duncanb7
 asked on

At least x number of characters on password input requirement

Dear Expert,

After solving the SQLi issue, https://www.experts-exchange.com/questions/28335484/Sql-injection-in-php-limit-my-password-requirement-on-register-page.html

now I have one more question on
the password requirement for users registering on my site.

What is the "at least x number of characters on password" I need to set?

For example, there are a-z, A-Z, 0-9, ',', '#', '$', etc., around 70 characters for one character of password input, so if x is 3, the number of combinations is 70*70*70 = 343000, right?

If x is 3, that is safe enough for security, right?

Duncan
PHPMySQL Server
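The arithmetic in the question (70 symbols per position, so 70^3 = 343000 three-character passwords) is only half of the answer; the other half is how fast an attacker can try them. The following added example (not from the thread, and not PHP, but the calculation is language-independent) carries that arithmetic through for two assumed attacker models, an online guesser hitting login.php and an offline attacker who has already copied the hash table, and works out the minimum length each model demands. The alphabet size, guess rates and one-year horizon are assumptions chosen for illustration.

```python
import math

# Constructed figures for this worked example (not from the original post):
# roughly 70 usable symbols per password character, as the question estimates,
# and two assumed attacker speeds: an online guesser submitting login.php
# requests, and an offline attacker who has already copied the hash table.
ALPHABET_SIZE = 70
ONLINE_GUESSES_PER_SEC = 100                # assumption: unthrottled web logins
OFFLINE_GUESSES_PER_SEC = 10_000_000_000    # assumption: GPU against a fast hash
ONE_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_sec


def min_length(alphabet_size: int, guesses_per_sec: float, horizon_seconds: float) -> int:
    """Smallest length whose full keyspace takes longer than `horizon_seconds`
    to exhaust at `guesses_per_sec`."""
    length = 1
    while seconds_to_exhaust(alphabet_size, length, guesses_per_sec) < horizon_seconds:
        length += 1
    return length


def report(alphabet_size: int = ALPHABET_SIZE) -> dict:
    """Compare the asker's x = 3 against both attacker models and return the
    minimum length each model demands to survive one year of guessing."""
    return {
        "keyspace_3": keyspace(alphabet_size, 3),
        "bits_3": round(entropy_bits(alphabet_size, 3), 1),
        "online_seconds_3": seconds_to_exhaust(alphabet_size, 3, ONLINE_GUESSES_PER_SEC),
        "offline_seconds_3": seconds_to_exhaust(alphabet_size, 3, OFFLINE_GUESSES_PER_SEC),
        "min_length_online": min_length(alphabet_size, ONLINE_GUESSES_PER_SEC, ONE_YEAR),
        "min_length_offline": min_length(alphabet_size, OFFLINE_GUESSES_PER_SEC, ONE_YEAR),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>20}: {value}")
```

With these assumptions a three-character password falls to the online guesser in under an hour and to the offline attacker in a fraction of a second; surviving a year needs about six characters against the former and ten against the latter. All of this assumes passwords chosen uniformly at random; human-chosen passwords carry far less entropy than their length suggests, so a length rule is a floor, not a guarantee, and the attacker model that matters most is the offline one after a database leak.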

Last Comment
Ray Paseur

cristiantm

It will depend on what kind of attack you are considering.

If you allow unlimited tries without blocking the user for some time, it will be easily breakable. You will want to add some limits there, so the attacker will need more time than is feasible or reasonable for your scenario.

You should also consider server-side protection, using salted hashes, to protect the passwords in case someone gets into your server.

This article written by another expert is quite good on password security:
https://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html

Please take a look at this thread where the server-side and password-transport scenarios were discussed too:
https://www.experts-exchange.com/questions/28304955/Sending-the-Password-over-network.html
duncanb7

ASKER
Thanks Cristian Moecke, I will read it, but I need at least x, where x is one day, since there are a lot of technical terms I need to understand.

Duncan
ASKER CERTIFIED SOLUTION
cristiantm

Ray Paseur

You're not the first to have this question.  Please read the entire article here.  It will tell you what you need to understand PHP client authentication.  In the instant case about the passwords, be sure to read the part (including the links) under An Afterword: About Storing Passwords.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
duncanb7

ASKER
cristiantm and Ray, thanks for your replies.

It seems the answer to this question is that "at least x" should be as long as possible, right?

And if I try to increase the time for the user to complete the login process, that will help
to prevent the attack, right? Since the attacker needs more time or cost for every access guess; for example, doing one login page access with an idle time of 30 seconds added in the login PHP page. If so, 1 million guesses need 1 million * 30 seconds = 342 days.

I understand that is not perfect and it will delay the user logging in to my site, but
at least it will be better than a login page with just 300ms completion time.

Please advise

Duncan
duncanb7

ASKER
http://password-checker.online-domain-tools.com/

This link might answer my question, and it does not allow users to use its page more than
10 times per hour and 80 times in one day.

If my login PHP page checks the user's number of login attempts in one
hour or one day, for example, just allowing them to run login.php only 80 times in one day,
that strategy will solve all automated password guessing by brute-force attack completely, right?

Duncan
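Two posts above discuss throttling: cristiantm's advice to block further tries for some time, and the proposal here to cap login.php at a fixed number of runs per day. The following added example (not from the thread, and written in Python rather than PHP to show the logic) is one way to do that. It counts only failed attempts in a sliding window, keyed both by account name and by client address, and refuses a throttled request before the password is ever checked. The user table, addresses, limits and clock are constructed for the demo; the FakeClock exists only so the run is reproducible.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counter of *failed* attempts per key (an account name or
    a client address). Counting failures rather than all requests means a cap
    like "80 per day" never bites a user who keeps logging in correctly."""

    def __init__(self, max_failures: int, window_seconds: float, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures

    def _recent(self, key):
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, key) -> bool:
        return len(self._recent(key)) < self.max_failures

    def record_failure(self, key) -> None:
        self._recent(key).append(self.clock())

    def reset(self, key) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle, check_password, username, password, client_ip) -> str:
    """Returns 'ok', 'bad_password' or 'throttled'. Both the account and the
    source address are checked: spraying one account from many addresses trips
    the per-account limit, spraying many accounts from one address trips the
    per-address limit. A throttled request is refused before the password is
    checked, so it costs the server almost nothing."""
    if not (throttle.allowed(("user", username)) and throttle.allowed(("ip", client_ip))):
        return "throttled"
    if check_password(username, password):
        throttle.reset(("user", username))
        return "ok"
    throttle.record_failure(("user", username))
    throttle.record_failure(("ip", client_ip))
    return "bad_password"


class FakeClock:
    """Constructed clock so the demo below is reproducible."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo() -> dict:
    # Constructed user table and attacker traffic; hypothetical addresses.
    users = {"alice": "correct horse battery staple"}

    def check(username, password):
        return users.get(username) == password

    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=15 * 60, clock=clock)

    # Attacker fires 100 guesses at alice from one address in quick succession.
    results = [attempt_login(throttle, check, "alice", f"guess{i}", "203.0.113.7")
               for i in range(100)]
    # Side effect of per-account lockout: alice herself is refused while the
    # window is open, even with the right password and from her own address.
    alice_during = attempt_login(throttle, check, "alice", users["alice"], "198.51.100.9")
    clock.advance(15 * 60 + 1)
    alice_after = attempt_login(throttle, check, "alice", users["alice"], "198.51.100.9")
    return {
        "guesses_checked": results.count("bad_password"),
        "guesses_refused": results.count("throttled"),
        "alice_during_lockout": alice_during,
        "alice_after_window": alice_after,
    }


if __name__ == "__main__":
    print(demo())
```

Of the attacker's 100 guesses only 5 are ever compared against a password; the rest are refused. The same run shows the cost: while the window is open the real owner is locked out too, which is exactly the "frustration for legitimate clients" risk raised later in this thread, so keep windows short and escalate to a CAPTCHA or growing delays rather than a permanent lock. A fixed server-side sleep on each request, by contrast, only slows a client that waits for the response; an attacker opens many connections in parallel, so count attempts instead of sleeping.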
Ray Paseur

The subject of Information Systems Security is a full time four year college major at the University of Maryland, and choosing the password scheme is about 1 day of that curriculum.  Did you read the ArsTechnica article?  It doesn't matter what you do!  Anyone who is determined to break your passwords is going to be able to do it (and that includes the NSA).  Anyone who wants to mount a brute-force attack will be able to do it.  And if you try to defend against attacks by locking up your server, all you will accomplish is a giant frustration for your legitimate clients.  Don't do that.

The password-checker at online-domain-tools looks like it might have been right in about 1996, but today most password-decipher algorithms are computationally trivial.  All that stuff about "2 million years" to break a password is just nonsense.  Don't believe it.

You've heard of the Target Stores breach, right?  110 million clients have had their credit card numbers exposed, along with their names, addresses, pin numbers, CVV codes, expiration dates and perhaps other information.  This did not happen by accident, and it did not occur because Target used a deficient password hash.  Security is a wide and deep subject, constantly changing.  Password-related algorithms are the least of your concerns.  Edward Snowden is the poster child for information systems security.  The greatest threat is not someone who is trying to hack your passwords.  It's someone you trust.  If you put your web application on a computer that can be administered by a single individual, your password scheme won't matter at all.  You'll fail the first question on the security audit!

Executive summary: use well-salted strings for password storage.  It doesn't matter whether you use md5() or sha() functions to encrypt because only the novice hackers will be stopped; the others will break the passwords, it's only a matter of time.  

You might think about using a CAPTCHA test at the time of registration because that's when most of the script-kiddie attacks occur, then once they are registered they post V1AGRA advertisements into your web site.  This article can help you understand and implement CAPTCHA.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html

Good luck with your project and don't waste too much time on this one little slice, ~Ray
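Both cristiantm's advice to use salted hashes on the server and Ray's executive summary ("use well-salted strings for password storage") come down to the same storage scheme. The following added example (not from the thread, and written in Python rather than PHP so the verifier can run it) shows a per-user random salt, an iterated hash so each guess costs the attacker real work, a constant-time comparison on verification, and a self-describing record format so the iteration count can be raised later. The algorithm choice, iteration count and sample accounts are assumptions for illustration; an unsalted md5 is included only to show why two users with the same password must not share a hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256 with an
# iteration count tuned so one verification costs tens of milliseconds.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user means identical passwords produce different
    records, so an attacker cannot crack them in one batch or use a
    precomputed table."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so response timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates current policy (other algorithm, fewer
    iterations, or malformed); re-run hash_password() right after a
    successful login to upgrade it transparently."""
    try:
        algorithm, iters, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(iters) < iterations
    except ValueError:
        return True


def unsalted_md5(password: str) -> str:
    """What the thread warns against: same password, same hash, for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed accounts: two users who happened to choose the same password.
    shared = "Summer2014"
    return {
        "md5_collides": unsalted_md5(shared) == unsalted_md5(shared),
        "salted_differs": hash_password(shared) != hash_password(shared),
        "verify_ok": verify_password(shared, hash_password(shared)),
        "verify_wrong": verify_password("summer2014", hash_password(shared)),
        "old_record_needs_upgrade": needs_rehash(hash_password(shared, iterations=1000)),
    }


if __name__ == "__main__":
    print(demo())
```

In PHP the same properties come built in with password_hash() and password_verify() (available since PHP 5.5), which generate the salt, use bcrypt by default and store a self-describing string, so a login.php page normally has no reason to call md5() or sha1() on a password at all.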
duncanb7

ASKER
After reading your post, will limiting users to accessing login.php a certain number of
times a day help with password or login security or not? Do I need to implement it
on my login.php page?

Duncan
SOLUTION
Ray Paseur

duncanb7

ASKER
Thanks for all of your replies, Ray; I will read it and take your advice.

have a nice day

Duncan
Ray Paseur

Thanks for the points, and best of luck with your project!