
What is the best way to secure passwords, so that hacking programs cannot fetch them through rainbow-table matching? I have read that all rainbow tables are length-limited, for instance with a 14-character limit imposed. Is this true?

 

Is the combination of crypt() + md5() + a prefix added to each password (to increase the password length) enough to add more security?


Tell me which password would be harder to guess:

 

smallpassword

areallylongpasswordwithlotsofoptions

 

Now, what really makes the passwords secure is a user picking a complex password. If I remember correctly (could be wrong), rainbow tables use a guess-and-check style approach. If all the passwords in the database are simple passwords like "mypassword", then the database will be vulnerable.

 

Your best option is to make sure that your users have strong passwords. For example, requiring their password be at least 8 characters, consisting of numbers, letters, and special characters. How far you run with that approach is up to you.

While this is an entertaining comic, it's not necessarily accurate to real-world scenarios. http://en.wikipedia.org/wiki/Password_strength

 

The point here is that more complex passwords secure against common passwords being guessed. As far as I know, there is no way to 100% secure against rainbow tables (except securing your database so that no one can download it) and simple passwords are likely to open up your entire database as they will probably be found first. Once they find one, they can typically find them all. Consider a database containing passwords with no complexity restrictions. It would likely be filled with these types of passwords: (http://www.cbsnews.com/8301-205_162-57539366/the-25-most-common-passwords-of-2012/) If I had access to a database with no restrictions on the password, I would go off of that list first and try those. If there is a password in there like those ones, it would likely be a very quick decoding of the passwords.

Edited by teynon
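An added example (not from this thread, and not PHP, but the hashing logic is the same as crypt()/md5()) showing in Python why a fixed prefix shared by every user, as proposed in the question, does not stop a precomputed table once the prefix is known, while a random per-user salt forces a fresh table per user. The word list and the prefix value are constructed for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for a "most common passwords" list (not real leaked data).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "mypassword", "Password1"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def precomputed_table(prefix: str = "") -> dict[str, str]:
    """One hash -> password table covering every common password.
    A fixed prefix known to the attacker only changes what gets precomputed."""
    return {md5_hex(prefix + p): p for p in COMMON_PASSWORDS}


def store_unsalted(password: str) -> str:
    return md5_hex(password)


def store_fixed_prefix(password: str, prefix: str) -> str:
    # The "prefix added to each password" idea: the same prefix for every user.
    return md5_hex(prefix + password)


def store_per_user_salt(password: str) -> str:
    # A random salt per user, stored beside the hash (shown here as salt$hash).
    salt = os.urandom(16).hex()
    return salt + "$" + md5_hex(salt + password)


def recovered_by_table(stored_hashes: list[str], table: dict[str, str]) -> int:
    """How many stored hashes a single precomputed table resolves."""
    return sum(1 for h in stored_hashes if h.split("$")[-1] in table)


def compare_schemes(users: list[str], prefix: str = "site-prefix") -> dict[str, int]:
    """Recoveries per scheme when the attacker holds one table per scheme
    (and, for the prefix scheme, already knows the prefix)."""
    plain = [store_unsalted(p) for p in users]
    prefixed = [store_fixed_prefix(p, prefix) for p in users]
    salted = [store_per_user_salt(p) for p in users]
    return {
        "unsalted": recovered_by_table(plain, precomputed_table()),
        "fixed_prefix": recovered_by_table(prefixed, precomputed_table(prefix)),
        # Even a table built with the right prefix misses salted hashes: the
        # attacker would have to recompute the whole list for every user.
        "per_user_salt": recovered_by_table(salted, precomputed_table(prefix)),
    }
```

A per-user salt only stops table reuse; md5 is still fast enough to recompute the common list per user, which is why a slow salted algorithm (bcrypt via PHP's password_hash()) is the usual answer to the question.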

Your argument has nothing to do with the point made by the comic. (Edit: in fact the wiki page you linked to only makes the comic's point. http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)*

 

A password of 4 random English words is MORE COMPLEX than an 8-character one with 4-5 rules, by virtue of its length.

 

My passwords are typically 50 characters+, and I can remember them. They contain only letters and punctuation. You cannot guess or brute force them.

 

You can force your users to use something stronger than password. If they're the type of person who would, they'll likely go with Password1 or end up writing it down. You can't make your users be smarter. You can however lock the account after 3-5 wrong guesses so someone can't brute force their password.

*It is usual in the computer industry to specify password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 2^42 attempts to exhaust all possibilities during a brute force search. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker's task twice as difficult. On average, an attacker will have to try half the possible passwords before finding the correct one.[2]

Edited by Jessica

Usually the rainbow tables will take effect after they've already compromised your database. Yes, you should always prevent multiple failed login attempts. You will always have users who use the shortest password they can think of. Requiring the user to use other symbols and numbers forces them to increase the complexity of their password. They often still want the passwords because that will enable them to access the website and any other website the user might be using the same password on.

 

I should probably clarify that I was pointing out the relevance to the rainbow tables in the original question. Perhaps we are arguing the same point, whereas I thought you were arguing against the user restrictions.

Edited by teynon