June 18th, 2013

Revised Password Strength Criteria and Requirements

LuxSci allows customers to choose a minimum level of password strength for their users, that is applied when users are created and when they change their passwords.  We have made several improvements to this process to help users choose more secure passwords:

  1. Symbols: Good passwords used to require the inclusion of both letters and numbers.  This has been relaxed and made more secure by now allowing the use of “numbers or symbols”.  E.g. passwords containing symbols (such as “$” or “%”) and/or spaces now qualify even if they contain no digits at all.  Such passwords are actually more secure.
  2. More Characters: Customers can set the minimum number of characters in their user passwords.  Previously the largest minimum you could choose was 8 characters. Now, customers can choose to require passwords to contain at least 10, 12, or 16 characters.
  3. Hard to Guess: In addition to password length, LuxSci uses a measure to determine if the password is “hard to guess”.  We have updated this determination so that it uses a new method that is much better at determining what computers can and cannot easily break.

Passwords that are “Hard to Guess”

We have for a long time used the “Crack” password library to determine which passwords are easy or hard to guess.  It did a fair job, was very fast, and was very standard; however, it mostly classifies as hard to guess the passwords that are hard to remember, not necessarily the ones that are hard for a computer to crack.

A lot of research has been done in recent years in determining what makes a good password and what is easy to remember.  It all comes down to:

  1. Avoiding using common passwords
  2. Avoiding using passwords built from common words and variations thereof
  3. Maximizing the “entropy” of the password (e.g. how large the space of passwords that must be searched is, in order to find your password).
  4. Maximizing the time it would take a hacker to guess your password by brute force, using all of the tricks typically used.

We have incorporated a recently generated library for this purpose called “zxcvbn” — for complete details and motivation on its use, see: zxcvbn: realistic password strength estimation.
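As an added illustration (not LuxSci's code and not zxcvbn itself), the following Python models the revised criteria described above: letters plus at least one number, symbol or space; a configurable minimum length of 8, 10, 12 or 16; a rejection of common passwords and leet-speak or digit-suffixed variations of common words; and a naive search-space entropy estimate. The word lists, the 40-bit threshold and the leet substitution table are constructed assumptions, far smaller than what a real checker would use.

```python
import math
import re

# Constructed stand-ins for a real common-password dictionary (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
# Constructed leet-speak substitution table: 0->o, 1->l, 3->e, 4->a, $->s, @->a, 5->s, !->i, 7->t
LEET = str.maketrans("0134$@5!7", "oleasasit")


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols, including space
    return size


def entropy_bits(pw: str) -> float:
    """Naive entropy: log2 of the brute-force search space (length ^ alphabet)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def is_common_word_variant(pw: str) -> bool:
    """Catch common words disguised by case, trailing digits/symbols, or leet spelling."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())  # drop a trailing "123" or "!"
    return base.translate(LEET) in COMMON_WORDS


def check_password(pw: str, min_len: int = 10, min_bits: float = 40.0) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    if min_len not in (8, 10, 12, 16):
        raise ValueError("minimum length must be one of 8, 10, 12, 16")
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_letter = re.search(r"[A-Za-z]", pw) is not None
    has_num_or_sym = re.search(r"[^A-Za-z]", pw) is not None  # digits, symbols, spaces
    if not (has_letter and has_num_or_sym):
        problems.append("needs letters plus at least one number or symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is a common password")
    elif is_common_word_variant(pw):
        problems.append("is a variation of a common word")
    if entropy_bits(pw) < min_bits:
        problems.append(f"entropy {entropy_bits(pw):.1f} bits is below {min_bits}")
    return problems
```

Note that the entropy figure here is the raw search-space estimate the list above refers to; zxcvbn goes further by matching dictionary words, dates and keyboard patterns so that a long but predictable password is not rated as strong.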

It comes down to assisting users in making passwords that are both solid and more easily remembered … by more accurately gauging password strength.

