Click here to close now.

Welcome!

Linux Containers Authors: Roger Strukhoff, Pat Romanski, Carmen Gonzalez, Elizabeth White, Liz McMillan

Related Topics: Perl, Java IoT, Microsoft Cloud, Linux Containers, Cloud Security

Perl: Article

The Development of a Perl-based Password Complexity Filter

A useful foundation for developers and system administrators to improve password policy compliance

If you watch the news regularly, it is easy to notice that in almost any given week some company seems to have experienced an electronic break-in or in some other way experienced a form of computer or network compromise. While computer security professionals can help to mitigate such risks via the proper configuration of firewalls, careful crafting of Access Control Lists, the application of updates, and the judicious application of file permission, among other measures, it's important that one of the most fundamental ways of improving the security of a computer or network resource not be overlooked - that of a really strong password. To this day passwords remain one of the weaker links in the security of electronic resources, and their potential for exploitation needs to be examined more carefully than ever. With the growing trend of cloud computing-based initiatives, many resources that were formerly enclosed within the wall of a business are now available over a network, thereby mitigating the physical security measures the previously helped to limit access to such resources. Given that many of these cloud-based solutions are accessed via user name and password combinations, a strong password is often the primary form of defense against illicit access.

The Makings of a Strong Password
One of the best ways to ensure that users of any application you develop have a strong password is to validate the strength of the password via the usage of a password complexity filter, which ensures that any proposed password meets certain minimum complexity requirements. In order to get a clear grasp of the requirements considered essential for a strong password, let's first consider several password usage cases. First let's consider a case where we have an application that only utilizes case-insensitive alphabet characters in a password that's four characters long. If we were to compute the number of possible passwords that could fit into such a "password space," we would see that passwords created with these rules in mind would allow for

26 * 26 * 26 * 26 = 264 = 456,976 possible passwords

If we instead now allow passwords to be case sensitive and distinguish upper and lowercase characters as being distinct, you can readily see that we have increased the size of the password space since we would now have

52 * 52 * 52 * 52 = 524 = 7,311,616 possible passwords

Now if we also allow our application to include passwords that contain numbers we would end up with 624 (14,776,336) possible passwords, and if we incorporate a set of special characters the number of possible passwords would be even greater. You can clearly see that for each additional character set we add, the number of possible passwords that could be created expands. The greater the size of this password space, the harder it would be for a person with malicious intentions to obtain the password, since any brute force attack would require the attacker to try an increasingly large number of password possibilities before the correct password was obtained. Thus our demonstrations so far have indicated that we greatly enhance the security of our passwords by requiring users to create passwords with a combination of mixed case letters, numbers, and special characters since this yields the maximum possible variability within each allowed character position.

Increasing the variability at each position is not the only way of expanding the size of this password space, however. This space can be expanded to an even greater degree by increasing the number of allowable positions. For example, if we consider our first usage case of the case-insensitive password and simply add a fifth position to the password, we would now have 265 (11,881,376) possible passwords and for each additional position we add, we would have exponentially more password possibilities. This illustrates that length as well as positional variability is crucial to creating a strong password. Typically, password minimums are set in the 8-10 character range, but for highly secure systems it may be desirable to require even longer passwords.

In addition, while each of these aforementioned techniques can work to reduce the potential for brute force attacks, by helping to ensure that finding the correct password within the entire search space would take an inordinate amount of time, you should not overlook the fact that too many passwords do not require brute force approaches to find. The human aspect should never be forgotten about, and keep in mind that remembering random strings of letters, numbers, and special characters may not be the easiest thing in the world for many users. Because of this, many users seek to use dictionary words or names as passwords and this forms the basis for the use of dictionary attacks, in which a long listing of names and words are tried as passwords, with the hopes that one will match. Likewise, dates such as anniversaries or birthdays are not a good choice either, since they can readily be incorporated into a dictionary style attack as well. Dictionary attacks are such an established threat, that dictionary words should never be used as a password or as a part of a password.

When considering establishing password policies, with regards to dictionary words, you should also consider that many users seek to use dictionary words as a basis for their passwords with some minor modifications to incorporate special characters and/or numbers. For example, a user might take a dictionary word like "password" and modify into "pa$sword" to meet a special character requirement or they may modify "security" into "s3curity" to incorporate a number. Many dictionaries used for dictionary attacks now include such minor word variations in their word listings, and as such it may be prudent to disallow the creation of such passwords.

In this article we'll look at the development of a Perl -based password complexity filter that can be readily adapted for compliance with the most standard password policies. As such the script could serve as a useful basis for checking the strength of passwords users wish to use for access to Web applications.

The Password Complexity Filter
Before the coding of the password complexity filter is delved into, a dictionary of words should first be created for use by the password complexity filter script in order to flag any password that's based on a dictionary word as being a poor choice. In order to do this, we will make use of a modified form of the "words.txt" file that comes standard with most Linux distributions, but with a minor modification. The words.txt file will be modified to eliminate all words of less than three characters, because the presence of small words in the dictionary such as "I," "a," "at," etc., can lead to many false positive identifications of passwords as being poor password choices because they are based on dictionary words. One other important consideration to keep in mind when running this script is that code itself is portable between both Linux and Windows, but in order for the code to function properly, the list of dictionary words needs to be saved in the text formatting that is used by the platform the code is being run on due to differences in encoding line endings.

Now that the dictionary is established, we can begin to look at the Perl code, which begins by first declaring the Perl modules that it makes use of and opens the file that stores the dictionary list as follows:

use strict;
use Fcntl qw(:seek);
#words.txt file is derived from the linux ditionary file with all words of 3 characters
#or less removed, since small words like "at" and "I" can trigger false positives
open(WORDS, "words2.txt") or die("Cannot open words.txt \n");

The "use strict" pragma is used to help ensure the quality of the Perl code by forcing all variables to be explicitly declared, and the Fcntrl module will be utilized to navigate around the dictionary list file. The dictionary file is assumed to be in the same directory as the Perl script by this code and is opened with the file handle WORDS.

Next the script declares its variables as follows:

my $word;
my $passwd;
my $dc=1;
my $count=0;
my $len=8; #sets the minimum password length
my $minnum=1; #sets the minimum number of digits
my $minup=1; #sets the minimum number of uppercase letters
my $minlow=1; #sets the minimum number of lowercase letters
my $minspec=1; #sets the minimim number of special characters
my @FuzzyStrings;
my $regexp;
my $char;
my $stringpos;
my $i;
my $j;

The functions of each variable will be discussed as they are utilized, but the main variables of interest to those who seek to customize the password complexity filter to suit their respective password policies are the variables that each begin with "$min" since these are used to set the minimum lengths of each password and the minimum amounts of each character type as indicated in the code comments.

The script then seeks to compare the provided password to a list of dictionary words to make sure that none of the passwords contain dictionary words by using the following segment of code:

$passwd=join(" ", @ARGV);

while($word=<WORDS>){
chomp($word);
if($passwd=~/$word/i){
print "Password Contains A Dictionary Word: FAIL \n";
$dc=0;
last;
}
}
if($dc==1){print "Dictionary Check: PASS \n";}

Note that in the variable list above, the variable $dc was set equal to 1, since this variable will serve as our indicator of whether or not the user-provided password contains a dictionary word. The above segment of code loops through each word in the dictionary file and uses case-insensitive regular expression-based pattern matching to determine if the password contains a dictionary word. If the password ($passwd) matches any of the words in the dictionary, the variable $dc is set to 0 and a failure warning printed to STDOUT. If $dc remains equal to 1, a pass message is displayed.

The next check is a straightforward password length check, wherein the length of the password is compared to the minimum required password length ($len), as demonstrated below:

if(length($passwd)<$len){
print "Password Is Too Short: FAIL \n";
}
else{print "Length Check: PASS \n";}

Following this, the script will check to ensure the password contains at least the minimum number of upper and lower case characters, numbers, and special characters by using the following code segments:

while($passwd=~/\d/g){
$count=$count+1;
}
if($count<$minnum){
print "Password Does Not Contain $minnum Number(s): FAIL  \n";
}
else{print "Contains Number Check: PASS \n";}

$count=0;

while($passwd=~/[a-z]/g){
$count=$count+1;
}
if($count<$minlow){
print "Password Does Not Contain $minlow Lowercase Letter(s): FAIL \n";
}
else{print "Contains Lowercase Letter Check: PASS \n";}

$count=0;

while($passwd=~/[A-Z]/g){
$count=$count+1;
}
if($count<$minup){
print "Password Does Not Contain $minup Uppercase Letter(s): FAIL \n";
}
else{print "Contains Uppercase Letter Check: PASS \n";}

$count=0;

while($passwd=~/!|"|#|\$|%|&|'|\(|\)|\*|\+|,|-|\.|\/|:|;|<|=|>|\?|@|\[|\\|]|\^|_|`|\{|\||}|~/g){
$count=$count+1;
}
if($count<$minspec){
print "Password Does Not Contain $minspec Special Character(s): FAIL \n";
}
else{print "Contains Special Character Check: PASS \n";}

In each case, the script counts the number of times the character type of interest appears by making use of global pattern matching (/g), and comparing this count to the specified minimums. One thing to keep in mind is that not all software platforms support the full range of special characters listed here, so that particular regular expression may require some editing. If that's the case, be sure to pay attention to which special characters are metacharacters and keep them prefixed with a backslash to ensure proper compilation and functionality. A sample output using the checks discussed so far can be seen in Figure 1.

Figure 1: "password123" tested against the complexity filter. It is properly detected as a dictionary word and its character composition is correctly assessed.

At this point we have one remaining check to complete and that is the check to see if the entered password is just a minor modification of a dictionary word, which is carried out as shown below:

if($dc==1){
seek(WORDS, 0, SEEK_SET);
my $length=length($passwd);

for($i=0;$i<=$length-1;$i++){
pos($passwd)=0;
while($passwd=~/(\w)/gc){
$char=$1;
$stringpos=pos($passwd)-1;
if($stringpos==$i){
$FuzzyStrings[$i]=$FuzzyStrings[$i] . '.';
}
else{
$FuzzyStrings[$i]=$FuzzyStrings[$i] . $char;
}
}
if($i==0){
$regexp=$FuzzyStrings[$i];
}
else{
$regexp=$regexp . '|' . $FuzzyStrings[$i];
}
}
while($word=<WORDS>){
chomp($word);
if($word=~/$regexp/i){
print "Password Contains A Dictionary Word with Minor Substitution: FAIL \n";
$dc=0;
last;
}
}
if($dc==1){print "Dictionary Word with Minor Substitution Check: PASS \n";}
}

This check will only run if the earlier dictionary check did not find the password to be an exact dictionary word ($dc==1). It initially sets the dictionary word file back to its starting point and computes the length of the password. A nested set of loops and conditional statements is then used to create an array of @FuzzyStrings in which each character within the password is individually sequentially replaced with the "." character. "." is a special character within Perl regular expressions that can be used to match any other character. The result of this nested control structure yields a regular expression that is stored in the $regexp variable, such that a password "abc" would be turned into the regular expression ".bc|a.c|ab.". This means that a password that consists of a substitution of a dictionary word at any single position, to any type of character, will match the created regular expression. Once this regular expression is created, it's then matched against every word in the dictionary list to determine if the password is just a minor variant of any dictionary word (see Figure2). The fuzziness of the regular expression can also be readily enhanced by using quantifiers in conjunction with the ".", as the presence of quantifiers would allow for more than single character substitutions to be discovered. In particular the presence of a quantifier may be desirable for when the first and last character positions are ".", since this will allow for the detection of a partial word being appended to some additional characters.

Figure 2: Demonstration of how the password complexity filter picks up "pas$word" as being a dictionary word with a minor substitution.

Conclusion
This above script illustrates various techniques that can be used to create password complexity filters for use in verifying that existing passwords comply with an organization's password complexity requirements (see Figure 3). Moreover, this script can be run in its current command-line form or readily modified into a CGI application to provide a Web-based interface for making use of the programs functionality. As such, the article and example script should provide a useful foundation for developers and system administrators to improve password policy compliance within their organization.

Figure 3: A password that passes all checks.

More Stories By Christopher Frenz

Christopher Frenz is the author of "Visual Basic and Visual Basic .NET for Scientists and Engineers" (Apress) and "Pro Perl Parsing" (Apress). He is a faculty member in the Department of Computer Engineering at the New York City College of Technology (CUNY), where he performs computational biology and machine learning research.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that BMC will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. BMC has worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to mobile, BMC pairs high-speed digital innovation with robust IT industrialization – allowing customers to provide amazing user experiences with optimized IT per...
2015 predictions circa 1970: houses anticipate our needs and adapt, city infrastructure is citizen and situation aware, office buildings identify and preprocess you. Today smart buildings have no such collective conscience, no shared set of fundamental services to identify, predict and synchronize around us. LiveSpace and M2Mi are changing that. LiveSpace Smart Environment devices deliver over the M2Mi IoT Platform real time presence, awareness and intent analytics as a service to local connected devices. In her session at @ThingsExpo, Sarah Cooper, VP Business of Development at M2Mi, will d...
The Industrial Internet revolution is now underway, enabled by connected machines and billions of devices that communicate and collaborate. The massive amounts of Big Data requiring real-time analysis is flooding legacy IT systems and giving way to cloud environments that can handle the unpredictable workloads. Yet many barriers remain until we can fully realize the opportunities and benefits from the convergence of machines and devices with Big Data and the cloud, including interoperability, data security and privacy.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In this session, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, will describe how to revolutionize your architecture and...
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series data. By focusing on enterprise applications and the data center, he will use OpenTSDB as an example t...
We’re entering a new era of computing technology that many are calling the Internet of Things (IoT). Machine to machine, machine to infrastructure, machine to environment, the Internet of Everything, the Internet of Intelligent Things, intelligent systems – call it what you want, but it’s happening, and its potential is huge. IoT is comprised of smart machines interacting and communicating with other machines, objects, environments and infrastructures. As a result, huge volumes of data are being generated, and that data is being processed into useful actions that can “command and control” thi...
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
We are reaching the end of the beginning with WebRTC, and real systems using this technology have begun to appear. One challenge that faces every WebRTC deployment (in some form or another) is identity management. For example, if you have an existing service – possibly built on a variety of different PaaS/SaaS offerings – and you want to add real-time communications you are faced with a challenge relating to user management, authentication, authorization, and validation. Service providers will want to use their existing identities, but these will have credentials already that are (hopefully) i...
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
Thanks to widespread Internet adoption and more than 10 billion connected devices around the world, companies became more excited than ever about the Internet of Things in 2014. Add in the hype around Google Glass and the Nest Thermostat, and nearly every business, including those from traditionally low-tech industries, wanted in. But despite the buzz, some very real business questions emerged – mainly, not if a device can be connected, or even when, but why? Why does connecting to the cloud create greater value for the user? Why do connected features improve the overall experience? And why do...
SYS-CON Events announced today that O'Reilly Media has been named “Media Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York City, NY. O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participa...
Imagine a world where targeting, attribution, and analytics are just as intrinsic to the physical world as they currently are to display advertising. Advances in technologies and changes in consumer behavior have opened the door to a whole new category of personalized marketing experience based on direct interactions with products. The products themselves now have a voice. What will they say? Who will control it? And what does it take for brands to win in this new world? In his session at @ThingsExpo, Zack Bennett, Vice President of Customer Success at EVRYTHNG, will answer these questions a...
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
An entirely new security model is needed for the Internet of Things, or is it? Can we save some old and tested controls for this new and different environment? In his session at @ThingsExpo, New York's at the Javits Center, Davi Ottenheimer, EMC Senior Director of Trust, reviewed hands-on lessons with IoT devices and reveal a new risk balance you might not expect. Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is co-author of t...
The Internet of Things is a misnomer. That implies that everything is on the Internet, and that simply should not be - especially for things that are blurring the line between medical devices that stimulate like a pacemaker and quantified self-sensors like a pedometer or pulse tracker. The mesh of things that we manage must be segmented into zones of trust for sensing data, transmitting data, receiving command and control administrative changes, and peer-to-peer mesh messaging. In his session at @ThingsExpo, Ryan Bagnulo, Solution Architect / Software Engineer at SOA Software, focused on desi...
The multi-trillion economic opportunity around the "Internet of Things" (IoT) is emerging as the hottest topic for investors in 2015. As we connect the physical world with information technology, data from actions, processes and the environment can increase sales, improve efficiencies, automate daily activities and minimize risk. In his session at @ThingsExpo, Ed Maguire, Senior Analyst at CLSA Americas, will describe what is new and different about IoT, explore financial, technological and real-world impact across consumer and business use cases. Why now? Significant corporate and venture...
While great strides have been made relative to the video aspects of remote collaboration, audio technology has basically stagnated. Typically all audio is mixed to a single monaural stream and emanates from a single point, such as a speakerphone or a speaker associated with a video monitor. This leads to confusion and lack of understanding among participants especially regarding who is actually speaking. Spatial teleconferencing introduces the concept of acoustic spatial separation between conference participants in three dimensional space. This has been shown to significantly improve comprehe...
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
There will be 150 billion connected devices by 2020. New digital businesses have already disrupted value chains across every industry. APIs are at the center of the digital business. You need to understand what assets you have that can be exposed digitally, what their digital value chain is, and how to create an effective business model around that value chain to compete in this economy. No enterprise can be complacent and not engage in the digital economy. Learn how to be the disruptor and not the disruptee.