Question on Password Length (CSP Unit 4 Lesson 8)

wbarnum · November 7, 2019, 4:53pm

One of the questions on the “U4L08 Worksheet - Keys and Passwords” is " Opinion: Is an 8-character minimum a good password length for websites to require?"

I can understand how a long password would be useful when encrypting a file or setting a wireless network key, but I don’t understand how it would matter with a website.

It seems like web site logins would be set up not to allow brute force attacks, so I wouldn’t think the length of the password would matter much.

Thanks in advance for the help in understanding this.

Bill

frank_w_lee · November 8, 2019, 6:44pm

Hi @wbarnum,

When you say web site logins are set up not to allow brute force attacks, I suppose you mean how they for example allow 3 attempts, then ban attempts for x amount of time (like many phone logins)?

I’m by no means a security expert, nor have I formally studied this in any way… that being said …

As far as I know, you’re correct in that the method I mentioned prevents most sites from being attacked via brute force.

I think there’s still a concern if an attacker somehow can make their way around the “front door” - the website login page - and somehow access the password database directly, as is often the case when you hear of a company getting hacked.

To my knowledge, these password databases are hashed - basically encrypted - not stored in plaintext for security purposes (otherwise company employees can also see users’ passwords). However, if an attacker has direct access to that database, they can perform a direct brute force attack on that. Basically, if they know the hash/encryption method, they can guess a password and see if the hashed/encrypted form matches what’s stored in the database.

To learn more about how passwords are stored in a database, including how hashing works, here’s a 10 minute video I found helpful: https://www.youtube.com/watch?v=8ZtInClXe1Q

But definitely, if anyone else has “actual” knowledge to help answer this question, I’d love to hear.

Frank

wbarnum · November 21, 2019, 5:18pm

Frank,

Thank you. That video helped me understand more about how passwords should and shouldn’t be stored.

If I am understanding the video correctly, the uniqueness of the password is important, but the length isn’t.

I’m wondering if there is still something I am missing or if perhaps the lesson needs the caveat that the length of the password doesn’t really matter on something like a web login.

Bill

frank_w_lee · November 24, 2019, 3:00am

Hi @wbarnum,

Hope I’m not causing confusion, but the video is tangential to the lesson - password length is very important but that aspect is not a focus in the video.

In a basic sense, a way to look at the importance of password length is comparing the security of a numeric lock that has just 2 digits (so you can brute force it by trying just 100 combinations) vs a lock that has 5 digits (requiring you to try 100,000 combinations).

wbarnum · December 3, 2019, 2:09am

It still seems like you wouldn’t be able to brute force a web login.

If you did manage to access an encrypted password file, it seems like once you found the key to decrypt it, you would be able to decrypt all the passwords regardless of their length.

Bill

frank_w_lee · December 3, 2019, 2:42am

I agree brute forcing a web login still seems infeasible.

As for accessing the password file, from my understanding, they are hashed - as opposed to encrypted. I’m not sure if that makes a big difference, but hashing doesn’t use keys so one cannot “find” the key and use it to “unhash” the other passwords. Hashing is a one-way operation and there’s no “unhashing” period. One would have to try an input and just see if the output matches the hashed password in the file.

Even if the password file is encrypted instead of hashed, I don’t believe cracking one password gives you the key. Maybe it depends on the encryption method - this stuff I’m not entirely sure of.

Given the attacker knows the hash/encryption algorithm and has the stolen password file, an attack would basically consist of guessing a password, running that guess through the algorithm, and seeing if the output matches the hashed/encrypted text in the stolen password field. From here, it’s a basic brute force attack, possibly starting their guesses with a, b, c… aa, ab, ac… aaa, aab, aac, etc., then possibly onto dictionary words, etc. A short, simple password would be guessed much quicker than a long, complex password.