
At least x number of characters on password input requirement

duncanb7 asked
438 Views
Last Modified: 2014-01-12
Dear Expert,

After solving the SQL issue (https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28335484.html),

now I have one more question, on the password requirement for users registering on my site.

What is the "at least x number of characters on password" I need to set?

For example, there are a-z, A-Z, 0-9, ',', '#', '$' ... etc., around 70 characters for one character of password input, so if x is 3, the number of combinations is 70*70*70 = 343000, right?

x = 3 is safe enough for security, right?

Duncan
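To put numbers on the question, here is an added example that is not part of the original post (Python rather than the PHP the site runs on; the 70-character alphabet is taken from the question, and the two attacker guess rates are assumptions, not measurements). The keyspace is alphabet^length, but what decides safety is that number divided by how fast the attacker can guess, and that rate differs by many orders of magnitude between an online attack against login.php and an offline attack against a leaked table of hashes.

```python
# Keyspace and brute-force time estimates for a policy of "at least x characters".
# Added example: alphabet size and attacker rates are assumptions for illustration.

ALPHABET_SIZE = 70      # printable characters, as assumed in the question
YEAR = 365 * 86400      # seconds in a year

# Illustrative attacker rates (assumed, not measured):
ONLINE_RATE = 10        # guesses/s against an unthrottled login page over the network
OFFLINE_RATE = 10**9    # guesses/s against leaked fast hashes (MD5/SHA-1) on GPUs


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet=ALPHABET_SIZE):
    """Worst-case time to try every password of this length at a given rate.
    On average the real password falls after about half of that."""
    return keyspace(length, alphabet) / guesses_per_second


def seconds_for_guesses(guesses, guesses_per_second):
    """Time an attacker needs for a fixed number of guesses at a given rate."""
    return guesses / guesses_per_second


def min_length_for(target_seconds, guesses_per_second, alphabet=ALPHABET_SIZE):
    """Smallest length whose full keyspace takes at least `target_seconds`
    to exhaust at the given guess rate."""
    length = 1
    while seconds_to_exhaust(length, guesses_per_second, alphabet) < target_seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.6f} s"


def summarize(length):
    """Compare online and offline exhaustion time for one password length."""
    online = human(seconds_to_exhaust(length, ONLINE_RATE))
    offline = human(seconds_to_exhaust(length, OFFLINE_RATE))
    return f"length {length}: {keyspace(length):,} candidates; online {online}, offline {offline}"


if __name__ == "__main__":
    for n in (3, 6, 8, 10, 12):
        print(summarize(n))
    # One guess every 30 seconds, one million guesses (the delay idea from the thread):
    print("1e6 guesses at one per 30 s:", human(seconds_for_guesses(10**6, 1 / 30)))
    print("shortest length that survives a year of offline cracking:",
          min_length_for(YEAR, OFFLINE_RATE))
    print("shortest length that survives a year of online guessing:",
          min_length_for(YEAR, ONLINE_RATE))
```

The point the numbers make: three characters (343,000 candidates) last a working day against a slow online attacker and well under a millisecond against an offline one, so the minimum length has to be chosen against the offline case, which the login page's behaviour cannot slow down at all; only the hashing scheme can.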

It will depend on what kind of attack you are considering.

If you allow unlimited tries without blocking the user for some time, it will be easily breakable. You will want to add some limits there, so the attacker will need more time than is feasible or reasonable for your scenario.

You should also consider server-side protection, using salted hashes, to protect the passwords in the case that someone gets into your server.

This article written by another expert is quite good on password security:
https://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html

Please take a look at this thread, where the server-side and password transport scenarios were discussed too:
https://www.experts-exchange.com/Security/Vulnerabilities/Q_28304955.html
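One way to add the limits mentioned above, as an added example that is not part of the thread (written in Python for illustration, the site itself being PHP; the limits of 10 failures per account and 100 per source address per hour, the account and address names, and the simulated attackers are all assumptions). It keeps two sliding windows of failed attempts, because a per-account limit alone does nothing against one client trying a single password across many accounts, and it counts only failures so legitimate users are not penalised for logging in:

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed login attempts (added example).

    Two independent counters: per account, which stops guessing against one
    user, and per source IP, which stops one client from spraying a single
    password across many accounts. Only failures count, and a successful
    login clears the account's counter.
    """

    def __init__(self, per_account=10, per_ip=100, window_seconds=3600,
                 clock=time.monotonic):
        self.per_account = per_account
        self.per_ip = per_ip
        self.window = window_seconds
        self.clock = clock                       # injectable for deterministic tests
        self._by_account = defaultdict(deque)    # account -> failure timestamps
        self._by_ip = defaultdict(deque)         # ip -> failure timestamps

    def _prune(self, bucket, now):
        # Deques are in insertion order, so drop from the left while too old.
        while bucket and bucket[0] <= now - self.window:
            bucket.popleft()

    def allowed(self, account, ip):
        """Should this attempt be evaluated at all?"""
        now = self.clock()
        acct, src = self._by_account[account], self._by_ip[ip]
        self._prune(acct, now)
        self._prune(src, now)
        return len(acct) < self.per_account and len(src) < self.per_ip

    def record_failure(self, account, ip):
        now = self.clock()
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)

    def record_success(self, account):
        self._by_account.pop(account, None)


class FakeClock:
    """Manual clock so the simulations run instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


ATTACKER_IP = "203.0.113.7"   # assumed documentation-range address


def simulate_single_account(throttle, clock, guesses, interval):
    """One account hammered from one IP; returns how many attempts reached
    password checking (all guesses are wrong, so each evaluated one fails)."""
    evaluated = 0
    for _ in range(guesses):
        if throttle.allowed("alice", ATTACKER_IP):
            throttle.record_failure("alice", ATTACKER_IP)
            evaluated += 1
        clock.advance(interval)
    return evaluated


def simulate_password_spray(throttle, clock, accounts, interval):
    """One password tried once against each of `accounts` users from one IP."""
    evaluated = 0
    for i in range(accounts):
        user = f"user{i}"
        if throttle.allowed(user, ATTACKER_IP):
            throttle.record_failure(user, ATTACKER_IP)
            evaluated += 1
        clock.advance(interval)
    return evaluated


if __name__ == "__main__":
    clock = FakeClock()
    t = LoginThrottle(per_account=10, per_ip=100, window_seconds=3600, clock=clock)
    print("single account, 100000 guesses at 1/s:",
          simulate_single_account(t, clock, 100_000, 1.0))
    clock = FakeClock()
    t = LoginThrottle(per_account=10, per_ip=100, window_seconds=3600, clock=clock)
    print("spray over 1000 accounts, per-IP limit on:",
          simulate_password_spray(t, clock, 1000, 1.0))
    clock = FakeClock()
    t = LoginThrottle(per_account=10, per_ip=10**9, window_seconds=3600, clock=clock)
    print("spray over 1000 accounts, per-IP limit off:",
          simulate_password_spray(t, clock, 1000, 1.0))
```

The per-account window cuts a day-long single-account attack from 100,000 evaluated guesses to 280, but it also lets anyone who knows a username lock that user out by sending ten wrong passwords, so in practice the limits are used to slow down and add a CAPTCHA or delay rather than to hard-lock, and the per-IP counter needs care behind shared NATs and proxies. In a PHP deployment the two deques would live in the database or a cache keyed by account and address, not in process memory.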

Author

Commented:
Thanks Cristian Moecke, I will read it, but I need at least x, where x is one day, since there are a lot of technical terms I need to understand.

Duncan
Most Valuable Expert 2011
Author of the Year 2014

Commented:
You're not the first to have this question.  Please read the entire article here.  It will tell you what you need to understand PHP client authentication.  In the instant case about the passwords, be sure to read the part (including the links) under An Afterword: About Storing Passwords
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

Author

Commented:
cristiantm and Ray, thanks for your replies.

It seems the answer to this question is that "at least x" should be as long as possible, right?

And if I try to increase the time for the user to complete the login process, that will help
to prevent the attack, right? Since the attacker needs more time or cost for every access guess; for example, making one login page access take longer by adding an idle time of 30 seconds in the login PHP page, so that 1 million guesses need 1 million * 30 seconds = 342 days.

I understand that is not perfect and it will delay the user logging in to my site, but
at least it will be better than a login page with just a 300 ms completion time.

Please advise

Duncan

Author

Commented:
http://password-checker.online-domain-tools.com/

This link might answer my question, and it does not allow a user to use its page more than
10 times per hour and 80 times in one day.

If my login PHP page checks the user's number of login attempts in one
hour or one day, for example, just allowing them to run login.php only 80 times in one day,
that strategy will solve all automated access guessing by brute-force attack completely, right?

Duncan
Most Valuable Expert 2011
Author of the Year 2014

Commented:
The subject of Information Systems Security is a full time four year college major at the University of Maryland, and choosing the password scheme is about 1 day of that curriculum.  Did you read the ArsTechnica article?  It doesn't matter what you do!  Anyone who is determined to break your passwords is going to be able to do it (and that includes the NSA).  Anyone who wants to mount a brute-force attack will be able to do it.  And if you try to defend against attacks by locking up your server, all you will accomplish is a giant frustration for your legitimate clients.  Don't do that.

The password-checker at online-domain-tools looks like it might have been right in about 1996, but today most password-decipher algorithms are computationally trivial.  All that stuff about "2 million years" to break a password is just nonsense.  Don't believe it.

You've heard of the Target Stores breach, right?  110 million clients have had their credit card numbers exposed, along with their names, addresses, pin numbers, CVV codes, expiration dates and perhaps other information.  This did not happen by accident, and it did not occur because Target used a deficient password hash.  Security is a wide and deep subject, constantly changing.  Password-related algorithms are the least of your concerns.  Edward Snowden is the poster child for information systems security.  The greatest threat is not someone who is trying to hack your passwords.  It's someone you trust.  If you put your web application on a computer that can be administered by a single individual, your password scheme won't matter at all.  You'll fail the first question on the security audit!

Executive summary: use well-salted strings for password storage.  It doesn't matter whether you use md5() or sha() functions to encrypt because only the novice hackers will be stopped; the others will break the passwords, it's only a matter of time.  

You might think about using a CAPTCHA test at the time of registration because that's when most of the script-kiddie attacks occur, then once they are registered they post V1AGRA advertisements into your web site.  This article can help you understand and implement CAPTCHA.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html

Good luck with your project and don't waste too much time on this one little slice, ~Ray
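The executive summary above comes down to storing salted strings. As an added example that is not the thread's own code (Python for illustration, the site being PHP; the algorithm, iteration count, salt length and record format are assumptions), this stores each password with its own random salt using a deliberately slow key derivation function, PBKDF2-HMAC-SHA256 from the standard library, so that every offline guess costs the attacker real CPU time, and it keeps the iteration count inside the record so it can be raised later without invalidating existing users. The unsalted MD5 function is included only to show what salting fixes.

```python
import base64
import hashlib
import hmac
import os

# Added example. Parameters are assumptions, not from the thread: PBKDF2-HMAC-SHA256,
# a 16-byte random salt per password, and an iteration count that makes each guess
# cost measurable CPU time. The count travels with the hash so it can be raised later.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)       # binascii.Error is a ValueError
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record is below current policy. Call right after a successful
    login, while the plaintext is in hand, and store hash_password() again."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


def unsalted_md5(password):
    """The scheme salting replaces: identical passwords give identical hashes, so one
    precomputed table or one cracked hash covers every user with that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
    print("two users, same password, unsalted md5 equal:",
          unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    print("two users, same password, salted records equal:",
          hash_password("hunter2") == hash_password("hunter2"))
    print("old 10k-iteration record needs rehash:",
          needs_rehash(hash_password("hunter2", iterations=10_000)))
```

The salt defeats precomputation across users; the iteration count is what turns the offline guess rate from billions per second into thousands, which is the one lever the server has against an attacker who already holds the database. In PHP the same shape is available directly through password_hash() and password_verify(), which also embed algorithm, cost and salt in the stored string.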

Author

Commented:
After reading your post, will limiting a user to accessing login.php a certain number of
times per day help with password or login security or not? Do I need to implement it
on my login.php page?

Duncan
Most Valuable Expert 2011
Author of the Year 2014
Commented:

Author

Commented:
Thanks for all of your replies, Ray, I will read it and take your advice.

have a nice day

Duncan
Most Valuable Expert 2011
Author of the Year 2014

Commented:
Thanks for the points, and best of luck with your project!
