06 March 2009

Is Password Complexity Too Complex to Implement?

Enforcing complexity is one aspect of a good password policy. But web applications often implement this poorly.

Yesterday I had to change a password on a web application provided by an information security vendor. You'd think they'd have this sorted. It began promisingly:

  • the page was only available on a page transmitted over secure HTTP
  • the page was only available to currently authenticated users
  • there was an explanation of the minimum password complexity requirements
  • the form asked for the current password
  • the form asked for a new password and provided a visual indicator of the password complexity (length and mix of characters)
  • the new password wasn't allowed to be blank(!)
  • confirmation of the new password was sought
  • password fields were initially all blank and masked as you typed
  • the submission was sent by the post method over secure HTTP
  • the session was ended (forced log out) and the account locked after multiple failures to change the password correctly

Also, the form had some helpful client-side JavaScript validation—but did not rely this and, correctly, was also undertaken once submitted to the web server.

Partial screen capture showing a change password form, asking for the current password, new password and conformation of the new password - dynamic grey text next to the new password field says 'Great' suggesting the password complexity is high

The client-side validation even included an indicator of password complexity. But I was surprised when my "great" new password was rejected apparently because it did not contain solely ASCII characters:

Partial screen capture showing the same change password form after submission; the 'Great' password has been replaced with a red text 'Must be ASCII'

Well, I can assure you I did use ASCII characters. In this case the client-side and server-side validation are not identical. This suggests that there may be contradictory requirements in the specification or the validation has been implemented incorrectly, and there was inadequate testing and verification undertaken.

This is a usability error, and a potential security vulnerability.

A small issue, but it demonstrates how easy it is to have faults in applications. This may not have an impact on the application's security, but it would be an area a malicious user would explore further to see if the weakness could be exploited.

Posted on: 06 March 2009 at 08:32 hrs

Comments Comments (1) | Permalink | Send Send

Comments

Comments are filtered automatically and should appear shortly after they been checked.

What a great topic! As a former network engineer, here is what would happen. We implement password complexity and, for some reason, otherwise bright, articulate people are left clueless.

The result?

Passwords written in sticky notes and posted on the screen or under the keyboard.

By making passwords complex, we made them easily accessible for anybody who could get in the building :)

Cheers!
1 Added by Healthy Divorce Posted on 12 March 2009 at 14:05 hrs
Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Is Password Complexity Too Complex to Implement?
http://www.clerkendweller.com/2009/3/6/Is-Password-Complexity-Too-Complex-to-Implement
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2009/3/6/Is-Password-Complexity-Too-Complex-to-Implement
Requested by 38.107.191.115 on Friday, 12 March 2010 at 02:10 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2009-2010 clerkendweller.com