Sitefinity - Passwords
Sitefinity is secure platform. It is PCI and FIPS compliant in all areas where user credentials are stored but there are some things still left in your hands to ensure it is secure. Password policy is one area that you are in charge of. Passwords are pain. If we use something we can remember it is weak. If we use something secure its hard to remember. And what some sites require for a strong password are often not that strong.
What is and how do we choose a good password? Our general instructions from our security experts are that it has to be 8 characters long and contain a number and special character. So people use P@ssw0rd. Not that great actually. Why not? So what then? The best place to start is to understand how passwords are cracked.
I don't want to make this a long discussion on passwords, (as I have read some long ones), so if you can take my comments as a generalisation then we don't have to go into the but's, or's, sometimes scenario's.
A hacker will gain access to a user database, or file that contains user names and the encrypted passwords or they may just try to regularly log on to your site using a list of known user names. (Much harder and longer but a bad logon screen could validate the effort.)
Next they use a computer to try and guess the password. That's right the computer goes, is it bob123? Is it bob124? Is it bob125? Now this might seem lame but its basically true. Except a computer can make 1000's of guesses a second. Password cracking programs are also quite smart in their guessing. They know that people create passwords based on lots of habits so they of course try P@ssw0rd first, (even though it passes our secure password instructions) and all its variations. If they can find out your date of birth or family they add those to the try first list.
How long does it take to guess? Well according to howsecureismypassword.net P@ssw0rd would take 3 days for your average PC to crack. But this assumes that the last guess is the correct one. They also take into account common terms which are terms, phrases or combos people often use in passwords.
If you use this indicator, you will see that by adding a letter to the end of our password the time goes to 275 days. Add a second letter and P@ssw0rdab takes 58 years.
Note that this is an ordinary desktop PC. A hacker may have a bank of kick arse PC's, (they particularly use GPU's these days) or even rent space on a cloud environment employing 10's of kick arse machines. Or a custom system that can do 350 billion guesses per second.
Want the sad reality - have a read of this article. Take particular note of how each cracker looked for patterns and habits of people and their passwords to speed up the process.
So what is a good password
So cutting further discussions lets get to what I suggest is a better password strategy.
I am not a security expert or claim that you will be safe following my advice below.
First and obvious is length. Your password should be 12ish characters. HelpMeChoose1 rates at 1 million years.
Next it needs to be unguessable. So you shouldn't use things that represent you such as your date of birth. I like the system where you
choose three or four random words that mean something to you and don't make sense to anyone else. DogFruitPies as on a holiday our dog ate
all the frozen pies and we were left with just fruit for 3 days. This rates at 1000 years.
This is better but it uses all English words and these are guessable. Also we should throw in a number and special character. But be aware, smart guessers know it is common to use @ for 'a' and 3 for 'e', etc. An option is add 3ish random characters on the end. DogFruitPieslll turns it to 435 million years.
I would also misspell some words. DogFriutPyeslll. Though this still is 435 million years on the indicator this will cause a lot more trouble for the smart crackers who will be trying correctly spelt words first. Finally try DogFriutPyes!12 and we get 157 billion years. Or !Dog! Friut!Pyes!
How does a computer generated password rate? )a#BDd]H7~TngP! gives us 4 trillion years on the indicator. If you need 12 trillion years just add a character to the end of our sample such as DogFriutPyes!12x. (Remember take the indicator with a grain of salt as real password crackers are far more efficient.)
So it is not hard to create a strong, (can't say secure because they can all be cracked), password but just keep in mind of how crackers crack them. You need to ensure primarily that you can remember it and second that a computer, (or person), can not guess it. You literally want them to be left with brute force guessing as the only options for them.
So when it comes to setting your password policy in Sitefinity don't go with the default. Enhance it and educate your users.
Thanks for reading and feel free to comment - Darrin Robertson