
Increase Password Strength (deprecated as of 12/04/2018)

This document is deprecated and has been superseded with: Synapse Password Policy

Introduction

Currently Synapse only requires users to choose passwords that are at least one character long (a third-party security audit recently raised this issue).  A single-character password is ridiculously weak.

Why does password strength matter?  Any password can be hacked using a brute-force attack.  The only question is how long it will take the attacker to guess the password.  Weak passwords can be hacked in seconds, while a strong password could take centuries to hack.  With a single-character password (assuming a-z, A-Z, 0–9) it takes at most 62 attempts to hack.

Randomly Generated Passwords

Password strength for a randomly generated password is a function of the size of the character space and the number of characters in that password.  To illustrate this, KeePass was used to randomly generate the following passwords (using only a-z, A-Z, 0–9).  Each password was then tested against the zxcvbn demo to estimate how long a brute-force attack would take for each.  The demo gives an estimate for an unthrottled online attack, which assumes an attacker can make 10 attempts per second.  The demo also gives an estimate for a throttled online attack, which limits the attacker to 100 attempts per minute.

Random Password   Number of Characters   Unthrottled online attack (10 / second)   Throttled online attack (100 / minute)
'B'               1                      less than a second                        7 minutes
'aw'              2                      1 second                                  1 hour
'tJo'             3                      10 seconds                                10 hours
'1P4S'            4                      2 minutes                                 4 days
'yHm6X'           5                      17 minutes                                1 month
'co9dDQ'          6                      3 hours                                   1 year
'52P5d23'         7                      1 day                                     11 years
'NAcviDGM'        8                      12 days                                   centuries

This test illustrates that throttling the number of login attempts is probably more important than password length.  Currently, Synapse does not throttle login attempts, so ten attempts per second is possible.
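The following is an added example, not code from the original page or from Synapse: it computes the worst-case (full keyspace) brute-force time for random passwords drawn from a-z, A-Z, 0–9 under the two online attack rates quoted above, so the effect of throttling can be read off directly. These are exhaustion-time ceilings, not the pattern-aware estimates the zxcvbn demo produces, so the numbers differ from the table; the helper names are my own.

```python
# Added example: worst-case brute-force time for random passwords from the
# 62-character set used on this page, at the two online attack rates quoted.
ALPHABET_SIZE = 62  # a-z, A-Z, 0-9


def rate_per_second(attempts, window_seconds):
    """Convert a throttle policy ('attempts per window') into guesses/second."""
    return attempts / window_seconds


UNTHROTTLED = rate_per_second(10, 1)   # unthrottled online attack: 10 / second
THROTTLED = rate_per_second(100, 60)   # throttled online attack: 100 / minute


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=ALPHABET_SIZE):
    """Worst case: seconds needed to try every password of this length."""
    return keyspace(length, alphabet_size) / guesses_per_second


def humanize(seconds):
    """Render a duration in the coarse units the page's table uses."""
    if seconds < 1:
        return "less than a second"
    units = [("centuries", 100 * 365 * 86400), ("years", 365 * 86400),
             ("months", 30 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:  # largest applicable unit wins
        if seconds >= size:
            return f"{seconds / size:.0f} {name}"


def attack_time_table(max_length=8):
    """One row per length: (length, keyspace, unthrottled time, throttled time)."""
    return [(n, keyspace(n),
             humanize(seconds_to_exhaust(n, UNTHROTTLED)),
             humanize(seconds_to_exhaust(n, THROTTLED)))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    for length, size, fast, slow in attack_time_table():
        print(f"{length} chars  keyspace={size:<18,}  10/s: {fast:<16}  100/min: {slow}")
```

Because the throttled rate is only six times slower than the unthrottled one, the gap in the zxcvbn table comes from its guess-ordering model rather than from raw rate; a lockout policy (fewer attempts per longer window) is what makes `rate_per_second` small enough to matter.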


Human Generated Passwords

Passwords chosen by actual users may not be as strong as randomly generated passwords, because people follow predictable patterns.  For example, when users are asked to include capital letters in passwords they will often capitalize the first letter of each word.  When asked to include numbers or special characters in their password, they will often use 'leet' substitutions, so 'password' becomes 'p4$$w0rd'.  Attackers are familiar with these patterns and can exploit them with modified dictionary attacks.  Even though 'password' is eight characters, it would be cracked on the second attempt of a dictionary attack, since it is the second most common password ('123456' is number one).


See: