Forum Software Updated: Show Password Strength

Discussions about the forum and contents
LadyGeek
Site Admin
Posts: 47382
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Forum Software Updated: Show Password Strength

Post by LadyGeek » Thu Jun 07, 2012 2:51 pm

To help address the recent concerns on password security, we've installed a new feature which tells you the strength of your password. This feature is present in two areas where you can change existing passwords to new passwords (not the login screen).

1. Creating a password as part of new member registration
2. Changing your password in the User Control Panel

To see this in action, go into the User Control Panel (top left of every page) --> Profile --> Edit account settings --> New password: (type something in).

As you type, the password field will display a color code (red for weak to green for strong) as well as a text indicator for 'Very Weak', 'Weak', 'Good', 'Strong' and 'Very Strong' passwords. Passwords must be between 9 and 100 characters.

Password strength is graded on finding the following criteria in a password:

1) Contains mixed case letters
2) Contains numbers
3) Contains special characters
4) Password exceeds 12 characters

The intent of this feature is to provide guidance only; nothing is changed to prevent you from using an insecure password. The idea is to help those without a technical background choose a good password just by making the color go green.


This is an open source software modification supported by the phpBB community.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
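The four criteria and the 9-to-100 character rule above are enough to reconstruct what the meter computes. The following is an added example, not the phpBB modification's own code; the mapping of "criteria met" to the five text labels is my assumption (one label step per criterion), and the sample passwords are constructed.

```python
import string

# Length rule stated in the post: passwords must be between 9 and 100 characters.
MIN_LEN, MAX_LEN = 9, 100

# Text indicators listed in the post, weakest to strongest (the colour runs red to green).
LABELS = ["Very Weak", "Weak", "Good", "Strong", "Very Strong"]


def criteria_met(password: str) -> dict:
    """The four criteria the post says the meter looks for."""
    return {
        "mixed_case": any(c.islower() for c in password) and any(c.isupper() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "special_chars": any(c in string.punctuation for c in password),
        "exceeds_12_chars": len(password) > 12,
    }


def strength(password: str) -> tuple:
    """Return (label, number of criteria met).

    Assumption: one label step per criterion, so 0 criteria -> 'Very Weak' and
    all 4 -> 'Very Strong'. The label is None when the length rule is violated,
    since the form would reject such a password anyway."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return (None, 0)
    score = sum(criteria_met(password).values())
    return (LABELS[score], score)


def guidance_only_example() -> list:
    """Why the post calls the meter guidance only: the score counts character
    classes present, not how guessable the password is. 'Password2012!' meets
    every criterion although it is a dictionary word, a year and one symbol,
    while a long all-lowercase passphrase meets only the length criterion."""
    samples = ["Password2012!", "K1@nU9=fX3", "correcthorsebatterystaple"]
    return [(pw, strength(pw)[0]) for pw in samples]
```
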

NAVigator
Posts: 2457
Joined: Tue Feb 27, 2007 7:24 am
Location: Iowa

Re: Forum Software Updated: Show Password Strength

Post by NAVigator » Thu Jun 07, 2012 4:38 pm

That is a great feature. Thanks for implementing this and making the Bogleheads forum the best on the internet.

Jerry
"I was born with nothing and I have most of it left."

LadyGeek
Site Admin
Posts: 47382
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Forum Software Updated: Show Password Strength

Post by LadyGeek » Sat Jun 09, 2012 2:38 pm

For some really good advice about passwords, see this thread: Another reason why you should never reuse passwords...

zaplunken
Posts: 911
Joined: Tue Jul 01, 2008 9:07 am

Re: Forum Software Updated: Show Password Strength

Post by zaplunken » Sat Jun 09, 2012 5:38 pm

Thank you for creating this.

May I please ask a question? The threads I have been following are very technical, and I suspect many people, myself included, don't really understand what hashed or salted means, or what many of the concepts being discussed mean, and we are concerned whether our passwords are actually safe based upon their composition and lengths.

I used your new feature and I used the GRC's Interactive Brute Force Password “Search Space” Calculator to test my Vanguard password. I am concerned that they only allow 10 characters. So I took my actual Vg password and substituted the same type of characters for all 10 positions, i.e., say my password was K1@nU9=fX3, I used G9(bY7!sL8, so I have the caps and lower, numbers and special characters the same in each position.

So your site tells me it is strong, good.
The GRC's Interactive Brute Force Password “Search Space” Calculator said -
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 19.24 million centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 19.24 years
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 1.00 weeks

Can attempts be done that are as fast as 100 B per second? If yes 19 years seems safe but 100 T per second (I can't imagine anything is that fast???) just 1 week! Doesn't Vanguard lock your access after 3 or 5 incorrect attempts? This is the best I can do with Vanguard allowing just 10 characters.

As another example, I ran another password that is 12 characters, with just lower case letters and numbers allowed, and I got:
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 1.55 million centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 1.55 years
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 13.54 hours

Is this a safe password? GRC rates it lower than the Vanguard password and it is a financial institution!

Lastly, I took a password that has my credit card info. They allow upper and lower case, numbers and special characters and 15 characters, and I got:
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 1.49 hundred thousand trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 1.49 billion centuries
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 1.49 million centuries

I sure feel this is a safe password!

Do places like mutual fund companies, banks, online businesses and utilities (companies that have your credit card for auto billing) limit the number of password attempts and then lock you out? If yes then no one could spend 1 day much less centuries trying to guess my password?

As background, I create these passwords myself and keep them in a word document on my c-drive that is password protected with a 16 character password that is easy for me to remember but not using words or numbers that could be easily found in a dictionary. I have a unique password for every website that has info I want to protect though I use the same userid at most of these sites.

I think a lot of people would be interested in your answers as to how safe these examples are based upon the GRC brute force times. I only feel safe with the last example but as you can see the 1st 2 examples limit me in characters I can use or the length of the password.

Thank you very much for any help you can offer.
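The three GRC figures quoted above can be reproduced from a simple model, and the lockout question can be put in numbers alongside them. This is an added example, not GRC's code; it assumes GRC counts every string of length 1 up to the password length over a 95-character alphabet (26 lower, 26 upper, 10 digits, 33 symbols) or a 36-character one (lower case plus digits), and the lockout policy values are constructed, not any institution's actual policy.

```python
# Alphabet sizes (assumption about what GRC's calculator uses).
FULL_ASCII = 26 + 26 + 10 + 33   # 95 printable characters
LOWER_DIGITS = 26 + 10           # 36: lower case letters and digits only

# The three guessing rates GRC quotes, in guesses per second.
SCENARIOS = {
    "online": 10**3,
    "offline_fast": 10**11,
    "massive_array": 10**14,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, max_length: int) -> int:
    """Every string of length 1..max_length over the alphabet. Shorter strings are
    counted too, because an exhaustive search has to try them as well."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def exhaustive_search_years(alphabet_size: int, max_length: int) -> dict:
    """Worst-case time, in years, to try the whole space at each quoted rate.
    Small differences from GRC's printed values come down to rounding."""
    space = search_space(alphabet_size, max_length)
    return {name: space / rate / SECONDS_PER_YEAR for name, rate in SCENARIOS.items()}


def online_guesses_per_year(max_attempts: int, lockout_seconds: int) -> int:
    """Upper bound on guesses an online attacker can submit against one account
    when the site locks it for lockout_seconds after max_attempts failures.
    This is what the 'online' row ignores: online guessing is bounded by the
    site's policy, not by the attacker's hardware. (Policy values are assumed.)"""
    return max_attempts * SECONDS_PER_YEAR // lockout_seconds


def fraction_searched_online(alphabet_size: int, max_length: int,
                             max_attempts: int, lockout_seconds: int) -> float:
    """Share of the whole space an online attacker could cover in a year."""
    return online_guesses_per_year(max_attempts, lockout_seconds) / search_space(alphabet_size, max_length)
```

The offline rows are the ones that matter only if the hashes themselves are stolen, which is the point the next reply makes.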

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Forum Software Updated: Show Password Strength

Post by Mudpuppy » Sat Jun 09, 2012 7:56 pm

To attempt to answer your questions:

Hash - The result of a cryptographic one-way (also called trap-door) function is called a hash. The password is given to the cryptographic hash function and the function spits out the hash. The original password should not be deducible from the resulting hash string (that's the one-way nature).

Salted Hash - The cryptographic hash function is given your password plus something else (the "salt"). This means if you and I both have the same password, but we have different salts, our hashes will be different because the input to the cryptographic hash function will be different. Salts also make it harder to pre-compute "guess"+"hash of guess" tables (called "rainbow tables") because the addition of a salt means there are x different hashes for the same guess (where x is the total number of possible values for the salt).

Online password cracking - The attacker tries passwords on the website, remote server, etc. and sees if the login is successful. The success of this attack is very low as most servers will lock out login attempts after x failures. However, if the attacker doesn't care WHO he compromises (like the guy who was recently trying to break into the accounts here), he can just try the same common passwords across all accounts, hoping that he gets into one of them before the system locks him out. Again, that's how a couple of accounts on this website were compromised a few weeks ago.

Offline password cracking - This is the big concern when it comes to passwords. Someone can test a guess of your password by passing the guess (plus the salt if using salted passwords) to the cryptographic hash function and comparing the resulting hash to your password hash. Once they've found a match, they've found either your original password or something called a "collision" (which is just another password that just happens to have the same hash as yours, which happens from time to time). Offline password cracking can only happen when the attacker uses some other vulnerability to "steal" the password hashes from the server (e.g. the Sony or LinkedIn or several other compromises).

Currently, a single GPU offline password cracker can guess and test somewhere between 100,000 and a few billion passwords per second (depending on the nature of the GPU). However, it is fairly easy to make a multi-GPU rig using commercial hardware. These are called GPU clusters. The latest claim to fame from one of these GPU clusters is 33 billion tests per second (and that's from a few months ago so the record is due to be broken again any day now). As GPUs advance and as people keep parallelizing GPUs into larger clusters, the test rate of an individual GPU cluster will increase. And if you can divide the stolen list of password hashes among many people with a similar GPU cluster, then you can scale the attempt between all of them.

But keep in mind that all of this scariness only happens if the attacker can steal the password hashes from the server in the first place. This is more likely to happen with recreation sites like LinkedIn or Sony gaming websites. For financial websites, any such compromise would cause consumer protection rules to come into play to limit the fiscal damage to the affected customers. That's why it's important to not reuse passwords, because you don't want them to get your Vanguard password because you also used it at LinkedIn.

This is getting much longer than I intended. The long and short of it is: use different passwords for different sites/servers, use a strong password so you don't fall victim to a distributed online hack attempt (where they don't care who they compromise, they just want an account... like the recent attempt on Bogleheads), and never believe it if someone asks you for your password (no matter how good their reason seems) out of the blue.
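The hash, salted hash and offline-cracking explanations above, worked through in code. This is an added example, not anything from phpBB or from the poster; it uses PBKDF2-HMAC-SHA256 from Python's standard library as the one-way function (the iteration count is my choice for the demo), and the two "users", their shared password and the short guess list are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 round count; assumed value for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way function: password plus salt in, fixed-size digest out.
    The password cannot be recovered from the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(password: str) -> tuple:
    """What a server stores: a fresh random salt and the resulting hash, never the password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def precompute_table(guesses, salt: bytes) -> dict:
    """Stand-in for a rainbow table: hash of guess -> guess, for one salt value.
    With no salt (b"") one table serves against every user's hash."""
    return {hash_password(g, salt): g for g in guesses}


def demo() -> dict:
    pw = "correct horse battery staple"        # two users who chose the same password
    guesses = ["password", "123456789", pw]   # constructed guess list
    # Unsalted storage: identical passwords give identical hashes, and a single
    # precomputed table matches both users at once.
    u1, u2 = hash_password(pw, b""), hash_password(pw, b"")
    table = precompute_table(guesses, b"")
    # Salted storage: each user gets a fresh salt, so the hashes differ and a table
    # built for one user's salt says nothing about any other user.
    s1, h1 = register(pw)
    s2, h2 = register(pw)
    table_for_s1 = precompute_table(guesses, s1)
    return {
        "unsalted_hashes_equal": u1 == u2,
        "unsalted_table_hits_both": u1 in table and u2 in table,
        "salted_hashes_differ": h1 != h2,
        "salted_table_hits_other_user": h2 in table_for_s1,   # False: wrong salt
        "login_ok": verify(pw, s1, h1),
        "wrong_password_rejected": not verify("Correct horse battery staple", s1, h1),
    }
```

The iterated function also makes each guess cost tens of thousands of hash operations, which is what lowers the per-second rates quoted for GPU rigs against plain single-round hashes.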

zaplunken
Posts: 911
Joined: Tue Jul 01, 2008 9:07 am

Re: Forum Software Updated: Show Password Strength

Post by zaplunken » Sun Jun 10, 2012 9:51 pm

Thanks Mudpuppy. I pretty much followed that, some I get but some is still confusing. Based upon your last paragraph I think my passwords are strong and since I use unique passwords at important sites I think I'm ok. The only places I use the same simplistic password is bulletin boards where I don't see how I could be harmed other than a lot of bad posts made under my userid or pm's could be sent.

Lollytiger
Posts: 164
Joined: Sun May 08, 2011 10:12 pm

Re: Forum Software Updated: Show Password Strength

Post by Lollytiger » Sun Jun 10, 2012 10:38 pm

If you use different passwords at each site and your important passwords are strong, that is enough. Mudpuppy's explanation is really good.

Bongleur
Posts: 2066
Joined: Fri Dec 03, 2010 10:36 am

Re: Forum Software Updated: Show Password Strength

Post by Bongleur » Mon Jun 11, 2012 12:44 am

>This is an open source software modification supported by the phpBB community.

So now whoever put the back door in the checking software knows what your password is...
Seeking Iso-Elasticity. | Tax Loss Harvesting is an Asset Class. | A well-planned presentation creates a sense of urgency. If the prospect fails to act now, he will risk a loss of some sort.

LadyGeek
Site Admin
Posts: 47382
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Forum Software Updated: Show Password Strength

Post by LadyGeek » Mon Jun 11, 2012 9:35 pm

All modifications approved (released) by the phpBB community comply with phpBB development standards and have undergone a comprehensive validation process, which includes security.

phpBB is the most widely used open source bulletin board system in the world. Click on the phpBB link at the bottom of every page for more info.

Mudpuppy: Your insightful explanations are clear and easy to understand. Job well done, thanks.

MathWizard
Posts: 2957
Joined: Tue Jul 26, 2011 1:35 pm

Re: Forum Software Updated: Show Password Strength

Post by MathWizard » Tue Jun 12, 2012 11:19 am

The password strength is a good addition, but if you watch the address bar, the login
page shows
http://
rather than
https://

This means that the information, login name and password are being
passed plain-text, rather than being encrypted by SSL (secure socket layer).

Since this is a forum, hopefully nobody is sending sensitive information, but since
this is a discussion about password strength, I would add that any password sent
plain-text should never be used for a secured (https://) website.

I know that a certificate would be needed, which would cost money, so I assume that
this is why it is not done.

I would suggest warning people not to reuse any password that is sent to a site starting with
http://
for any site that uses
https://
and not to send any sensitive information to a page that does not start with
https://

References:

http://blogsecurity.net/wordpress/article-220807
http://www.digitalpurview.com/http-vs-https/
http://en.wikipedia.org/wiki/HTTP_Secure
http://www.snopes.com/computer/internet/https.asp

zaplunken
Posts: 911
Joined: Tue Jul 01, 2008 9:07 am

Re: Forum Software Updated: Show Password Strength

Post by zaplunken » Tue Jun 12, 2012 11:51 am

This is why I said I did this and hopefully others will do the same -
So I took my actual Vg password and substituted the same type of characters for all 10 positions, i.e., say my password was K1@nU9=fX3, I used G9(bY7!sL8, so I have the caps and lower, numbers and special characters the same in each position.
This allows you to test your actual password by using the same type of characters as your real password. I did this here and at the GPU site.

LadyGeek
Site Admin
Posts: 47382
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Forum Software Updated: Show Password Strength

Post by LadyGeek » Tue Jun 12, 2012 12:52 pm

MathWizard wrote: Since this is a forum, hopefully nobody is sending sensitive information, but since this is a discussion about password strength, I would add that any password sent plain-text should never be used for a secured (https://) website

I know that a certificate would be needed, which would cost money, so I assume that this is why it is not done.
In addition to the cost of a certificate, https:// is not a substitute for a poor password. See Alex Frakt's explanation: https access to bogleheads.org?

af895
Posts: 116
Joined: Sat Feb 18, 2012 10:15 pm

Re: Forum Software Updated: Show Password Strength

Post by af895 » Wed Jun 13, 2012 6:28 am

XKCD did a comic on password strength you might find amusing and enlightening:

http://xkcd.com/936/

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Forum Software Updated: Show Password Strength

Post by Mudpuppy » Thu Jun 14, 2012 12:20 am

Bongleur wrote: >This is an open source software modification supported by the phpBB community.

So now whoever put the back door in the checking software knows what your password is...
You're already typing your password into the phpBB dialog box to log in. The software already processes your password to compare to the user database. If you don't trust the phpBB software with respect to your forum password, the only option is to never make an account on phpBB forums.

And correct horse battery staple is a classic now. A recent capture the flag contest I was involved in had a password based off that phrase as one of the flags (something like right unicorn capacitor paperclip).

Bongleur
Posts: 2066
Joined: Fri Dec 03, 2010 10:36 am

Re: Forum Software Updated: Show Password Strength

Post by Bongleur » Thu Jun 14, 2012 2:55 am

Mudpuppy wrote: And correct horse battery staple is a classic now. A recent capture the flag contest I was involved in had a password based off that phrase as one of the flags (something like right unicorn capacitor paperclip).
Bar Bar Bar garble mungle barfblip ???

LadyGeek
Site Admin
Posts: 47382
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Forum Software Updated: Show Password Strength

Post by LadyGeek » Mon Sep 03, 2012 8:28 pm

Bumping thread for those who would like to change their passwords.

tetractys
Posts: 4596
Joined: Sat Mar 17, 2007 3:30 pm
Location: Along the Salish Sea

Re: Forum Software Updated: Show Password Strength

Post by tetractys » Mon Sep 03, 2012 8:55 pm

¿Can our esteemed tech team?

1st. Modify the password reset so that all new passwords must be strong?
2nd. Reset all passwords, since there's probably lots of users that are still vulnerable, dormant, or both?

I would be more than happy to comply; and I'm sure all our good forum members would be as well. -- Tet
