OWASP Passfault is a free password policy replacement that will make passwords stronger. It is not your conventional password strength meter. Even with two-factor authentication, we can do better to improve the most common “what you know” factor. Even low-risk sites benefit. You can try it here, or read about it here, or look at this presentation, or look at the code. I’ll summarize the presentation in the next few paragraphs.
Why? Password Policies Stink.
Password policies are ineffective. They block some strong password patterns and they let some weak password patterns fly on by. Researchers at Carnegie Mellon did some studies on the effect of password policies on password strength. They state that “Successfully creating a password is significantly more difficult under stricter password policies”. They also found that password length was the only significant predictor of eventual password strength. In summary: Password Policies Stink. They don’t work because they do not measure strength; instead they measure how well you comply with good advice. You can follow the advice and still make terrible passwords.
Why don’t we just measure password strength? OWASP Passfault measures password strength using the following steps:
1. Identify Patterns
These are patterns that OWASP Passfault identifies currently:
- Dictionary Patterns (currently English and Spanish)
  - Words with mixed case
  - Words with substituted special characters
  - Words with inserted special characters
  - Misspelled words
  - l33t speak substitution
  - Backwards words
- Keyboard Patterns (currently US and Russian)
  - Horizontal sequence of keys
  - Diagonal sequence of keys
  - Repeated keys
- Repeated Pattern
- Date Patterns
- Random set including international characters (currently Latin and Cyrillic)
2. Measure Pattern Size
How many passwords fit in a pattern? That is the measure of the pattern. That’s it. Nothing fancy. This leads to a discussion of password pattern strength and a distinction between pattern security and pattern obscurity. In the security world we know that we always favor security over obscurity. For example, using this measurement, a backwards-spelled word is just as strong as a normal word: reversing is a fixed transformation, so an attacker who knows the pattern can apply it to every word in the dictionary without trying any additional passwords. This may bother some, but it is intentional. Put another way, if a hacker knew how you created your password, would that help him hack it?
3. Find Weakest Combination
There will be more than one pattern found in a password, and some will overlap. Passfault goes through each one and finds the weakest combination. The number of passwords that fit in the combination of weakest patterns is the measure of strength. Another way to state the measurement is this: if a hacker knew what patterns are in a password, how many passwords would he have to attempt to crack it?
4. Estimate Time to Crack
Pattern sizes get large and it is hard to see the risk. OWASP Passfault makes the risk more tangible by presenting the time to crack. Not only does this show password strength, it also factors in how the password is protected on the back-end. If the password is hashed with a weak algorithm, then the time to crack is lower. This makes it personal. If a password can be cracked in two days, knowing that compels a user to do better.
5. Tie Policy to Strength
The password policy is now easy to configure. Just slide the bar to the desired strength. Even for a low-risk site, an administrator can set the setting low, knowing that passwords are strong enough considering the risk. Unlike conventional password policies, this gives the administrator confidence that a stronger policy produces stronger passwords.
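To make the five steps concrete, here is a miniature of the whole measurement written as an added example in Python. It is not OWASP Passfault’s own code (Passfault is a Java project); the word list, keyboard rows, pattern sizes, character-class sizes and cracking speeds below are all constructed assumptions chosen so the arithmetic is easy to follow, and unmatched characters are counted one class at a time rather than with Passfault’s real random-pattern rules. What it does show is the part that matters: patterns are found, each is sized by how many passwords fit it, the weakest non-overlapping combination covering the whole password is chosen, and that size becomes a time once the back-end hash is known.

```python
# Added example, not OWASP Passfault's own code: a miniature of the five
# measurement steps. The word list, keyboard rows, pattern sizes and
# cracking speeds are constructed assumptions, not Passfault's real tables.

# Constructed word list; WORD_LIST_SIZE is the assumed number of words the
# real list would let an attacker choose from.
WORDS = {"password", "dragon", "summer", "love", "pass", "word"}
WORD_LIST_SIZE = 50_000
L33T = str.maketrans("4301$@!", "aeolsai")      # constructed substitution table
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
KEY_COUNT = 47                                  # assumed keys on the layout
# Assumed guesses per second against each hash: illustrative orders of
# magnitude, not benchmarks.
GUESSES_PER_SECOND = {"md5": 10_000_000_000, "sha256": 1_000_000_000, "bcrypt": 10_000}


def char_class_size(c):
    """Size of the class an unmatched ('random') character is drawn from."""
    if c.islower() or c.isupper():
        return 26
    if c.isdigit():
        return 10
    return 33  # assumed count of printable symbols


def find_patterns(password):
    """Step 1: every (start, end, name, size) pattern found in the password.
    size is the number of passwords that fit the pattern (step 2)."""
    found = []
    lower = password.lower()
    for i in range(len(lower)):
        for j in range(i + 1, len(lower) + 1):
            sub = lower[i:j]
            if sub in WORDS:
                found.append((i, j, "word", WORD_LIST_SIZE))
            elif sub.translate(L33T) in WORDS:
                # Substitutions add a few choices per word; still a small pattern.
                found.append((i, j, "l33t-word", WORD_LIST_SIZE * 4))
            elif sub[::-1] in WORDS:
                # Reversal is obscurity, not security: same size as the plain word.
                found.append((i, j, "backwards-word", WORD_LIST_SIZE))
            if len(sub) >= 3 and any(sub in row for row in KEYBOARD_ROWS):
                # A run is fixed by its start key and direction.
                found.append((i, j, "keyboard-seq", KEY_COUNT * 2))
            if len(sub) >= 3 and len(set(sub)) == 1:
                found.append((i, j, "repeat", KEY_COUNT))
            if len(sub) == 4 and sub.isdigit() and 1900 <= int(sub) <= 2099:
                found.append((i, j, "year", 200))
    return found


def weakest_combination(password):
    """Step 3: the cheapest set of non-overlapping patterns covering the whole
    password. Returns (total_size, [(start, end, name, size), ...]).
    Sizes multiply across a combination; uncovered characters fall back to
    the 'random' pattern one character at a time."""
    n = len(password)
    best = [None] * (n + 1)          # best[j] = (size, patterns) covering password[:j]
    best[0] = (1, [])
    by_end = {}
    for p in find_patterns(password):
        by_end.setdefault(p[1], []).append(p)
    for j in range(1, n + 1):
        c = password[j - 1]
        size, chosen = best[j - 1]
        candidate = (size * char_class_size(c),
                     chosen + [(j - 1, j, "random", char_class_size(c))])
        for (i, _, name, psize) in by_end.get(j, []):
            prev_size, prev_chosen = best[i]
            if prev_size * psize < candidate[0]:
                candidate = (prev_size * psize, prev_chosen + [(i, j, name, psize)])
        best[j] = candidate
    return best[n]


def seconds_to_crack(total_size, hash_name):
    """Step 4: the pattern size becomes a time once the back-end hash is known."""
    return total_size / GUESSES_PER_SECOND[hash_name]


def meets_policy(password, hash_name, min_seconds):
    """Step 5: the policy is one number, the time to crack the administrator
    is willing to accept."""
    total, _ = weakest_combination(password)
    return seconds_to_crack(total, hash_name) >= min_seconds


if __name__ == "__main__":
    for pw in ("password1234", "drowssap", "aaaa1999", "xK7#qL2v"):
        total, parts = weakest_combination(pw)
        print(pw, total, [(name, size) for (_, _, name, size) in parts],
              "%.1f s at bcrypt" % seconds_to_crack(total, "bcrypt"))
```

Running it shows the points the text makes: "password1234" is covered by one dictionary word and one keyboard run (50,000 × 94 guesses), far weaker than its twelve characters suggest; "drowssap" scores exactly the same as "password" because reversal is a fixed transformation; and the same guess count is seconds under the assumed MD5 rate but minutes under the assumed bcrypt rate, which is what lets the policy be expressed as a time to crack rather than a list of rules.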
What’s Next?
Overall, OWASP Passfault provides a more intuitive and accurate password policy. But there is more to do. Here is a roadmap for OWASP Passfault. Surely we do not have all the possible password patterns. If there are some you use, or would like to see, please comment, or join the mailing list and let us know. If your language is not included, you can help by adding more dictionaries.