Strong-Password

This chapter covers the strong-password feature, which forces the user to choose a password that meets a configured security level.

The StrongPassword feature allows the user to hide plaintext passwords so that they are not legible directly from the configuration, and prevents the use of weak passwords. The strength level is adjustable from 0 to 4: level 0 accepts even the weakest passwords, while level 4 accepts only the strongest. The default level is 0.

Every password entered in the system is given a score based on its guessability, that is, the estimated number of attempts an attacker would need in order to guess it. If the score obtained for a particular password is below the configured StrongPassword level, the password cannot be committed to the system.

Conversely, if the StrongPassword level is raised while a non-login password with a score lower than the new level is already stored, the commit produces an error and the level remains unchanged.

The threshold for each StrongPassword score is based on the estimated number of guesses:

  • Score 0 represents a range from 1 to 10^3 guesses.

  • Score 1 represents a range from 10^3 to 10^6 guesses.

  • Score 2 represents a range from 10^6 to 10^8 guesses.

  • Score 3 represents a range from 10^8 to 10^10 guesses.

  • Score 4 represents 10^10 guesses or more.

For every check performed, warning and information traces can be retrieved from the log system to give more detail. A warning is emitted when there are important improvements the user can make to the password; a suggestion is emitted when minor improvements could increase its strength.

Password scoring algorithm

It is not always easy for a human to judge the strength of a password just by looking at it. The algorithm models a password as a concatenation of one or more patterns and assumes that the attacker knows the patterns that make up a password. Each pattern is recognized in three phases: match, estimate and search.

The match phase finds patterns as tokens. Tokens are treated case-insensitively, and every l33t substitution is replaced with its letters-only equivalent, so the input P@ssW0rd is treated as the token password. The matching phase also recognizes reversed patterns such as drowssap, sequences such as abcdef, repetitions such as ababab, keyboard patterns such as asdfghj on QWERTY and aoeuid on DVORAK, and dates such as 11/11/2011. Anything that matches none of these patterns is treated as bruteforce.

The estimation phase determines the number of guesses needed for each pattern found in the previous phase. It assumes that the attacker has some knowledge of these patterns, so that the score of the password is not overestimated.

The last phase, search, finds the cheapest combination of non-overlapping patterns that covers the whole password, and finally outputs the score of the input password.

In summary, to obtain higher scores, the pattern types are listed here from least to most preferable:

Simple words, reversed words, sequences of letters or numbers in order, repeated words, keyboard runs, dates (preferably distant dates) and, best of all, completely random words composed of random characters.
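The following toy scorer, added here as an example and not code from the product, runs the three phases described above (match, estimate, search) and then maps the resulting guess count onto the 0-4 score thresholds listed earlier. The word list, l33t table, keyboard rows, per-pattern multipliers and the reference year 2016 are all assumptions chosen for the example; a real implementation uses far larger lists and finer estimates. It also models the two commit rules from the start of the chapter: a password is rejected when its score is below the configured level, and raising the level fails while a weaker non-login password is still stored.

```python
"""Toy strong-password scorer: match, estimate, search, then map guesses to a 0-4 score.
Added example; word list, multipliers and reference year are assumptions, not the product's own."""
import re

# Constructed rank list: lower rank = more common word (a real deployment ships large lists).
DICTIONARY = {"password": 2, "admin": 5, "letmein": 20, "dragon": 30, "router": 60}
L33T = {"@": "a", "4": "a", "0": "o", "3": "e", "1": "l", "!": "i", "$": "s", "5": "s", "7": "t"}
KEYBOARD_ROWS = {"QWERTY": ["qwertyuiop", "asdfghjkl", "zxcvbnm"],
                 "DVORAK": ["pyfgcrl", "aoeuidhtns", "qjkxbmwvz"]}
KEYS_PER_LAYOUT = 30                                  # assumed number of possible starting keys
THRESHOLDS = [10**3, 10**6, 10**8, 10**10]            # lower bound of scores 1..4 (from the chapter)
DATE_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})$")
REFERENCE_YEAR = 2016                                 # assumed; years far from it cost more guesses


def unleet(token):
    return "".join(L33T.get(c, c) for c in token)


def charset_size(token):
    """Cardinality of the character classes present in the token (bruteforce model)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (lambda c: not c.isalnum(), 33)]
    return sum(size for test, size in classes if any(test(c) for c in token))


def is_sequence(token):
    if len(token) < 3 or not (token.isalpha() or token.isdigit()):
        return False
    return {ord(b) - ord(a) for a, b in zip(token, token[1:])} in ({1}, {-1})


def repeat_unit(token):
    """Return the unit u when token == u * k with k >= 2, else None."""
    for size in range(1, len(token) // 2 + 1):
        if len(token) % size == 0 and token[:size] * (len(token) // size) == token:
            return token[:size]
    return None


def classify(token):
    """Match + estimate for one token: (pattern, guesses), or None if only bruteforce applies."""
    plain = unleet(token.lower())
    # l33t substitution and capitalisation each only double the attacker's work.
    variants = (2 if plain != token.lower() else 1) * (2 if any(c.isupper() for c in token) else 1)
    if plain in DICTIONARY:
        return "dictionary", DICTIONARY[plain] * variants
    if plain[::-1] in DICTIONARY:
        return "reversed", DICTIONARY[plain[::-1]] * 2 * variants
    if is_sequence(token):
        return "sequence", (10 if token.isdigit() else 26) * len(token)
    unit = repeat_unit(token)
    if unit is not None:
        return "repeat", charset_size(unit) ** len(unit) * (len(token) // len(unit))
    if len(token) >= 3 and any(token.lower() in row for rows in KEYBOARD_ROWS.values() for row in rows):
        return "keyboard", KEYS_PER_LAYOUT * 2 ** (len(token) - 1)   # start key, then left/right per step
    m = DATE_RE.match(token)
    if m:
        return "date", 365 * max(abs(int(m.group(3)) - REFERENCE_YEAR), 20) * 4   # x4 for separators
    return None


def search(password):
    """Search phase: cheapest cover of the password by non-overlapping tokens (product of guesses)."""
    best = [None] * (len(password) + 1)
    best[0] = (1, [])
    for j in range(1, len(password) + 1):
        for i in range(j):
            token = password[i:j]
            pattern, guesses = classify(token) or ("bruteforce", charset_size(token) ** len(token))
            total = best[i][0] * guesses
            if best[j] is None or total < best[j][0]:
                best[j] = (total, best[i][1] + [(token, pattern, guesses)])
    return best[-1]


def score(guesses):
    return sum(guesses >= t for t in THRESHOLDS)


def check(password, level):
    """Commit-time check plus the warning/suggestion traces a log would carry."""
    guesses, cover = search(password)
    s, kinds, feedback = score(guesses), {p for _, p, _ in cover}, []
    if s < level:
        feedback.append(f"warning: score {s} below strong-password level {level}, commit rejected")
    if kinds & {"dictionary", "reversed"}:
        feedback.append("warning: contains a common word; l33t, capitals or reversal add little")
    if kinds & {"sequence", "repeat", "keyboard"}:
        feedback.append("warning: predictable sequence, repetition or keyboard run")
    if "date" in kinds:
        feedback.append("suggestion: dates are easy to guess, prefer distant ones")
    if len(password) < 12:
        feedback.append("suggestion: add more random characters")
    return {"score": s, "guesses": guesses, "accepted": s >= level, "cover": cover, "feedback": feedback}


def raise_level(new_level, stored_passwords):
    """Raising the level fails when any stored non-login password would no longer pass."""
    weak = [p for p in stored_passwords if score(search(p)[0]) < new_level]
    return not weak, weak


if __name__ == "__main__":
    for pw in ["P@ssW0rd", "drowssap", "abcdef", "ababab", "asdfghj", "11/11/2011", "xK9#vQ2$bL7!"]:
        r = check(pw, 2)
        print(f"{pw:14} score={r['score']} guesses={r['guesses']:.3g} cover={[c[1] for c in r['cover']]}")
```

Running the block shows that P@ssW0rd collapses to the single dictionary token password with only 8 guesses (the l33t and capital letters each double the cost, nothing more), while the keyboard run, the repetition and the date all land in score 1, and only the random mixed-character string reaches score 4. The search phase is the part that matters most for a defender: a password is only as strong as its cheapest decomposition, so appending a common word to an otherwise random string barely raises the guess count.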

Special cases

There are some special cases to consider. User passwords used for login are checked only when they are converted from plaintext to ciphered form. This means that the strong-password validations are not applied if the configuration is copied in its encrypted form.

Apart from that, there are special cases such as the PIN of cellular devices, which consists of only four digits, where the restrictions of the strong-password subsystem do not make sense.

Configuration commands