ZDNet UK


Strong passwords a must for web apps

Leonardo Esposito Builder.com

Published: 25 Mar 2003 14:58 GMT


Sure, passwords alone can't secure your Web-based system. But you can still take measures to make them more effective. For one thing, you can build in some functionality that forces your users to adopt strong passwords. You can also carefully consider where you store those passwords and take advantage of encryption classes to protect them.

Strong passwords
Don't dismiss the importance of using strong passwords. Sometimes, passwords are the only barrier between hackers and a series of potentially harmful operations. Strong passwords meet at least the following requirements:

  • They're at least eight characters long; 12 or more is better.
  • They contain elements from any of the following groups: lowercase letters, uppercase letters, nonalphanumeric symbols (punctuation, *, #, $, and so forth), and digits.
  • They expire frequently -- every 90 days or sooner.

Password history and other constraints
You can require as policy that a password history be maintained to prevent the same password from being renewed over and over. Other, stricter rules are also possible, such as requiring certain elements to appear in specific positions within the password.
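The length, character-group, expiry and history rules described above, put together in one server-side policy check. This is an added example, not code from the original article; the thresholds (8 characters minimum, 3 of 4 character groups, 90-day expiry, 5-entry history) and the PBKDF2 storage format are assumptions chosen to match the text, and the `account` dictionary is a stand-in for whatever store the application uses.

```python
import hashlib
import hmac
import os
import string
from datetime import date

# Policy constants (assumed values, matching the article's recommendations)
MIN_LENGTH = 8          # article: at least eight characters
MIN_GROUPS = 3          # require characters from at least three of the four groups
MAX_AGE_DAYS = 90       # article: expire every 90 days or sooner
HISTORY_DEPTH = 5       # number of previous password hashes kept to block reuse
PBKDF2_ROUNDS = 100_000

GROUPS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),   # *, #, $ and so forth
}


def check_strength(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {name for name, chars in GROUPS.items() if any(c in chars for c in password)}
    if len(present) < MIN_GROUPS:
        problems.append(f"uses only {len(present)} character group(s); {MIN_GROUPS} required")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the application stores (salt, digest), never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def new_account():
    # "history" holds the most recent (salt, digest) pairs, newest first
    return {"history": [], "changed_on": None}


def set_password(account, new_password, today):
    """Apply strength and history rules; on success store the hash and return []."""
    problems = check_strength(new_password)
    if any(matches(new_password, salt, digest) for salt, digest in account["history"]):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    account["history"] = ([hash_password(new_password)] + account["history"])[:HISTORY_DEPTH]
    account["changed_on"] = today
    return []


def password_expired(account, today):
    """True when the password was never set or is MAX_AGE_DAYS old or older."""
    if account["changed_on"] is None:
        return True
    return (today - account["changed_on"]).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    acct = new_account()
    print(set_password(acct, "abcdefgh", date(2003, 3, 25)))      # rejected: one character group
    print(set_password(acct, "Tr0ub4dor&3", date(2003, 3, 25)))   # accepted
    print(set_password(acct, "Tr0ub4dor&3", date(2003, 4, 1)))    # rejected: in history
    print(password_expired(acct, date(2003, 6, 23)))              # True, 90 days later
```

The history check works on stored hashes rather than plaintext, so enforcing it costs nothing extra in what the server keeps: the same salted digests used for login also answer "was this password used recently".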

Of course, longer or more complex passwords do not eliminate the risk of brute-force attacks, in which hackers try all possible combinations of characters to guess the right password. Still, the longer the password is, the more time it will take to crack. This fact, combined with an effective auditing policy, should significantly increase the likelihood of detecting the attack.

Look at the numbers
If you're not convinced of the importance of strong passwords, have a look at Table A, which shows the possible combinations of strings that a brute-force attack must walk through to guess a password. Let's say that you think a five-character password consisting only of lowercase or uppercase letters will suffice. Given a 26-letter alphabet, the number of five-character substrings is obtained through the following formula, in which the ! symbol denotes the factorial of the number:

26! / ((26 - 5)! * 5!)

The table shows how the number of combinations changes according to the alphabet and the password length.

Table A: Number of combinations

Alphabet                                       Password length   Combinations to guess
Only lowercase (or uppercase), 26 characters   5                 65,780
Only lowercase (or uppercase), 26 characters   6                 230,230
Lowercase and uppercase, 52 characters         5                 2,598,960
Lowercase and uppercase, 52 characters         6                 20,358,520

A hacker would probably employ an optimised combinatorial algorithm, making the effective number of attempts even smaller. However, my goal here is to show the order of magnitude by which your password security grows if you only make the password longer or add an extra group of characters.
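The counts from Table A, reproduced with the article's factorial formula, as an added example that is not part of the original article. It goes one step further than the text: the formula counts unordered selections of distinct characters, whereas a brute-force search that allows repeated characters and cares about order must walk through alphabet_size ** length candidates, which is the figure a defender should use when estimating how long an exhaustive attack takes at a given guess rate. The guess rate in the usage example is an assumed illustrative value, not a measurement.

```python
from math import factorial

# (label, alphabet size, password length) rows from Table A in the article
TABLE_A = [
    ("Only lowercase (or uppercase)", 26, 5),
    ("Only lowercase (or uppercase)", 26, 6),
    ("Lowercase and uppercase", 52, 5),
    ("Lowercase and uppercase", 52, 6),
]


def combinations(alphabet_size, length):
    """The article's formula: n! / ((n - k)! * k!), i.e. unordered selections without repeats."""
    return factorial(alphabet_size) // (factorial(alphabet_size - length) * factorial(length))


def brute_force_candidates(alphabet_size, length):
    """Every ordered string of the given length over the alphabet, repeats allowed."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time for an attacker trying every candidate at a fixed rate."""
    return brute_force_candidates(alphabet_size, length) / guesses_per_second


def build_table(rows=TABLE_A):
    """Return one dict per row with both the article's count and the full search space."""
    return [
        {
            "alphabet": label,
            "size": n,
            "length": k,
            "combinations": combinations(n, k),
            "candidates": brute_force_candidates(n, k),
        }
        for label, n, k in rows
    ]


if __name__ == "__main__":
    rate = 1_000_000  # assumed guesses per second, for illustration only
    for row in build_table():
        print(f"{row['alphabet']:<30} {row['size']:>3} chars, length {row['length']}: "
              f"{row['combinations']:>12,} combinations, "
              f"{row['candidates']:>15,} candidates, "
              f"{seconds_to_exhaust(row['size'], row['length'], rate):>10.1f} s worst case")
```

Adding one character or one character group multiplies the candidate count rather than adding to it, which is the order-of-magnitude effect the article is pointing at; the table built here makes that multiplication visible next to the original combination counts.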
