#1 Member (Johannesburg, South Africa; Root Administrator)
Subject: better password strength checker [Case 59375]

    Hi,

    Can you please implement a better password strength checker for more secure passwords.

    Have a look here: xkcd: Password Strength


    Basically, cPanel doesn't recognize a password like "correct battery horse staple" (as in the example) since it doesn't have mixed case, numbers or punctuation. Yet this password is far more secure than an 8- or 10-digit non-pronounceable, and often non-rememberable, password which users forget and have to write down in any case.

    According to How Secure Is My Password?, "correct battery horse staple" will take "About 54 octillion years" to hack,

    whereas a "secure password" like "y85q_QMS" will take "About 57 days", or a password like "xO]JF!XrV7bd" will take "About 77 million years" to hack.

    The last one is more secure, but much more difficult to remember, and as such users lose / forget them and constantly need to reset their passwords, or simply ignore the password generator's passwords and use their own, much weaker, passwords.



    With the feature that I'm suggesting it would be easy to get users to use 4 totally random, but easy to remember passwords instead.

#2 monarobase (France; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    "correct battery horse staple" will take a long time to brute force without dictionary but I would be quite interested to know how long it would take using a dictionary to do the brute force.

#3 cPanelDavidG, Technical Product Specialist (Houston, TX; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    Steve Gibson had an interesting note to make about inaccuracies in the entropy calculations shown on that XKCD comic: Security Now! Transcript of Episode #313

    I could write a lot here, but Steve, as always, phrases it much better than I can.

#4 monarobase (France; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    Thanks, he says it's 550 years at a thousand guesses per second with a dictionary of only 2048 words... not bad!

    Also I've noticed that some very poor passwords get through the current system with quite a high score:

    For instance: 13467982
    Score: 86%

    1346798
    Score: 75%

    134679
    Score: 64%

    At 1000 guesses per second that would take 134 seconds to brute force the 64% one.

    And just to make it worse, a random 6-letter password like this one:

    67BaHz

    only gets 48% even though it is a lot stronger!

    But even this password is way too simple from my point of view.
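The arithmetic behind the figures in posts #2 to #4, as an added example (this is not code from the thread, from cPanel, or from the sites it links): worst-case time to exhaust a search space at the 1,000 guesses per second the posts use, the counting attack that reaches a digit-only password like 134679 after about 134 seconds, and the guess rate a quoted cracking time implies. The character-pool sizes and the 2048-word list are assumptions modelled on the thread's examples.

```javascript
'use strict';

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Assumed alphabet sizes (printable ASCII is 95 symbols).
const POOL = { digits: 10, lowerUpperDigits: 62, printableAscii: 95 };

// Candidates an attacker must cover when every symbol comes from an alphabet
// of `alphabetSize` and the password has `length` symbols (whole words count
// as symbols once the attacker has the word list).
function searchSpace(alphabetSize, length) {
  return alphabetSize ** length;
}

// Worst-case seconds to try every candidate at `rate` guesses per second.
function secondsToExhaust(space, rate) {
  return space / rate;
}

// A cracker that simply counts upward from 0 reaches a digit-only password on
// guess (value + 1), however "random" the digits look.
function countingAttackSeconds(digitString, rate) {
  if (!/^[0-9]+$/.test(digitString)) throw new Error('digits only');
  return (Number(digitString) + 1) / rate;
}

// Back out the guess rate that a quoted cracking time must have assumed.
function impliedRate(space, seconds) {
  return space / seconds;
}

function describe(seconds) {
  if (seconds < 600) return `${seconds.toFixed(1)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toFixed(1)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
  if (seconds < SECONDS_PER_YEAR) return `${(seconds / 86400).toFixed(1)} days`;
  return `${(seconds / SECONDS_PER_YEAR).toFixed(1)} years`;
}

// The thread's examples at the thread's rate of 1,000 guesses per second.
const RATE = 1000;
const rows = [
  ['134679, counting attack', countingAttackSeconds('134679', RATE)],
  ['6 digits, exhaustive', secondsToExhaust(searchSpace(POOL.digits, 6), RATE)],
  ['67BaHz (6 from 62 symbols)', secondsToExhaust(searchSpace(POOL.lowerUpperDigits, 6), RATE)],
  ['4 words from a 2048-word list', secondsToExhaust(searchSpace(2048, 4), RATE)],
  ['y85q_QMS (8 from 95 symbols)', secondsToExhaust(searchSpace(POOL.printableAscii, 8), RATE)],
];
for (const [label, s] of rows) console.log(`${label}: ${describe(s)}`);

// The "57 days" quoted for y85q_QMS implies a far faster attacker; at that
// rate the four-word passphrase falls quickly once the word list is known.
const fastRate = impliedRate(searchSpace(POOL.printableAscii, 8), 57 * 86400);
console.log(`implied rate: ${fastRate.toExponential(2)} guesses/s`);
console.log(`4 words from 2048 at that rate: ${describe(secondsToExhaust(searchSpace(2048, 4), fastRate))}`);
```

Run with node. At 1,000 guesses per second the four-word passphrase takes about 557 years to exhaust even when the attacker holds the 2048-word list, which is the figure quoted in #4. The 57 days quoted for y85q_QMS in #1 only works out at roughly 1.3 billion guesses per second, and at that rate an attacker who knows the word list exhausts all 2048^4 passphrases in about 3.6 hours; the "octillion years" figure assumes the attacker guesses character by character with no word list.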

#5 Kent Brockman (Buenos Aires, Argentina; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    I agree with the request, but as cPanel is used by admins and users speaking several languages, completing this request would require huge dictionaries for every supported language. It could also be done using aspell, huh?
    The easy way is to allow, through Tweak Settings, the input of lengthy passwords, and add the corresponding note in the password input boxes.

#6 monarobase (France; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    I'm not sure you need dictionaries, but just a better algorithm that doesn't give long passwords poor ratings.

#7 JYF, Registered User (Website Owner)
Subject: re: better password strength checker [Case 59375]

    I agree. This password strength checker is a shame, and a real annoyance and time-waster.

    See also this now famous article: http://www.baekdal.com/insights/password-security-usability

#8 cPanelDavidG, Technical Product Specialist (Houston, TX; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    Quote (monarobase):
    I'm not sure you need dictionaries, but just a better algorithm that doesn't give long passwords poor ratings.
    What designates a password as being a long password?

    Here are some arguably weak passwords that are arguably long, for username: example

    password
    examplepassword (currently not permitted)
    passwordforaccountexample (currently not permitted)
    password111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    111111password111111

#9 monarobase (France; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    I'm not against checking against a dictionary but it has to be done in an intelligent manner.

    Pasword111111

    is quite weak, I agree.

    But you need to just not count the word "password", or give it a very small importance.

    Password84682

    is stronger than

    84682

    Not that either are strong.

    A password like

    PasswordIsStronghJalkj6h

    should get a good score.

    So should

    11111111111111hjKjdUjd27)

    I think the score should not have a negative scoring but a low but existing scoring for some words. Using a negative scoring method means that a good password associated with a poor password could get a bad score, whereas it should get a higher score than the good password alone.

#10 cPanelDavidG, Technical Product Specialist (Houston, TX; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    Quote (monarobase):
    I'm not against checking against a dictionary but it has to be done in an intelligent manner.

    Pasword111111
    ...
    I think the score should not have a negative scoring but a low but existing scoring for some words. Using a negative scoring method means that a good password associated with a poor password could get a bad score, whereas it should get a higher score than the good password alone.
    To summarize, entropy of the password itself should be a significant factor in password scoring.

    numbers = poor
    letters = not as bad, but still poor
    numbers + letters = okay
    different case letters = okay
    numbers + different case letters = good
    adding symbols to any of the above = bumps it up a degree of quality
    .. and so on...

    While an outsider doesn't inherently know how complex your password is and "should" be assuming maximum complexity, simply making a password more difficult to predict by means of more entropy should still weigh into password scoring.

    Note, long sequences (3 or more sequential characters) of identical characters can be considered a weakness to the password. This point was brought up several weeks after the XKCD comic by Steve Gibson after someone accused Apple of explicitly blocking password haystacking.

#11 Kent Brockman (Buenos Aires, Argentina; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    Quote (cPanelDavidG):
    numbers = poor
    letters = not as bad, but still poor
    numbers + letters = okay
    different case letters = okay
    numbers + different case letters = good
    adding symbols to any of the above = bumps it up a degree of quality
    .. and so on...
    Oh and don't forget: a phrase with several words may also be good enough, since most bruteforce dictionary attacks are looking for single words, not phrases.


    Quote (cPanelDavidG):
    Note, long sequences (3 or more sequential characters) of identical characters can be considered a weakness to the password.
    Only if the sequence is the same always, like in "ppaasswwoorrdd".
    Not sure. How long might it take to crack a password like this, for instance: cooLLL__.__Passswwwwooorrdd


    The problem isn't how many letters or how many numbers a person uses in her passwords.
    I can recall an old project I had to debug, where the passwords of users were stored in plain text. The db had 12000 users registered, and 8000 of them had the password "12345". The real problem is the lack of security culture in the masses.

#12 monarobase (France; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    3 letters in a row can be considered a weakness but should not count in a negative manner.

    %4/3CG7U;QLoMMMMMM

    is stronger than:

    %4/3CG7U;QLoM

    But not much stronger, just a bit stronger.

#13 Kent Brockman (Buenos Aires, Argentina; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    The JavaScript code behind How Secure Is My Password? is really revealing in its simplicity.
    Although, I can recall that the password validator that cPanel uses is the one from Yahoo UI. Is it?

#14 Registered User (Website Owner)
Subject: re: better password strength checker [Case 59375]

    I got meaningful information from this forum. Keep it up.

    Thanks

#15 cPanelDavidG, Technical Product Specialist (Houston, TX; Root Administrator)
Subject: re: better password strength checker [Case 59375]

    Quote (Kent Brockman):
    The JavaScript code behind How Secure Is My Password? is really revealing in its simplicity.
    Although, I can recall that the password validator that cPanel uses is the one from Yahoo UI. Is it?
    IIRC it does.

    I spoke with our Product Manager about this and we agreed that perhaps we should just replace this with something that rates the strengths of passwords on cryptographic strength (basically, # of bits of entropy). Admittedly, it wouldn't take into account things like were mentioned on XKCD or the prior discussion of password padding unless they were cryptographically stronger but it would be a notable step forward.
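An entropy-based scorer of the kind #15 describes, with the refinements argued for in #9, #10 and #12 (dictionary words and runs of three or more identical characters count for little, but never subtract, so appending characters never lowers the score), as an added example. It is not cPanel's code, nor the Yahoo UI or How Secure Is My Password? validators. The tiny word list, the 2048-word dictionary size it stands in for, the character-pool sizes and the rating bands are assumptions.

```javascript
'use strict';

// Constructed stand-in for a real dictionary; it is only used for matching.
// A real deployment would load a full word list, and WORDLIST_BITS would be
// log2 of its size. The value 11 assumes the 2048-word list behind the
// 550-year figure discussed earlier in the thread.
const WORDLIST = ['password', 'correct', 'battery', 'horse', 'staple',
                  'example', 'strong', 'cool', 'account'];
const WORDLIST_BITS = 11;

// Character classes. The pool an attacker must search per character is the
// union of the classes that actually appear in the password.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^A-Za-z0-9]/, size: 33 }, // remaining printable ASCII, space included
];

function poolSize(pw) {
  return CLASSES.filter(c => c.re.test(pw)).reduce((n, c) => n + c.size, 0);
}

// Split the password into tokens: a dictionary word (longest match, case-
// insensitive), a run of three or more identical characters, or one character.
function tokenize(pw) {
  const tokens = [];
  const lower = pw.toLowerCase();
  let i = 0;
  while (i < pw.length) {
    let word = '';
    for (const w of WORDLIST) {
      if (w.length > word.length && lower.startsWith(w, i)) word = w;
    }
    if (word) {
      tokens.push({ kind: 'word', text: pw.slice(i, i + word.length) });
      i += word.length;
      continue;
    }
    let j = i;
    while (j < pw.length && pw[j] === pw[i]) j++;
    if (j - i >= 3) {
      tokens.push({ kind: 'run', text: pw.slice(i, j) });
      i = j;
      continue;
    }
    tokens.push({ kind: 'char', text: pw[i] });
    i++;
  }
  return tokens;
}

// Bits of guessing work. A word costs log2(dictionary size), +1 if it carries
// a capital; a run costs one character plus log2(run length) (guess the symbol,
// then the count); any other character costs log2(pool). Every token adds a
// positive amount and the pool only grows, so appending never lowers the score.
function entropyBits(pw) {
  if (!pw) return 0;
  const charBits = Math.log2(poolSize(pw));
  let bits = 0;
  for (const t of tokenize(pw)) {
    if (t.kind === 'word') bits += WORDLIST_BITS + (/[A-Z]/.test(t.text) ? 1 : 0);
    else if (t.kind === 'run') bits += charBits + Math.log2(t.text.length);
    else bits += charBits;
  }
  return bits;
}

// Assumed rating bands.
function rating(bits) {
  if (bits < 28) return 'very weak';
  if (bits < 36) return 'weak';
  if (bits < 60) return 'reasonable';
  if (bits < 128) return 'strong';
  return 'very strong';
}

function score(pw) {
  const bits = entropyBits(pw);
  return {
    bits: Math.round(bits * 10) / 10,
    rating: rating(bits),
    tokens: tokenize(pw).map(t => `${t.kind}:${t.text}`),
  };
}

// Passwords taken from the thread.
for (const pw of ['134679', '67BaHz', 'password' + '1'.repeat(90), '111111password111111',
                  'Password84682', '84682', '%4/3CG7U;QLoM', '%4/3CG7U;QLoMMMMMM',
                  'correct battery horse staple']) {
  const s = score(pw);
  console.log(`${s.bits.toFixed(1).padStart(6)} bits  ${s.rating.padEnd(11)} ${pw}`);
}
```

Run with node. The 98-character "password111111..." from #8 scores about 23 bits (one word plus one run), 134679 scores below 67BaHz as #4 wanted, Password84682 scores above 84682 as #9 wanted, and %4/3CG7U;QLoMMMMMM comes out about 2.6 bits above %4/3CG7U;QLoM, which is the "a bit stronger" of #12. The four-word passphrase scores the 44 bits of its words plus the separators, so the scorer does credit the XKCD style without a negative penalty anywhere.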
