
What's the use of making users use digits, uppercase-lowercase combination password if the passwords are hashed?

January 18

Some websites, even StackOverflow, ask for at least 1 digit and 1 uppercase character in the password. Does this really matter when the developer uses a password-hash algorithm to store the passwords in the database?

I am building a project where security really matters, but the users stubbornly use weak passwords. I want to motivate them to use strong passwords by using rules that really matter and educating them about the reasons for such requirements.

Is it sufficient to prevent phone numbers, their own name or dictionary words? Why not?


Regardless of hashing, the inherent weakness of passwords is that they are chosen and remembered by humans. Humans are not good at such jobs. They will choose and remember passwords from a rather small set of possible passwords, namely words which "make sense" one way or another. An attacker with a computer can try all "plausible passwords" at the speed of his computer, which can be devilishly fast at that job (up to several billions per second with an off-the-shelf gaming PC). This is called a dictionary attack.

Requiring the addition of a digit and a mix of uppercase/lowercase letters is an attempt to force human users to enlarge their set of possible passwords. There are more possible passwords consisting of a meaningful word + one digit, than possible passwords consisting of a meaningful word (exactly ten times as many, actually).

(Such rules often backfire. When asking for an extra digit, most users will add a '1' and add it at the end, which means no enlargement of the set of possible passwords at all; and the extra length incites users to choose a shorter word from a shorter list, thus actually reducing the size of the set of potential passwords.)

Hashing is a second-layer defence system, meant to thwart attackers who could partially breach the server and got a peek at the database of stored passwords. The size of the set of potential passwords is important regardless of hashing. When the attacker has access to the hashed password, he can just run an offline dictionary attack, where each "try" is just a matter of computing the hash function. This makes the task easier for the attacker (instead of having to talk to the server for each try, which is an online dictionary attack) but it does not change the core concept, which is that users should use passwords from a large set.
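The offline dictionary attack this answer describes, as an added example that is not part of the original answer. It plays the attacker who holds a copy of the leaked password table (per-user salt and hash) and pays one hash computation per guess. The wordlist and the user records are constructed for the demo, and the hash format (SHA-256 over salt||password) is an assumption standing in for any fast, unstretched hash. The mangling rules mirror the point made above: appending one digit multiplies the candidate set by exactly ten, and the "1 at the end" habit means the attacker finds such passwords almost as quickly as the bare word.

```python
"""Offline dictionary attack with mangling rules against salted SHA-256 hashes.

Added example, not code from either answer. The attacker reads salt and hash
straight from the leaked table and tries candidates at hash speed.
WORDLIST and the user records are constructed; the hash format is an assumption.
"""
import hashlib
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for a real list of "plausible passwords".
WORDLIST = ["dragon", "letmein", "monkey", "sunshine", "football", "password"]


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Mangle each word the way users do to satisfy a digit+uppercase rule.

    For every word: the word itself, then word+digit, then the same with the
    first letter capitalised. Appending one digit multiplies the candidate set
    by exactly ten; capitalising the first letter doubles it again.
    """
    for word in words:
        for variant in (word, word.capitalize()):
            yield variant
            for digit in "0123456789":
                yield variant + digit


def fast_hash(password: str, salt: bytes) -> bytes:
    """One fast hash per try: this is the whole cost of an offline guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(password: str, salt: bytes) -> dict:
    """What the leaked table holds for one user: salt and hash, no plaintext."""
    return {"salt": salt, "hash": fast_hash(password, salt)}


def crack(record: dict, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of hashes computed).

    The salt is read from the record, so it does not slow down a targeted
    attack; it only forces the attacker to redo the work for every user
    instead of reusing one precomputed table.
    """
    tries = 0
    for cand in candidates(words):
        tries += 1
        if fast_hash(cand, record["salt"]) == record["hash"]:
            return cand, tries
    return None, tries


def candidate_count(words: Iterable[str]) -> int:
    """Size of the set the attacker must search with these mangling rules."""
    return sum(1 for _ in candidates(words))


if __name__ == "__main__":
    # Constructed users: Alice picked a dictionary word plus the usual "1".
    alice = make_record("Password1", salt=b"alice-salt-0001")
    bob = make_record("correct horse battery staple", salt=b"bob-salt-000002")
    print(crack(alice, WORDLIST))      # ('Password1', 124)
    print(crack(bob, WORDLIST))        # (None, 132)
    print(candidate_count(WORDLIST))   # 132 = 6 words * 2 cases * (1 + 10)
```

Alice's password falls in 124 hash computations because it sits inside the enlarged-but-still-tiny set the mangling rules generate; Bob's passphrase is simply not in the set, so the attacker exhausts all 132 candidates and learns nothing. Swapping SHA-256 for a slow key-derivation function changes the cost of each try, not the number of tries.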

Complexity still adds security. @Thomas Pornin is correct in his answer, but I'd like to provide a different way to think about it.

Assume that we are hashing. How resilient to attack is

  1. Upper/lower/special/symbols (about 84 potential values IIRC)?
  2. Upper/lower/numbers (64 symbols)?
  3. Hexadecimal numbers (16 symbols)?
  4. Decimal numbers (10 symbols)?
  5. binary numbers (2 symbols)?

Obviously case #5 is reductio ad absurdum; everyone should accept that 2 symbols are insufficient. We want the symbol set to be as complex as we can make it without imposing an undue penalty on users or other system elements.

There are three primary types of attack that can be done against hashes: brute-force attacks, dictionary attacks, and pre-computation attacks.

Brute-force attacks
A brute-force attack involves selecting a range of characters (e.g. lowercase and numbers) and computing the hash for every single possible permutation of those characters, for a range of password lengths. Each hash is compared against your target hash, and if it matches, the password has been found. For example, we might choose a-z A-Z 0-9 as our alphabet for passwords between 5 and 8 characters. Defending against such attacks is reliant on the computational cost of each hash operation, the alphabet needed to successfully attack the password, and the length of the password. Since modern technology allows for GPU-based acceleration of hashing, it is important to use a slow key-derivation function (e.g. PBKDF2 or bcrypt) instead of a single hash.

Dictionary attacks
Dictionary attacks involve running through a large list of pre-chosen words that are likely to be used as passwords. It is important to note that most dictionaries don't just include real dictionary words - they also include various pseudo-words and other values that are found in various database leaks and common password lists. These attacks are more efficient than brute-force attacks in general, because they focus on the kinds of passwords that humans choose rather than completely random values. Defending against such attacks almost entirely relies on not picking a common password or dictionary word.

Pre-computation attacks
Instead of computing hashes repeatedly and comparing them to the target hash, pre-computation attacks involve computing hashes for a set of chosen values (like a dictionary attack) and storing them in a file or database. Hash databases and rainbow tables are two common methods of doing this. This provides a very fast lookup of plaintext for any known hash, since it's just a case of looking up the hash in the index and returning the associated plaintext. This can be defended against by using a salt, i.e. a random value appended to the password before hashing. This makes computing rainbow tables for each possible salt value completely infeasible.

So, why are complicated passwords important? It depends, really. If you're doing password hashing properly, using PBKDF2 or bcrypt with a reasonable cost factor, complexity beyond not using common passwords isn't actually that important. It's more important to avoid dictionary words and common passwords, and complex passwords do usually offer that kind of protection. However, choosing a long and unusual non-dictionary password that is memorable (e.g. PolynomialLovesBacon) works just as well. If you do password hashing incorrectly (e.g. salted SHA1) you need a much stronger password to remain safe, because GPUs can compute tens of billions of hashes per second.

Of course, you're going to have to deal with the human aspects. I think one of the best things you can do is warn users if they use a common password, by storing a list of the ~2000 most common ones (you can get lists of these online) and checking against them. As long as you're properly hashing passwords, most users should be reasonably safe even in the case of a database leak.

Most of these attacks are based on the model of your site being hacked and your passwords stolen, e.g. via SQL injection, so it's important to adhere to secure coding practices and be aware of common vulnerabilities.
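The server-side storage this answer recommends, as an added example that is not part of the original answer: a slow key-derivation function with a random per-user salt (so rainbow tables have nothing to precompute against), constant-time verification, and a registration-time check against a common-password list. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the "PBKDF2 or bcrypt" named above; the iteration count, the record format, the 12-character length floor and the short COMMON_PASSWORDS set (a constructed stand-in for the ~2000-entry list the answer suggests) are assumptions of this example.

```python
"""Password storage as recommended above: slow KDF, per-user random salt,
constant-time verify, and a common-password check at registration.

Added example, not code from the original answer. ITERATIONS, MIN_LENGTH, the
record format and COMMON_PASSWORDS are assumptions; COMMON_PASSWORDS is a
constructed stand-in for a real most-common-passwords list.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 600_000   # cost factor (assumption): raise it as hardware speeds up
SALT_BYTES = 16
MIN_LENGTH = 12        # assumption: a length floor rather than a character-class rule

# Constructed stand-in for a real most-common-passwords list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "dragon"}


def check_policy(password: str) -> List[str]:
    """Return the reasons a password is rejected at registration (empty if OK).

    The common-list check lowercases and strips trailing digits first, so
    "Password1" is caught as the dictionary word it really is.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    normalised = password.lower().rstrip("0123456789")
    if normalised in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a verifier and encode it together with its parameters.

    Record format (assumption): algorithm$iterations$salt_b64$hash_b64, so the
    cost factor can be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False                    # malformed record is never a match
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print(check_policy("Password1"))             # both rules trip
    print(check_policy("PolynomialLovesBacon"))  # []
    record = hash_password("PolynomialLovesBacon")
    print(record)
    print(verify_password("PolynomialLovesBacon", record))   # True
    print(verify_password("polynomiallovesbacon", record))   # False
```

Two registrations of the same password produce different records because each gets its own salt, which is exactly what makes a precomputed hash table useless against the database. The iteration count is stored alongside the hash so that verification of old records keeps working after the cost factor is raised for new ones.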


Tags:passwords, hash


Copyright (C) 2018 ceus-now.com, All Rights Reserved.