
Basic Password Management Library

From OWASP

Introduction

If a web application is a dungeon, then passwords are the dragons guarding its entrance. They are the single entity that keeps a user safe. There are many things that can go wrong with passwords, and many challenges that need to be addressed to keep them safe from prying eyes. Everything from generating a password to storing it has to be done correctly, otherwise attackers will be able to crack it. No wonder attackers treat password cracking as a high-value target: the payoff is rich. Once a password is cracked, there are few or no mechanisms in place to stop the attacker from accessing the account. This library provides developers with functions that help them create a strong password, verify it, and store it correctly. It also contains a rich variety of functions that identify the patterns in a password that attackers exploit most.

Where things go wrong?

To show how passwords are exploited and to distinguish a strong password from a weak one, here are a few points:

  • Many users follow a common pattern in their passwords, such as their birth date, phone number or nickname. This behaviour is far less random than it seems to the user, and attackers exploit it by trying combinations of the user's personal data.
  • With advanced computing power and massive parallel processing, short passwords can easily be guessed by brute-force search. Weak passwords can now be cracked in only a few hours.
  • Passwords must be stored in the system using hashing. Storing plain passwords in your database is unethical, wrong and extremely dangerous, so passwords must be hashed before they are stored. The hashing algorithm used must also be cryptographically secure and must produce a long, random-looking output, otherwise the hashes can be cracked.
  • Recent events have shown that plain hashing of passwords is not enough: it can be cracked easily. Techniques such as rainbow tables and pre-compiled password tables make cracking plain hashed passwords very easy. It is therefore necessary to first "salt" the plain password and then apply the hashing algorithm. Salting a password means mixing a random value into each password so that its hash changes. Salts are not sensitive data; they are simply random values used to change the hash of a password so that pre-compiled tables cannot be used for cracking. To be more secure, it is advised to use a dynamic salt in conjunction with a static salt, i.e. the password is mixed with a static string shared by all passwords and also with a dynamic string unique to that password. This way attackers will not be able to crack the passwords even if they know the static salt beforehand.
  • To be secure, a password must contain at least some degree of randomness. A password is secure if it is random; a non-random password will be cracked regardless of its length.


PHPSEC Basic Password Management Implementation

This library contains many functions: detecting specific patterns in a string, calculating the randomness of a string, password hashing and salting, and more. Developers can combine these functions to calculate the strength of a string themselves, or they can use the ready-made functions provided. Here is a list of the common types of functions found in this library:
  • Password Hashing: Function to properly mix a static and a dynamic salt into a password and then calculate its hash.
  • Password Verification: Function to calculate the hash of a new string and compare it with the stored hash of the user's password, to check whether the new string and the user's password are the same.
  • Password Entropy: Function to calculate the "randomness" of a string. Using this function, developers can quantify the randomness of a string.
  • Pattern Recognition in Strings: Set of functions capable of recognizing specific patterns in a string, such as phone numbers, dates, alphabetic sequences such as "abcde", and keyboard sequences such as "qwerty".
  • Password Strength: Function to check the strength of a string on a scale from 0 to 1. This function uses the methods above to calculate the score of a password.
  • Password Generation: Function to generate a password of a specified strength. The strength can be between 0 and 1.
  • Misc Functions: Other functions providing common utilities that this library needs in order to work.
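As an added illustration, not code from the PHPSEC library itself, the following Python sketch shows the ideas described in the salting bullet above and in this function list: a static salt combined with a per-password dynamic salt before hashing, constant-time verification, a frequency-based entropy measure, simple pattern detection, and a 0 to 1 strength score. The static salt value, the PBKDF2 work factor, the 60-bit target and the pattern lists are assumptions for this example.

```python
import hashlib, hmac, math, os, re
from typing import List, Optional

# Static salt shared by every password; assumed to live in application
# configuration, not in the database. Constructed value for this example.
STATIC_SALT = b"example-static-salt-not-a-real-secret"
ITERATIONS = 200_000          # PBKDF2 work factor, assumed for this example
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def hash_password(password: str, dynamic_salt: Optional[bytes] = None) -> str:
    """Mix the static salt and a per-password dynamic salt into the password,
    then derive the hash with PBKDF2-HMAC-SHA256. Returns 'saltHex$hashHex'."""
    if dynamic_salt is None:
        dynamic_salt = os.urandom(16)   # fresh random value unique to this password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 STATIC_SALT + dynamic_salt, ITERATIONS)
    return dynamic_salt.hex() + "$" + digest.hex()

def verify_password(candidate: str, stored: str) -> bool:
    """Re-hash the candidate with the stored dynamic salt; compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

def entropy_bits(s: str) -> float:
    """Shannon entropy per character, in bits, from character frequencies."""
    if not s:
        return 0.0
    freqs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def find_patterns(s: str) -> List[str]:
    """Name weak patterns: keyboard walks, alphabet runs, phone-like digit runs, dates."""
    low, found = s.lower(), []
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        found.append("keyboard")
    if any(ALPHABET[i:i + 4] in low for i in range(len(ALPHABET) - 3)):
        found.append("alphabetic")
    if re.search(r"\d{7,}", s):
        found.append("phone")
    if re.search(r"(19|20)\d{2}|\d{2}[/-]\d{2}", s):
        found.append("date")
    return found

def password_strength(s: str) -> float:
    """Score 0..1: total entropy (per-char bits x length) against an assumed
    60-bit target, halved for each detected pattern."""
    score = min(entropy_bits(s) * len(s) / 60.0, 1.0)
    return round(score * 0.5 ** len(find_patterns(s)), 3)
```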

Other Helpful Links