October 7, 2016 level13

Are your forms discouraging secure passwords?

I signed up for an account on a website today, nothing unusual about that, but the signup form highlighted something of a problem – password restriction. I had attempted to sign up with a password of 20 characters and I got back an error telling me the password field is limited to 12 characters. Say whaaaaat? So let me get this straight, you’re going to force me to use a less secure password because your form and presumably database storage can’t cope with a password longer than 12 characters. Oh boy. Several alarm bells are ringing and I haven’t even gotten to the part where, upon having completed my signup, I was informed I would receive a copy of my username and password via email. Let’s break this down:

Password length

I’m going to use howsecureismypassword.net to demonstrate how longer passwords are more secure. Enter a password into howsecureismypassword.net and it tells you how long a computer would take to crack it.

Length  Password               Time to crack              Entropy
1       a                      7 HUNDRED PICOSECONDS
2       aj                     17 NANOSECONDS             4.6 bits
3       ajl                    4 HUNDRED NANOSECONDS      9.2 bits
4       ajlb                   11 MICROSECONDS            13.8 bits
5       ajlbo                  3 HUNDRED MICROSECONDS     17.7 bits
6       ajlbot                 8 MILLISECONDS             21.9 bits
7       ajlbotd                2 HUNDRED MILLISECONDS     26.6 bits
8       ajlbotds               5 SECONDS                  31 bits
9       ajlbotdsg              2 MINUTES                  35.6 bits
10      ajlbotdsgp             59 MINUTES                 40.3 bits
11      ajlbotdsgpm            1 DAY                      45 bits
12      ajlbotdsgpmt           4 WEEKS                    49.6 bits
13      ajlbotdsgpmtf          2 YEARS                    54.3 bits
14      ajlbotdsgpmtfu         51 YEARS                   58.4 bits
15      ajlbotdsgpmtfuy        1 THOUSAND YEARS           63.1 bits
16      ajlbotdsgpmtfuye       35 THOUSAND YEARS          67.5 bits
17      ajlbotdsgpmtfuyew      898 THOUSAND YEARS         72.1 bits
18      ajlbotdsgpmtfuyewh     23 MILLION YEARS           76.6 bits
19      ajlbotdsgpmtfuyewhk    607 MILLION YEARS          81.3 bits
20      ajlbotdsgpmtfuyewhkp   16 BILLION YEARS           85.9 bits

In this example I’ve used random letters, all in lowercase, and you can see how the time to crack the password grows with every additional character. I’ve also included the entropy of each password; I suggest you read this blog post to understand what it means, but in terms of passwords it’s a measure of how many trials a hacker would need, on average, to guess it correctly. In other words, the higher the entropy, the harder a password is to crack.
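The growth in the table follows directly from the entropy formula. As an added illustration (not code from the original post or from howsecureismypassword.net, whose exact model is not published here), the script below uses the simple uniform model, entropy = length × log2(charset size), an assumed guess rate of 10^10 per second, and shows that a 12-character cap places a hard ceiling on the entropy any user can reach:

```python
import math

# Uniform-random model: every character is drawn independently from a set
# of charset_size symbols, so entropy = length * log2(charset_size).
LOWERCASE = 26             # the model used by the table above (a-z only)
PRINTABLE_ASCII = 95       # assumption: all 95 printable ASCII characters
GUESSES_PER_SECOND = 1e10  # assumed offline guess rate against a fast hash


def entropy_bits(length: int, charset_size: int = LOWERCASE) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def expected_trials(bits: float) -> float:
    """Average number of guesses: half of the 2**bits keyspace."""
    return 2.0 ** bits / 2


def seconds_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds until the expected number of guesses is reached at `rate`."""
    return expected_trials(bits) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2e} seconds"


def length_cap_ceiling(max_length: int, charset_size: int) -> float:
    """Highest entropy any password can reach under a maximum-length rule.
    Whatever the user types, a cap of 12 bounds the achievable entropy."""
    return entropy_bits(max_length, charset_size)


if __name__ == "__main__":
    print("len  bits   expected time to crack (lowercase only)")
    for n in range(1, 21):
        b = entropy_bits(n)
        print(f"{n:>3}  {b:5.1f}  {human_time(seconds_to_crack(b))}")
    cap = length_cap_ceiling(12, PRINTABLE_ASCII)
    print(f"cap of 12 with printable ASCII: at most {cap:.1f} bits")
```

Each extra lowercase character multiplies the expected cracking time by 26, which is why the table's times climb from weeks to billions of years between 12 and 20 characters.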

Password storage

I have to wonder if the storage of the password, and I’m going to assume here that it’s in a database like MySQL, is also restricted. If the password field in MySQL is, let’s say, a VARCHAR(30) then it should be fine for storing a 12-character password, but only if the password is stored as is, that is, in plain text. A quick note on VARCHAR: I chose the size of 30 as it’s not the number of characters it stores but the number of bytes. For example, ASCII uses 1 byte per character, utf8 uses 3 bytes per character, and utf8mb4 uses 4 bytes per character.

I shouldn’t really have to point out what’s wrong with storing passwords in plain text; there have been more than enough examples of high profile websites being hacked and passwords leaked online for anyone to see the potential problem. I would hope that any website that stores passwords protects them with at least one-way encryption (hashing) and a dash of salt (this adds a string of random characters to the beginning or end of a password before it is hashed). Now I did mention that this website said they would send me my username and password via email for ‘safe keeping’. It is possible that they construct the email from the values posted from the form and only then hash the password, but it is also possible that they retrieve those details from their database, which would mean the passwords are not secured.
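The storage problem disappears once passwords are hashed, because the stored record has a fixed size no matter how long the password is. As an added example (not the website's code and not from the original post), the snippet below stores a salted PBKDF2-HMAC-SHA256 record and verifies against it; the record format and the iteration count are assumptions for illustration:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. Tune the iteration count to your
# hardware; current guidance for PBKDF2-HMAC-SHA256 is several hundred thousand.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'algorithm$iterations$salt$hash' (base64).

    A fresh random salt is generated unless one is supplied (tests only).
    The record is the same length whether the password is 1 or 1000
    characters, so the database column never constrains password length."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:          # malformed record, e.g. a plaintext value
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def record_length(password: str) -> int:
    """Length of the stored record for a given password (always the same)."""
    return len(hash_password(password))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple and then some")
    print(record)  # this, never the password itself, is what gets stored
    print(verify_password("correct horse battery staple and then some", record))
    print(record_length("a"), record_length("x" * 200))  # identical lengths
```

With this scheme a VARCHAR column sized for the record (here 90 characters) holds any password the user chooses, and there is nothing in the database that could be emailed back to the user.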

Any website that stores users’ passwords should take their password policy and storage methods seriously. I use a password manager to create and store unique passwords for every website I use, so if one password is compromised they’d only gain access to that one website. Still not great, though, as the situation shouldn’t arise in the first place. It also brings me onto another gripe: don’t disable copy and paste functions on password fields! It makes life hard for anyone trying to copy and/or paste to and from a password manager program. I don’t understand why anyone would make life harder for a user by forcing them to type in their super secure 30-character password instead of letting them paste it in. We need to be encouraging users to use secure passwords and password managers, not the opposite.
