Posted to user@shiro.apache.org by Tauren Mills <ta...@groovee.com> on 2011/02/15 03:57:42 UTC

Password validation and strength detection

This is slightly off-topic, but since most of the users on this list deal
with security, I thought someone might be able to help. I'm looking for a
smart password validation implementation to draw inspiration from. Even
better if it calculates password strength.

I'm not expecting it to perfectly meet my needs, so it doesn't need to be a
packaged jar file or anything. I'm just looking for some code that does some
intelligent password checks, perhaps including length, presence of
upper/lowercase letter, presence of alpha and numeric characters, presence
of symbols, dictionary checks, and so forth. I don't want to make something
too restrictive that my users have to write their password on something to
remember it, but I do want to rule out stupid passwords like "password",
"pass1234", etc.

I'm using Hibernate Validator, and am building a custom ConstraintValidator
to verify that the supplied password is deemed "strong" enough. So the
validator will calculate a "password strength" of 0 to 100% and return valid
if the strength is X% or higher (maybe 80%?). If the password is lower, then
the validator fails and it returns the calculated strength in the
ConstraintViolation object so it could be used by my UI.

I'm implementing something simple right now, but if any useful code exists,
it would be nice to check it out.

Thanks in advance!
Tauren

Re: Password validation and strength detection

Posted by Tauren Mills <ta...@groovee.com>.
Agreed 100%

Speed is the main reason I didn't include dictionary tests. But if Shiro
made this stuff easy and fast, I certainly would have!

Tauren
On Feb 16, 2011 8:02 AM, "Les Hazlewood" <lh...@apache.org> wrote:
> Nice! Thanks for the pointers Tauren.
>
> It's good that they have dictionary search capability. In my
> (cursory) research, this is the only way to have decent strength
> verification. You can come up with mathematical models representing #
> of combinations of characters and such, but all of the ones I've seen
> publicly available at least fail with simple 'L33T'-speak words.
>
> For example, @dm1nP@sSw0rd! is a 14-character word, almost double the
> usual 8 character minimum, and it contains letters, numbers,
> punctuation and symbols. However something like this would easily
> succumb to a password cracker.
>
> Something needs to be created that can transform things like this back
> to 'real' words, and then run those through a dictionary search. Not
> easy stuff when you need to ensure the check is fast...
>
> Cheers,
>
> Les

Re: Password validation and strength detection

Posted by Les Hazlewood <lh...@apache.org>.
Nice!  Thanks for the pointers Tauren.

It's good that they have dictionary search capability.  In my
(cursory) research, this is the only way to have decent strength
verification.  You can come up with mathematical models representing #
of combinations of characters and such, but all of the ones I've seen
publicly available at least fail with simple 'L33T'-speak words.

For example, @dm1nP@sSw0rd! is a 14-character word, almost double the
usual 8 character minimum, and it contains letters, numbers,
punctuation and symbols.  However something like this would easily
succumb to a password cracker.

Something needs to be created that can transform things like this back
to 'real' words, and then run those through a dictionary search.  Not
easy stuff when you need to ensure the check is fast...

Cheers,

Les
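Les's transform-then-lookup idea, written out as an added example (this is not code from the thread or from Shiro): map common leet substitutions back to letters, drop everything that is not a letter, then look for dictionary words inside the result. The substitution table and the tiny word list are my own constructed choices; a real check would load a cracklib-style word list.

```java
import java.util.*;

/** Leet-speak normalization plus dictionary lookup; added example, not thread code. */
class LeetDictionaryCheck {
    // One plausible mapping; ambiguous characters ('1' as i or l) are resolved to one letter here.
    private static final Map<Character, Character> LEET = new HashMap<>();
    static {
        LEET.put('@', 'a'); LEET.put('4', 'a'); LEET.put('3', 'e'); LEET.put('1', 'i');
        LEET.put('!', 'i'); LEET.put('0', 'o'); LEET.put('$', 's'); LEET.put('5', 's');
        LEET.put('7', 't'); LEET.put('|', 'l');
    }

    // Constructed mini word list standing in for a real dictionary file.
    private static final Set<String> WORDS = new HashSet<>(Arrays.asList(
            "admin", "password", "pass", "word", "letmein", "welcome", "qwerty", "shiro"));

    private static final int MIN_WORD = 4;   // ignore hits shorter than this ("at", "an", ...)

    /** Map leet characters back to letters, lowercase the rest, drop anything non-alphabetic. */
    static String normalize(String password) {
        StringBuilder sb = new StringBuilder();
        for (char c : password.toCharArray()) {
            Character mapped = LEET.get(c);
            char out = mapped != null ? mapped : Character.toLowerCase(c);
            if (out >= 'a' && out <= 'z') sb.append(out);
        }
        return sb.toString();
    }

    /** Dictionary words (length >= MIN_WORD) found as substrings of the normalized password. */
    static List<String> dictionaryHits(String password) {
        String n = normalize(password);
        List<String> hits = new ArrayList<>();
        // Passwords are short, so the quadratic substring scan stays fast against a HashSet.
        for (int i = 0; i < n.length(); i++)
            for (int j = i + MIN_WORD; j <= n.length(); j++)
                if (WORDS.contains(n.substring(i, j))) hits.add(n.substring(i, j));
        return hits;
    }

    public static void main(String[] args) {
        // Les's example, the original poster's example, and a constructed random-looking one.
        for (String pw : new String[]{"@dm1nP@sSw0rd!", "pass1234", "x9Q#kL2pVm"}) {
            System.out.println(pw + " -> " + normalize(pw) + " hits=" + dictionaryHits(pw));
        }
    }
}
```

A non-empty hit list is the signal to reject or penalize the password even when its length and character mix look fine.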

Re: Password validation and strength detection

Posted by Tauren Mills <ta...@groovee.com>.
Ah, yes you're right! Just the VT webapps are GPLv3, not the java libraries.
Good to know...


On Tue, Feb 15, 2011 at 11:56 PM, Luis Arias <ka...@gmail.com> wrote:

> It looks like these are dual licensed LGPL and Apache 2 not GPLv3.
> Interesting!
>
> Luis
>
> On Wed, Feb 16, 2011 at 4:01 AM, Tauren Mills <ta...@groovee.com> wrote:
> > Les,
> > Thanks for the great advice! I'll check out the passpack UI for ideas. I
> > only saw the picture of it on the home page so far, but I get the
> concept.
> > I was also going to respond to this thread about a Java library from
> > Virginia Tech that I located. It really simplifies password validation.
> I've
> > already integrated it into my application and am having no issues with
> it.
> > You may wish to check it out, as it could be inspirational:
> > http://code.google.com/p/vt-middleware/wiki/vtpassword
> > They also have a vtdictionary package so that passwords can be tested
> > against various dictionaries with lots of various options. I'm not using
> > this feature yet.
> > http://code.google.com/p/vt-middleware/wiki/vtdictionary
> > The VT packages are licensed using GPLv3, so I'm not sure how compatible
> > they are with Shiro's Apache license.
> ...
>

Re: Password validation and strength detection

Posted by Luis Arias <ka...@gmail.com>.
It looks like these are dual licensed LGPL and Apache 2 not GPLv3.
Interesting!

Luis

On Wed, Feb 16, 2011 at 4:01 AM, Tauren Mills <ta...@groovee.com> wrote:
> Les,
> Thanks for the great advice! I'll check out the passpack UI for ideas. I
> only saw the picture of it on the home page so far, but I get the concept.
> I was also going to respond to this thread about a Java library from
> Virginia Tech that I located. It really simplifies password validation. I've
> already integrated it into my application and am having no issues with it.
> You may wish to check it out, as it could be inspirational:
> http://code.google.com/p/vt-middleware/wiki/vtpassword
> They also have a vtdictionary package so that passwords can be tested
> against various dictionaries with lots of various options. I'm not using
> this feature yet.
> http://code.google.com/p/vt-middleware/wiki/vtdictionary
> The VT packages are licensed using GPLv3, so I'm not sure how compatible
> they are with Shiro's Apache license.
...

Re: Password validation and strength detection

Posted by Tauren Mills <ta...@groovee.com>.
Les,

Thanks for the great advice! I'll check out the passpack UI for ideas. I
only saw the picture of it on the home page so far, but I get the concept.

I was also going to respond to this thread about a Java library from
Virginia Tech that I located. It really simplifies password validation. I've
already integrated it into my application and am having no issues with it.
You may wish to check it out, as it could be inspirational:
http://code.google.com/p/vt-middleware/wiki/vtpassword

They also have a vtdictionary package so that passwords can be tested
against various dictionaries with lots of various options. I'm not using
this feature yet.
http://code.google.com/p/vt-middleware/wiki/vtdictionary

The VT packages are licensed using GPLv3, so I'm not sure how compatible
they are with Shiro's Apache license. Also, the library does nothing to help
with setting weights on different criteria for doing any sort of password
strength calculation. I'm thinking the classes could be subclassed to
include weights and perform strength tests, but I really haven't thought
about it much. At the moment, I've decided to skip a strength meter,
although at some point I'd really like to implement one.

When it comes to passwords, I'm of the mindset that they shouldn't be so
restrictive that users cannot remember them. The system needs to be somewhat
lenient or users will write them on stickies and things will be even less
secure. But running passwords through some basic tests and having some
requirements such as at least one or two uppercase letters, numbers, or symbols
is good. I'd even be inclined to run the password through some sort of
cracklib-like dictionary test to see if it easily fails.

I would certainly like to see a PasswordService be part of Shiro. Perhaps
some ideas could be borrowed from the VT library to get it started?

Thanks again,
Tauren


On Tue, Feb 15, 2011 at 6:01 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi Tauren,
>
> I don't have any code for this, but one example I'm happy with that I
> think is an 'ideal' to base code upon is Passpack's
> (http://www.passpack.com) password functionality.  Passpack is an
> online password manager that allows you to create (and maintain) very
> complex passwords without having to remember them  (side note:  I'm
> not affiliated in any way with Passpack - I'm just a happy end-user).
>
> Unfortunately they don't make their strength indicator algorithms
> available, but I suggest that you take a look at their UI for ideas.
>
> Anyway, when generating a password, you can choose 1 or more character
> groups (lowercase chars, uppercase chars, punctuation, etc) and a
> length.
>
> Based on the number of character groups you've chosen and the length
> you've specified, their strength indicator changes color (red:bad ->
> yellow:ok -> green:good).  To me, this is much nicer and easier to
> manage than depending upon, say, some crazy regular expression.
>
> I would venture that creating an algorithm based on length + # of
> character groups wouldn't be too hard.  I'd _love_ for this to be in
> Shiro - perhaps encapsulating these kinds of checks plus some help
> with hashing passwords.  Perhaps a new PasswordService?
>
> Anyway, I'll probably need to support something like this myself in
> the not too distant future, so I'd be happy to collaborate with anyone
> if they have any ideas.  Of course, patches to Shiro are very welcome!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com
>
> P.S.  We are also using Hibernate Validator at Katasoft as the
> implementation supporting JSR-303 bean validation annotations. (Note
> to those not familiar with it - it does not require Hibernate for
> persistence - it is a separate project by the Hibernate team).  I've
> really enjoyed using it - especially since Spring supports it!
>

Re: Password validation and strength detection

Posted by Les Hazlewood <lh...@apache.org>.
Hi Tauren,

I don't have any code for this, but one example I'm happy with that I
think is an 'ideal' to base code upon is Passpack's
(http://www.passpack.com) password functionality.  Passpack is an
online password manager that allows you to create (and maintain) very
complex passwords without having to remember them  (side note:  I'm
not affiliated in any way with Passpack - I'm just a happy end-user).

Unfortunately they don't make their strength indicator algorithms
available, but I suggest that you take a look at their UI for ideas.

Anyway, when generating a password, you can choose 1 or more character
groups (lowercase chars, uppercase chars, punctuation, etc) and a
length.

Based on the number of character groups you've chosen and the length
you've specified, their strength indicator changes color (red:bad ->
yellow:ok -> green:good).  To me, this is much nicer and easier to
manage than depending upon, say, some crazy regular expression.

I would venture that creating an algorithm based on length + # of
character groups wouldn't be too hard.  I'd _love_ for this to be in
Shiro - perhaps encapsulating these kinds of checks plus some help
with hashing passwords.  Perhaps a new PasswordService?

Anyway, I'll probably need to support something like this myself in
the not too distant future, so I'd be happy to collaborate with anyone
if they have any ideas.  Of course, patches to Shiro are very welcome!

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

P.S.  We are also using Hibernate Validator at Katasoft as the
implementation supporting JSR-303 bean validation annotations. (Note
to those not familiar with it - it does not require Hibernate for
persistence - it is a separate project by the Hibernate team).  I've
really enjoyed using it - especially since Spring supports it!
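The first post's plan (a Hibernate Validator ConstraintValidator that scores a password 0 to 100% and fails below a threshold such as 80%) combined with Les's length + number-of-character-groups scoring, as an added example that is not code from the thread, Shiro, or Hibernate Validator. The annotation name, the validator name and the point weights are my own choices; the computed score is handed back to the UI through the violation message template.

```java
import java.lang.annotation.*;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

// Constraint annotation (name and attributes are my own, not from the thread or Hibernate Validator).
@Documented
@Constraint(validatedBy = StrongPasswordValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface StrongPassword {
    String message() default "password is not strong enough";
    int minStrength() default 80;               // the "maybe 80%?" threshold from the first post
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class StrongPasswordValidator implements ConstraintValidator<StrongPassword, String> {
    private int minStrength;

    @Override
    public void initialize(StrongPassword constraint) { minStrength = constraint.minStrength(); }

    @Override
    public boolean isValid(String password, ConstraintValidatorContext ctx) {
        if (password == null) return true;      // absence is @NotNull's job, not this constraint's
        int strength = strength(password);
        if (strength >= minStrength) return true;
        // Replace the default message with one that carries the computed score for the UI.
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate(
                "password strength " + strength + "% is below the required " + minStrength + "%")
           .addConstraintViolation();
        return false;
    }

    /** Score = length (up to 16 chars, 4 points each) + character groups (9 points each), capped at 100. */
    static int strength(String pw) {
        int groups = 0;
        if (pw.matches(".*[a-z].*")) groups++;           // lowercase
        if (pw.matches(".*[A-Z].*")) groups++;           // uppercase
        if (pw.matches(".*[0-9].*")) groups++;           // digits
        if (pw.matches(".*[^A-Za-z0-9].*")) groups++;    // punctuation / symbols
        int lengthScore = Math.min(pw.length(), 16) * 4; // 64 points for 16+ characters
        int groupScore = groups * 9;                     // 36 points for all four groups
        return Math.min(100, lengthScore + groupScore);  // e.g. "password" -> 41, "pass1234" -> 50
    }
}
```

With these weights an 8-character password needs all four groups and still only reaches 68%, so a passing password is effectively 12+ characters with most groups present. Note that length and group counting alone rates Les's "@dm1nP@sSw0rd!" at 92%, which is exactly why he argues for layering a dictionary check on top.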