Wednesday, May 9, 2012

For Better Password Policies: OWASP Passfault

OWASP Passfault is a free password policy replacement that makes passwords stronger.  It is not a conventional password strength meter.  Even with two-factor authentication, we can do better on the most common “what you know” factor, and even low-risk sites benefit.  You can try it here, read about it here, look at this presentation, or look at the code.  I’ll summarize the presentation in the next few paragraphs.


Why? Password Policies Stink.

Password policies are ineffective.  They block some strong password patterns and let some weak ones through.  Researchers at Carnegie Mellon studied the effect of password policies on password strength and state that “Successfully creating a password is significantly more difficult under stricter password policies”.  They also found that password length was the only significant predictor of eventual password strength.  In summary: Password Policies Stink.  They don’t work because they do not measure strength; they measure how well you comply with good advice, and you can follow the advice and still make a terrible password.

Why don’t we just measure password strength?  OWASP Passfault measures password strength using the following steps:

1. Identify Patterns

These are patterns that OWASP Passfault identifies currently:
  • Dictionary Patterns (currently English and Spanish)
    • Words with mixed case
    • Words with substituted special characters
    • Words with inserted special characters
    • Misspelled words
    • 1337 (leet) speak substitution
    • Backwards words
  • Keyboard Patterns (currently US and Russian)
    • Horizontal sequence of keys
    • Diagonal sequence of keys
    • Repeated keys
  • Repeated Pattern
  • Date Patterns
  • Random set including international characters (currently Latin and Cyrillic)


2. Measure Pattern Size

How many passwords fit in a pattern? That is the measure of the pattern.  That’s it.  Nothing fancy.  This leads to a discussion of password pattern strength and a distinction between pattern security and pattern obscurity.  In the security world we always favor security over obscurity.  For example, under this measurement a backwards-spelled word is just as strong as a normal word: an attacker who knows the word is reversed still only has to search the dictionary, so reversing adds no search space.  This may bother some people, but it is intentional.  Put another way: if a hacker knew how you created your password, would that help him crack it?


3. Find Weakest Combination

More than one pattern will be found in a password, and some will overlap.  Passfault goes through each one and finds the weakest combination.  The number of passwords that fit in that weakest combination of patterns is the measure of strength.  Another way to state the measurement: if a hacker knew which patterns are in a password, how many passwords would he have to try to crack it?


4. Estimate Time to Crack

Pattern sizes get large, and a raw count is hard to relate to risk.  OWASP Passfault makes the risk tangible by presenting the time to crack.  This not only shows password strength, it also factors in how the password is protected on the back end: if the password is hashed with a weak or fast algorithm, an attacker can test more guesses per second and the time to crack is shorter.  This makes it personal.  If a password can be cracked in two days, knowing that compels a user to do better.


5. Tie Policy to Strength

The password policy is now easy to configure: just slide the bar to the desired strength.  Even for a low-risk site, an administrator can set the threshold low, knowing that the passwords are still strong enough for the risk.  Unlike conventional password policies, this gives the administrator confidence that a stronger policy actually produces stronger passwords.
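To make steps 1 through 5 concrete, here is a small Python sketch of the same pipeline.  It is an added example, not Passfault’s own code: the dictionary, leet map, keyboard rows, the pattern-size formulas and the guesses-per-second figures are all constructed, illustrative assumptions, and it only handles horizontal keyboard runs, plain dictionary words (mixed case, leet, reversed), repeated keys and two date forms.

```python
"""Toy Passfault-style strength estimator (added example, not the project's code).

(1) find patterns, (2) size each pattern, (3) find the weakest covering
combination, (4) convert that to time-to-crack, (5) apply a policy threshold.
All tables below are small constructed stand-ins for Passfault's real data.
"""

# ---- (1) constructed pattern data: deliberately tiny -------------------------
DICT = {"password", "secret", "dragon", "monkey", "letmein",
        "welcome", "sunshine", "master", "shadow", "summer"}
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}
LEETABLE = set(LEET.values())          # letters an attacker would try to leet
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]  # US rows
KEYSPACE = 95                          # printable ASCII: the "random" fallback
MIN_RUN = 3                            # shortest keyboard/repeat run we count


# ---- (2) pattern sizes: how many passwords fit the pattern -------------------
def dictionary_size(s):
    """Size of the dictionary pattern matching s, or None if no match."""
    canon = "".join(LEET.get(c, c) for c in s.lower())      # undo leet
    if canon not in DICT and canon[::-1] not in DICT:
        return None
    # A backwards word gets the same size as a forwards one: once the attacker
    # knows the trick, reversing adds no search space (security, not obscurity).
    size = len(DICT)
    if s != s.lower():                                      # mixed case
        capitalized = s == s[:1].upper() + s[1:].lower()
        size *= 2 if capitalized else 2 ** sum(c.isalpha() for c in s)
    if canon != s.lower():                                  # leet substitutions
        size *= 2 ** sum(c in LEETABLE for c in canon)      # each leetable letter: on/off
    return size


def keyboard_size(s):
    """Size of the horizontal key-sequence pattern matching s, or None."""
    low = s.lower()
    if len(low) < MIN_RUN:
        return None
    if not any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        return None
    # every run of this length, in either direction, on any row
    return 2 * sum(max(0, len(r) - len(low) + 1) for r in KEYBOARD_ROWS)


def repeat_size(s):
    """One key repeated: the attacker only has to choose which key."""
    return KEYSPACE if len(s) >= MIN_RUN and len(set(s)) == 1 else None


def date_size(s):
    if s.isdigit() and len(s) == 4 and 1900 <= int(s) <= 2099:
        return 200                                          # a year 1900..2099
    if (s.isdigit() and len(s) == 8 and 1 <= int(s[:2]) <= 12
            and 1 <= int(s[2:4]) <= 31 and 1900 <= int(s[4:]) <= 2099):
        return 12 * 31 * 200                                # mmddyyyy
    return None


def find_patterns(password):
    """(1) Every (start, end, name, size) pattern found in the password."""
    found, n = [], len(password)
    for i in range(n):
        for j in range(i + 1, n + 1):
            sub = password[i:j]
            for name, fn in (("dictionary", dictionary_size), ("keyboard", keyboard_size),
                             ("repeat", repeat_size), ("date", date_size)):
                size = fn(sub)
                if size is not None:
                    found.append((i, j, name, size))
        found.append((i, i + 1, "random", KEYSPACE))       # fallback per character
    return found


# ---- (3) weakest combination: min product of sizes over a covering ----------
def weakest_combination(password):
    """Returns (guess_count, [(substring, pattern, size), ...]) for the weakest cover."""
    best = [None] * (len(password) + 1)                     # best[k]: weakest cover of prefix k
    best[0] = (1, [])
    for i, j, name, size in sorted(find_patterns(password)):  # sorted by start: best[i] is final
        if best[i] is None:
            continue
        cand = best[i][0] * size
        if best[j] is None or cand < best[j][0]:
            best[j] = (cand, best[i][1] + [(password[i:j], name, size)])
    return best[-1]


# ---- (4) time to crack: depends on how the back end stores the password -----
HASH_RATE = {"md5": 1e10, "sha256": 2e9, "bcrypt": 2e4}    # constructed, illustrative guesses/s


def crack_seconds(password, hash_name):
    """Worst-case seconds to exhaust the weakest combination at the given hash rate."""
    return weakest_combination(password)[0] / HASH_RATE[hash_name]


# ---- (5) policy is one threshold on time-to-crack, not a list of rules ------
def meets_policy(password, hash_name, min_crack_days):
    return crack_seconds(password, hash_name) >= min_crack_days * 86400


if __name__ == "__main__":
    for pw in ["password", "drowssap", "P@ssw0rd", "qwerty123", "Summer1987", "aaaa"]:
        guesses, parts = weakest_combination(pw)
        print(f"{pw:12} {guesses:>12,} guesses  {parts}")
```

Running the block prints one line per sample password; `weakest_combination` returns both the guess count and the patterns that produced it, which is what a meter would show the user.  Every size is the size of the attacker’s search space once the pattern is known, so `drowssap` costs no more than `password`, and `P@ssw0rd` is only a few hundred guesses rather than the 95^8 a per-character count would suggest.  The hash rates are placeholders; what matters is the shape of the argument: the same guess count is seconds under a fast unsalted hash and days under a slow, tunable one.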


What’s Next?

Overall, OWASP Passfault provides a more intuitive and accurate password policy, but there is more to do.  Here is a roadmap for OWASP Passfault.  Surely we do not have all the possible password patterns; if there are some you use or would like to see, please comment or join the mailing list and let us know.  If your language is not included, you can help by adding more dictionaries.

1 comment:

Joshbw said...

In general I quite like the general thinking in this project, but the roadmap is concerning. Specifically, the development of the applet is concerning given that client-side Java is dead (no Java plugin in mobile/tablet/Metro browsers, and a whole heck of a lot of us actively don't want Java on client machines that do support it). Going with a straight script version would make a lot more sense, bypassing a plugin, but even for a plugin Flash is a better option than Java.

I would very much encourage the team to not spend cycles on the applet. Otherwise, a very promising project