURCE_DIRECTORY);
 +
       
 +
                public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
 +
                        response.setContentType("text/html");
 +
                        IAuthenticator passInstance = ESAPI.authenticator();
 +
                        PrintWriter out = response.getWriter();   
 +
                        String password = passInstance.generateStrongPassword();
 +
       
 +
                        try {
 +
        passInstance.verifyPasswordStrength(password, "");
 +
        out.println("New password is strong!");
 +
        } catch (Exception e) {
 +
        out.println("New password is not strong enough");
 +
        }
 +
                        out.println(password);
 +
                }       
 +
      }
  
== Implementing Password Length & Complexity ==
 
  
 
[[Category:OWASP Java Project]]
 
[[Category:OWASP Java Project]]

Revision as of 14:42, 28 January 2011

Status

Under review

Introduction

A password is something that a user knows similar to a personal identification number (PIN) we use for our bank's ATM card. Coupled with user identification, it is the most common form of identification and authorization mechanism implemented in web applications. Below are advantages and disadvantages on using a password as authentication mechanism.

Pros

  • easy to implement
  • inexpensive (doesn't require sophisticated hardware)
  • easy to use (unless you forget it)

Cons

  • easy to guess
  • can be sniffed or brute forced
  • users tend to forget their password or list them on sticky notes posted in their monitor or under the keyboard

With best practices and proper implementation guidelines, the use of password as an authentication mechanism can be a quick and easy solution.

Best practices

Password length and complexity with proper password management makes the use of password as an authentication mechanism worthwhile to consider in your web application requirements. Below are best practices for password length and complexity.

Password length

Password length considers the minimum and maximum length of characters comprising the password of your users. For ease of changing this length, its implementation can be configurable possibly using a properties file or xml configuration file.

  • Minimum length. Passwords should be at least eight (8) characters long. Combining this length with complexity makes a password difficult to guess and/or brute force.
  • Maximum length. Remember, people tend to forget their passwords easily. The longer the password, the more chances people will mistakenly use them in your system.

Password Complexity

  • Password characters should be a combination of alphanumeric characters. Alphanumeric characters consist of letters, numbers, punctuation marks, mathematical and other conventional symbols. See implementation below for the exact characters referred to.
  • For change password functionality, if possible, keep a history of old passwords hashes used. You should not store the actual passwords to protect against brute forcing if the database file is compromised. In this way, the user cannot change to a password that was used a couple of months back.

Password Generation

The OWASP Enterprise Security API for Java has a few methods that simplify the task of generating quality passwords, as well as determining password strength.

  • public void verifyPasswordStrength(String newPassword, String oldPassword)

The verifyPasswordStrength() method accepts a new password and the current password. First, it checks that the new password does not contain any 3 character substrings of the current password. Second, it checks if the password contains characters from each of the following character sets: CHAR_LOWERS, CHAR_UPPERS, CHAR_DIGITS, CHAR_SPECIALS. Finally, it calculates the password strength by multiplying the length of the new password by the number of character sets it is comprised of. A value of less than 16 is considered weak and an exception will be thrown in this case. At some point in the future, this value will be a user configurable option.

  • public String generateStrongPassword()

The generateStrongPassword() method uses the ESAPI randomizer to build strong passwords comprised of upper & lower case letters, digits, and special characters. Currently, all character sets are hard-coded in ESAPI Encoder.java. There are plans to make these user configurable. The source code is available at Authenticator.java. For more information on OWASP ESAPI follow this link: OWASP ESAPI

Sample Code

Below is a sample Servlet that uses the above methods to create a new password, and compare it to a blank string.

       import org.owasp.esapi.*;
       import org.owasp.esapi.interfaces.IAuthenticator;
       import java.io.*;
       import javax.servlet.*;
       import javax.servlet.http.*;
       
       public class generateStrongPassword extends HttpServlet {
       
               public static final String RESOURCE_DIRECTORY = "org.owasp.esapi.resources";
               private static String resourceDirectory = System.getProperty(RESOURCE_DIRECTORY);
       
               public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
                       response.setContentType("text/html");
                       IAuthenticator passInstance = ESAPI.authenticator();
                       PrintWriter out = response.getWriter();    
                       String password = passInstance.generateStrongPassword();		
       
                       try {
	        		passInstance.verifyPasswordStrength(password, "");
	        		out.println("New password is strong!");
	        	} catch (Exception e) {
	        		out.println("New password is not strong enough");
	        	}
                       out.println(password);
               }        
      }