
How can I safely analyze users' password quality?

@Welton855

Posted in: #Analytics #Password #Registration

Given a registration service website with rather lax password requirements for the users (6-12 characters with no special requirements), how can I safely analyze what quality of passwords users pick without storing them in plain text?

For background: This question came up when discussing whether or not users of the service pick sufficiently "good" passwords, and if they do not, whether there is enough reason to enforce this by setting tighter password requirements. Assuming some sort of rating system for the password, what interests the team is the ratio of poor passwords (only letters, no special signs, no upper/lower-case variation, repeating signs, partial match with own name or email, etc.) compared to good passwords.

Supposedly, implementing a rating algorithm that stores the password quality rating at the time users set their passwords would be a good way, but are there any more considerations to take with this? What kind of assertions about password quality can I make and rate without actually storing the passwords? And do I just log password ratings without any other data, or how could I cross reference password quality with user demographics (age, gender, activity on the service) in a way that respects user privacy and data security?
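One way to implement the rating the question describes, written for this page as an added example rather than code from the poster: the function checks the criteria listed above (letters only, no case variation, repeated characters, partial match with the user's own name or email) at the moment the password is set and returns only a coarse label plus the failed criteria, so the plaintext never needs to leave the request handler. The function names, the three-character run threshold and the four-character identity window are assumptions made for the example.

```python
# Added example (not the poster's code): rate a password at set time on the
# criteria listed in the question and return only a coarse label. The label
# is meant to be counted in aggregate; nothing here is written to storage.
import re
import string

WEAK, AVERAGE, STRONG = "weak", "average", "strong"


def character_classes(password):
    """Character classes present, as a set of 'lower', 'upper', 'digit', 'symbol'."""
    kinds = {"lower": string.ascii_lowercase,
             "upper": string.ascii_uppercase,
             "digit": string.digits}
    classes = set()
    for ch in password:
        classes.add(next((k for k, alphabet in kinds.items() if ch in alphabet), "symbol"))
    return classes


def has_repeated_run(password, length=3):
    """True if some character occurs `length` or more times in a row (threshold assumed)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= length:
            return True
    return False


def matches_identity(password, name="", email="", window=4):
    """True if any `window`-character slice of the user's name or of the local
    part of their email appears in the password, case-insensitively (window assumed)."""
    lowered = password.lower()
    local_part = email.split("@", 1)[0]
    tokens = re.findall(r"[a-z0-9]+", (name + " " + local_part).lower())
    for token in tokens:
        for i in range(len(token) - window + 1):
            if token[i:i + window] in lowered:
                return True
    return False


def rate_password(password, name="", email=""):
    """Return (label, issues); issues lists the failed criteria in a fixed order."""
    classes = character_classes(password)
    issues = []
    if not classes & {"digit", "symbol"}:
        issues.append("letters_only")
    if not {"lower", "upper"} <= classes:
        issues.append("no_case_variation")
    if has_repeated_run(password):
        issues.append("repeated_characters")
    if matches_identity(password, name, email):
        issues.append("identity_match")
    if len(issues) >= 2:
        return WEAK, issues
    if issues:
        return AVERAGE, issues
    return STRONG, issues


if __name__ == "__main__":
    # Constructed sample inputs for a quick look at the buckets.
    for pw in ("aaaaaa", "Sunshine", "janedoe99", "Correct7"):
        print(pw, rate_password(pw, name="Jane Doe", email="jane.doe@example.com"))
```

The caller keeps the label and discards the password and the issue list once the aggregate counter has been bumped; the label is deliberately coarse (three buckets) so that what does get stored says as little as possible about any individual account.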


4 Comments


@Pope3001725

If you are going to do that, DO NOT store a rating or additional information about the contents of passwords directly mapped in some way to each password. If your database was hacked, this would be the equivalent of saying "These passwords are the easy ones to crack, and here's some information about them to get you started."

Instead, you could store general information and add to that every time users change their passwords. For example, x passwords have been "strong", y passwords have been "average", z passwords have been "weak" by your rating system. However, don't get too specific on this (e.g. "I have 23 passwords of length 6 with only lower-case letters") or you'll again be helping your adversaries.

I should note that I'd be hesitant to even store summary information, as this still gives the potential attacker more info about passwords in your system. However, it should be relatively safe since they probably had that information to begin with. In other words, in any password restriction system, some amount of users will likely use the "weakest" passwords allowable, so you are just giving them a more definite count of the number of users that fit that category, which (hopefully) shouldn't help them too much.


@Pierce454

Sounds like you are reinventing the wheel. There are plenty of scripts that will check password quality: www.webresourcesdepot.com/10-password-strength-meter-scripts-for-a-better-registration-interface/


@Jamie184

In addition to weak patterns, we hash an entry and try to look it up from one of the largest known password lists available at dazzlepod.com/uniqpass/.
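The lookup this answer describes, as an added example that is not Jamie184's code: the known-password list is turned into a set of digests once, the candidate is hashed at set time and checked for membership, and only the yes/no outcome is counted. The list here is a constructed five-entry stand-in for a downloaded file, SHA-256 is an assumed hash choice, and the extra case-folded check goes slightly beyond the answer, which describes an exact lookup.

```python
# Added example (not Jamie184's code): look a candidate password up in a
# known-password list by hash at set time, and count only the outcome.
import hashlib
from collections import Counter

# Constructed stand-in for a known-password list such as the one referenced in
# the answer; in practice this would be read from the downloaded file.
KNOWN_PASSWORDS_TEXT = """\
123456
password
qwerty
letmein
iloveyou
"""


def digest(password):
    """SHA-256 hex digest of the exact string (hash choice is an assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load_known_hashes(text):
    """Build a set of digests from a newline-separated list, so the service
    holds one fixed-size digest per entry instead of the plaintext list."""
    return {digest(line.strip()) for line in text.splitlines() if line.strip()}


KNOWN_HASHES = load_known_hashes(KNOWN_PASSWORDS_TEXT)


def is_known_password(password, known=KNOWN_HASHES):
    """True if the password, or its lower-cased form, is on the list."""
    return digest(password) in known or digest(password.lower()) in known


class KnownPasswordTally:
    """Aggregate-only record of the check: two counters, no user or password data."""

    def __init__(self):
        self.counts = Counter()

    def record(self, password):
        found = is_known_password(password)
        self.counts["known" if found else "not_known"] += 1
        return found

    def known_share(self):
        total = sum(self.counts.values())
        return self.counts["known"] / total if total else 0.0


def sample_tally():
    """Run a few constructed candidates through the tally."""
    tally = KnownPasswordTally()
    for pw in ("qwerty", "LetMeIn", "Correct7"):
        tally.record(pw)
    return tally


if __name__ == "__main__":
    tally = sample_tally()
    print(dict(tally.counts))        # {'known': 2, 'not_known': 1}
    print(round(tally.known_share(), 3))
```

The outcome is stored as a count, not as a per-account flag: a column saying "this user's password is on a public list" would be exactly the kind of hint the answer above warns about if the database were ever exposed.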


@Kimberly868

Without storing the passwords you can only evaluate the quality by counting the number of different types of character (upper case, numbers, special characters) when the user first sets or subsequently resets their password.

You could enable the counting and store that information (you just need the number of characters and the number of each type of character - no user information needs to be stored) but not turn on the code that checks the values and reports an error.

This will give you the data on what users pick when there are no restrictions.

If you want to cross reference this with demographic information then that's more problematical. You could probably store the user's gender and age (assuming you have it) without identifying the user. However, cross referencing to activity on the site probably would require the user id.
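An added example, neither Pope3001725's nor Kimberly868's code, that serves both of their points: the counting hook records only the length and the number of characters of each type, as this answer suggests; the store keeps those as aggregate cells keyed by coarse age band and gender rather than per user, as Pope3001725 advises; and cells below a minimum size are suppressed from reports so nothing describes a handful of identifiable accounts. Activity on the site is left out because, as the answer notes, cross-referencing it would require the user id. The band edges, the minimum cell size and all sample events are assumptions constructed for the example.

```python
# Added example (not from the thread): collect per-type character counts at
# password set/reset time and keep them only as aggregate cells keyed by
# coarse demographic bands, never by user id or beside the password hash.
from collections import Counter
import string


def character_counts(password):
    """Counts by character type; this is all the counting hook needs to emit."""
    counts = {"length": len(password), "lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def type_count(counts):
    """Number of distinct character types present (1..4)."""
    return sum(1 for k in ("lower", "upper", "digit", "other") if counts[k] > 0)


def age_band(age):
    """Coarse age band (edges assumed) so a stored cell cannot single out one user."""
    if age is None:
        return "unknown"
    for upper, label in ((17, "under-18"), (24, "18-24"), (34, "25-34"),
                         (44, "35-44"), (54, "45-54")):
        if age <= upper:
            return label
    return "55+"


class PasswordQualityStats:
    """Aggregate store. Note what is absent: user id, password, hash, timestamp."""

    def __init__(self, min_cell=5):
        self.min_cell = min_cell
        self.cells = Counter()  # (age_band, gender, type_count) -> number of events

    def record(self, password, age=None, gender=None):
        counts = character_counts(password)
        key = (age_band(age), gender or "unknown", type_count(counts))
        self.cells[key] += 1
        return key

    def by_type_count(self):
        """Overall picture with no demographics: how many used 1, 2, 3 or 4 types."""
        totals = Counter()
        for (_, _, types), n in self.cells.items():
            totals[types] += n
        return dict(totals)

    def report(self):
        """Demographic cross-tab with small cells suppressed (minimum size assumed)."""
        return {key: n for key, n in self.cells.items() if n >= self.min_cell}


def sample_run(min_cell=2):
    """Feed a few constructed events (password, age, gender) through the store."""
    stats = PasswordQualityStats(min_cell=min_cell)
    for pw, age, gender in (("abcdef", 22, "f"), ("zzzzzz", 24, "f"), ("Abc123", 40, "m")):
        stats.record(pw, age, gender)
    return stats


if __name__ == "__main__":
    stats = sample_run()
    print(stats.by_type_count())  # {1: 2, 3: 1}
    print(stats.report())         # {('18-24', 'f', 1): 2}
```

With the checks that reject a password left switched off, `record` runs on every set or reset and the team reads `by_type_count` for the headline ratio and `report` for the demographic breakdown; raising `min_cell` is the knob that trades detail for the "don't get too specific" caution given earlier in the thread.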
