Security of Passwords
-
I have a question on password security. This is a requirement from a client, and I want to do it right. Here are the requirements:
1) The code needs to use best practices and in a way that will perform well and scale well under load. This isn't that big of a deal for me; I write pretty good code.
2) Here's what he asked for in his email:
A) It must contain at least one vowel.
B) It cannot contain three consecutive vowels or three consecutive consonants.
C) It cannot contain two consecutive occurrences of the same letter, except for 'ee' or 'oo'.
My problem is that I think I could use RegEx for this, but I suck at RegEx. I've always hated it because it seems so cryptic. I don't have a problem working through the problem, or coding it - my problem is knowing where to go with this.
1) Is RegEx the answer?
2) Would you use another technique? Which one?
3) Anything in the .Net class libs that I can use?
Summary is, I'm a little unsure how to move ahead on this, so any input I get would be great. Thanks
-
zephaneas wrote:
and I want to do it right.
Then educate them that the criteria are not safe.
zephaneas wrote:
Here's what he asked for in his email
The criteria allow for most of the actual words on the following list: http://www.zdnet.com/blog/security/25-most-used-passwords-revealed-is-yours-one-of-them/12427
-
I too think the client is talking through the wrong end of his body, but hey, you give the man what he wants, not what he needs. Regex is the way to go, even if it causes you a little pain right now. Grab a copy of Expresso, the best free Regex tool on the planet*, and go to work. You will need to clarify the requirements a bit - min/max length, allowed character set, etc, as well as the client's rules (ee and oo allowed but not tt seems a bit silly...). Expresso allows you to build a regex incrementally, and it provides a tree-like view of what each little bit means, as well as testing as you go. Your regex may not fit on one line, but it'll probably fit in a tweet. ;P If you can get your client to provide you two lists - good and bad passwords - then you can run them as tests in Expresso. If you get stuck along the way, post a question in the Regular Expressions forum.
* disclaimer: I have no connection to Expresso other than as a very satisfied user.
Cheers, Peter
Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
I've used Expresso in the past and it is a great tool to have around.
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus
-
zephaneas wrote:
little unsure how to move ahead on this
You should recommend to your client that the criteria he has given you will not make the passwords strong at all, and advise him that more strength is a good idea.
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus
-
If a customer comes up with such ideas, try briefly to inform him of good practices. If he seems reluctant to realize the difference, give him what he insists on getting. And since new user registrations / password changes do not happen very often, do not worry about the highest performance. Naive approaches are good enough. Create character arrays for vowels and consonants, e.g.
char[] vowels = "AaEeIiOoUu".ToCharArray();
and condition A can be checked with the "IndexOfAny" method of string. If the password is longer than 1 character (oh yes, "a" is a safe password for your customer...), check B and C by looping through the characters of the password - you can access each character by the indexer, e.g.
char c = password[0];
-
Those are really bad criteria, particularly as there are no length requirements in there, which are the one thing that really makes a difference. "This is my password" is a much more secure one than "Ql5'J". I don't think you can do C with a regex, so you probably want to traverse the string yourself anyway, which makes A trivial and B rather easy.
-
He wants you to use best practices, but his own "requirements" violate best practices for passwords. I think you need to write a reply to the email, not code.
A guide to posting questions on CodeProject
Dave Kreskowiak
-
zephaneas wrote:
A) It must contain at least one vowel.
So, a password of "a" is enough to satisfy the criteria. As others have said, he needs to be educated as to best practices (e.g. use of symbols, minimum length, etc). To answer the question though - I wouldn't use RegEx for something like this. You may get a working regular expression, but it will be tied to these requirements. If the criteria expand, you'll have to revisit the regex, and you may find that the solution is no longer valid. A fairly elegant solution would be to use the Visitor Pattern. With this, you can add new rules without affecting the underlying logic, simply by adding new visitors.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
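As an added example (my code, not from the thread or any poster), here are the three client rules from the loop-based answer together with the pluggable rule list suggested in the last answer, written in Python rather than C# so it runs as is; the loops map directly onto the string indexer approach above, and rule C is also shown as a regex with a backreference. Assumptions the thread leaves open: only ASCII letters count as vowels or consonants, and doubled letters are compared case-insensitively.

```python
import re

VOWELS = set("aeiouAEIOU")

def is_vowel(ch):
    return ch in VOWELS

def is_consonant(ch):
    # Assumption not stated in the thread: only ASCII letters count, so digits,
    # spaces and symbols are neither vowels nor consonants.
    return ch.isascii() and ch.isalpha() and ch not in VOWELS

def rule_a(pw):
    """A: at least one vowel (what IndexOfAny does on the .NET side)."""
    return any(is_vowel(c) for c in pw)

def rule_b(pw):
    """B: no run of three vowels and no run of three consonants."""
    for i in range(len(pw) - 2):
        w = pw[i:i + 3]
        if all(map(is_vowel, w)) or all(map(is_consonant, w)):
            return False
    return True

def rule_c(pw):
    """C: no doubled letter except 'ee'/'oo' (case-insensitive, an assumption)."""
    for a, b in zip(pw, pw[1:]):
        if a.isalpha() and a.lower() == b.lower() and a.lower() not in "eo":
            return False
    return True

# Rule C as a regex after all: a letter other than e/o, captured and then
# immediately repeated via a backreference; the input is lowercased first.
DOUBLED_LETTER = re.compile(r"([a-df-np-z])\1")

def rule_c_regex(pw):
    return DOUBLED_LETTER.search(pw.lower()) is None

# Rules as a pluggable list: adding a rule is one more entry, the rest untouched.
RULES = [("A: needs a vowel", rule_a),
         ("B: three in a row", rule_b),
         ("C: doubled letter", rule_c)]

def min_length(n):
    return lambda pw: len(pw) >= n

def violations(pw, rules=RULES):
    """Names of the rules the password breaks; an empty list means accepted."""
    return [name for name, ok in rules if not ok(pw)]
```

Running violations() on the thread's own yardsticks shows the weakness the posters complain about: the one-letter password "a" passes all three rules while "This is my password" is rejected on B and C, and only an added minimum-length rule catches "a".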