Your mighty user authentication mechanism, which you’ve spent countless hours developing and testing, and is now, theoretically, full-proof, will be rendered useless if you or your users choose to use weak passwords. Hence the need to enforce strong passwords.
Without going into to much explaining, what makes a weak password?
- password is short: the shorter the string, the easier to guess it, and the inherent drop in potential complexity only helps guessing: boob2 is a weak password.
- password contains common words: “dog”, “bread”, “bacon”, “concupiscence”, you name it. If the word can be found in a dictionary, it is a common word. Avoid l33t speak, too.
- password contains special words: the very user name, the name of the website/system where the password is being used
- one (upper or lower) case letters only: this automatically halves the potential complexity of the password string.
- no digits: there are no digits (0-9) in the password string.
- no special characters: there are no special characters (e.g., *^&£:]’) in the password string.
There are other criteria that might reduce the strength of the password, such as repeating characters, but they aren’t nearly as important as the ones above.
A strong password can be defined by “mirroring” the traits of a weak password. Therefore, a strong password:
- is long: ideally, at least 10 characters.
- does not contain common words (or words in general, for that matter), but meaningless character enumerations such as gdkopijlfe (strength 12%).
- does not contain special words (see above).
- contains both upper and lower case letters, i.e. gDkoPijLfe (strength 44%).
- contains digits: i.e., 1gDkoPijLfe9 (strength 86%)
- contains special characters: i.e., 1gD^koPi%jLfe9_ (strength 100%)
Testing password strength
The strength of the above password examples was tested using an online password strength checker. That is a good idea when you’re choosing a password for yourself.
However, you may want to implement a simple (yet effective) password strength checking mechanism for your system, to use in real-time when your users register.
The following concept can be employed, and is easy to code. It involves scoring the password string, based on four criteria. If a criterium is satisfied, score increases, otherwise no point is given. Minimum score is 1, maximum is 4 . There are four possible score values: 1 (very weak), 2 (weak), 3 (fairly strong), and 4 (strong). Give 1 point for each positive answer to the following queries:
- is password length equal or more than 10 characters?
- does password contain both upper and lower case letters?
- does password contain at least one digit?
- does password contain at least one special character?
This way, a password is strong only if it satisfies all four criteria. You can get “fairly strong” with three criteria, but do note that a password shorter than 4 characters cannot possibly meet all the other three criteria. Futhermore, although actual number of occurrences of upper and lower letters, digits and symbols can be secondary (at least one suffices), you should always enforce a suitable minimum length. Otherwise, users get away with, say, aB_5, which is a weak password (strength 32%).
Checking for common words would require the use of a dictionary. That is overkill and unnecessary, because you can
Enforce strong passwords
To enforce strong user passwords:
- use a built-in strength checker as the one described above, and only accept (fairly) strong (score 3 or 4) passwords
- make sure the password does not contain special words (user name, system/website name)
- alternatively, instead of allowing users to choose their password, automatically generate strong passwords for each user
Security matters are annoying from the users’ point of view. Users just want to create an account in seconds, using an ID and password that they can type blind-folded — because they’re engraved in their muscle memory (the result of using the same credentials in all their online activity), and start using your website.
They will definitely not appreciate several error messages on registration telling them they need to put at least one symbol in their password. They are very likely to simply walk away. This is especially true for websites that are just starting, and thus lack notoriety, hence the incentive to register no matter what is almost non-existent.
There are three things to be learned here:
- make sure that your registration form clearly states the password requirements (i.e., “must be at least 6 chars, and contain at least one digit”)
- for low-value systems (such as personal blogs) or systems that only allow for very limited user action (users are not permitted to actually add any significant content, or alter the system itself in any way, etc.), it may be more desirable to loosen the password requirements altogether (i.e. “password must be at least 6 chars long”)
- start with loose password requirements, and, after gaining momentum and an user base, enforce stronger passwords on new users, and force existing users to upgrade theirs