Books of Note

Practical Common
LispThe best intro to start your journey. Excellent coverage of CLOS.

ANSI Common
LispAnother great starting point with a different focus.

Paradigms of Artificial Intelligence
ProgrammingA superb set of Lisp examples. Not just for the AI crowd.

Tuesday, June 27, 2006

Piss-poor security 

I was trying to register on a web site this morning. It didn't like the password I had chosen. The site complained:

Password length must be at least 5, and it may not contain any spaces or non-printable characters

Well, my password was definitely more than five characters long. It did contain a space, however. Why is that so problemmatic? I cannot, for the life of me, fathom why there are so many programmers out there who refuse to allow people to enter good passwords for things. To make their own programming tasks easier, they arbitrarily restrict the character set of passwords to the easy characters (letters, numbers, and a few non-controversial puctuation characters). Characters that seem to be particularly challenging for these programmers to deal with include spaces and quotation marks of various sorts. Of course, exactly which characters are problemmatic differs from site to site depending on the laziness of the programmer and the peculiarities of the web site back-end.

Rather than coding up a routine to detect all these problemmatic characters, why not spend that time writing a routine to properly escape them whenever they cause problems?

To put some numbers around this, let's just consider random passwords for a minute. By my count, there are 95 printable characters in US-ASCII (non-control characters). Using a 5-character password, that gives approximately 7.74 billion combinations (= 955). If you eliminate space and anything "quote-like" (double quotes, apostrophe, and backquote), that's 91 characters, giving you 6.24 billion combinations, or a reduction of 19.3%. That's a significant reduction of the search space to break a password, all because a programmer was lazy.

"Aha!" I hear you cry. "Just add another character to your password and it's far stronger anyway. After all, 916 = 568 billion combinations." Yes, that's true, longer is definitely better. But it turns out that for the same password length, the percentage reduction in the search space increases as the length gets larger. Thus, at five characters, the reduction is 19.3%. At 10 characters, it's almost 35%.

So, please, if you're coding a login/registration system, do everybody a favor and just write some escape routines. Don't take the easy way out and throw out a large percentage of your security just because you're lazy.


Comments:


You're confusing laziness with stupidity. It's lazy to call the database's provided escape function. It's stupidity to write your own function to filter input.
 


You have a sup tag closed with /sub, and it's confusing my feed aggregator. Would you care to fix it? :-)
 


Sorry about the sub/sup tag problem. Now corrected.
 


Nolan, you're probably right about lazy vs. stupidity. Either way, I'm just tired of it.
 


Thanks for the fix. Now all I have to do is to wait for Planet Lisp to catch up...
 


I would not call the database escape function. Rather I'd base64-encode the password. Simple, secure, portable and future-proof. Specifically for lisp, calling the database escape function seems to be a lot of hassle with the interface-modules I am aware of, and base64-encoding is available in every mime-package.
 


Placeholders AYF
 


You could add printable Unicode characters to the list and get a huge boost in password namespace. The problem is that you must then deal with string preparation (starting with normalization, mapping various characters, prohibiting others, dealing with query/storage/display storage distinctions w.r.t. private use codes, etc...). Throw in cryptographic protocols that use passwords and things get complex. Worse, the set of characters that can reliably be entered on all the UIs that your users can use can be pretty darn small (smaller than the set of printable US-ASCII characters).

Finally, you assume that shorter passwords from larger namespaces are easier to remember than longer passwords from smaller namespaces. Maybe, I don't know. But I do know that it's not trivial to expand the set of characters that users can use in their passwords.
 

Post a Comment


Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours?