Welcome!

Java Authors: Lori MacVittie, Esmeralda Swartz, JP Morgenthal, Ivan Antsipau, Trevor Parsons

Related Topics: Perl, Java, .NET, Linux, Security

Perl: Article

The Development of a Perl-based Password Complexity Filter

A useful foundation for developers and system administrators to improve password policy compliance

If you watch the news regularly, it is easy to notice that in almost any given week some company seems to have experienced an electronic break-in or in some other way experienced a form of computer or network compromise. While computer security professionals can help to mitigate such risks via the proper configuration of firewalls, careful crafting of Access Control Lists, the application of updates, and the judicious application of file permission, among other measures, it's important that one of the most fundamental ways of improving the security of a computer or network resource not be overlooked - that of a really strong password. To this day passwords remain one of the weaker links in the security of electronic resources, and their potential for exploitation needs to be examined more carefully than ever. With the growing trend of cloud computing-based initiatives, many resources that were formerly enclosed within the wall of a business are now available over a network, thereby mitigating the physical security measures the previously helped to limit access to such resources. Given that many of these cloud-based solutions are accessed via user name and password combinations, a strong password is often the primary form of defense against illicit access.

The Makings of a Strong Password
One of the best ways to ensure that users of any application you develop have a strong password is to validate the strength of the password via the usage of a password complexity filter, which ensures that any proposed password meets certain minimum complexity requirements. In order to get a clear grasp of the requirements considered essential for a strong password, let's first consider several password usage cases. First let's consider a case where we have an application that only utilizes case-insensitive alphabet characters in a password that's four characters long. If we were to compute the number of possible passwords that could fit into such a "password space," we would see that passwords created with these rules in mind would allow for

26 * 26 * 26 * 26 = 264 = 456,976 possible passwords

If we instead now allow passwords to be case sensitive and distinguish upper and lowercase characters as being distinct, you can readily see that we have increased the size of the password space since we would now have

52 * 52 * 52 * 52 = 524 = 7,311,616 possible passwords

Now if we also allow our application to include passwords that contain numbers we would end up with 624 (14,776,336) possible passwords, and if we incorporate a set of special characters the number of possible passwords would be even greater. You can clearly see that for each additional character set we add, the number of possible passwords that could be created expands. The greater the size of this password space, the harder it would be for a person with malicious intentions to obtain the password, since any brute force attack would require the attacker to try an increasingly large number of password possibilities before the correct password was obtained. Thus our demonstrations so far have indicated that we greatly enhance the security of our passwords by requiring users to create passwords with a combination of mixed case letters, numbers, and special characters since this yields the maximum possible variability within each allowed character position.

Increasing the variability at each position is not the only way of expanding the size of this password space, however. This space can be expanded to an even greater degree by increasing the number of allowable positions. For example, if we consider our first usage case of the case-insensitive password and simply add a fifth position to the password, we would now have 265 (11,881,376) possible passwords and for each additional position we add, we would have exponentially more password possibilities. This illustrates that length as well as positional variability is crucial to creating a strong password. Typically, password minimums are set in the 8-10 character range, but for highly secure systems it may be desirable to require even longer passwords.

In addition, while each of these aforementioned techniques can work to reduce the potential for brute force attacks, by helping to ensure that finding the correct password within the entire search space would take an inordinate amount of time, you should not overlook the fact that too many passwords do not require brute force approaches to find. The human aspect should never be forgotten about, and keep in mind that remembering random strings of letters, numbers, and special characters may not be the easiest thing in the world for many users. Because of this, many users seek to use dictionary words or names as passwords and this forms the basis for the use of dictionary attacks, in which a long listing of names and words are tried as passwords, with the hopes that one will match. Likewise, dates such as anniversaries or birthdays are not a good choice either, since they can readily be incorporated into a dictionary style attack as well. Dictionary attacks are such an established threat, that dictionary words should never be used as a password or as a part of a password.

When considering establishing password policies, with regards to dictionary words, you should also consider that many users seek to use dictionary words as a basis for their passwords with some minor modifications to incorporate special characters and/or numbers. For example, a user might take a dictionary word like "password" and modify into "pa$sword" to meet a special character requirement or they may modify "security" into "s3curity" to incorporate a number. Many dictionaries used for dictionary attacks now include such minor word variations in their word listings, and as such it may be prudent to disallow the creation of such passwords.

In this article we'll look at the development of a Perl -based password complexity filter that can be readily adapted for compliance with the most standard password policies. As such the script could serve as a useful basis for checking the strength of passwords users wish to use for access to Web applications.

The Password Complexity Filter
Before the coding of the password complexity filter is delved into, a dictionary of words should first be created for use by the password complexity filter script in order to flag any password that's based on a dictionary word as being a poor choice. In order to do this, we will make use of a modified form of the "words.txt" file that comes standard with most Linux distributions, but with a minor modification. The words.txt file will be modified to eliminate all words of less than three characters, because the presence of small words in the dictionary such as "I," "a," "at," etc., can lead to many false positive identifications of passwords as being poor password choices because they are based on dictionary words. One other important consideration to keep in mind when running this script is that code itself is portable between both Linux and Windows, but in order for the code to function properly, the list of dictionary words needs to be saved in the text formatting that is used by the platform the code is being run on due to differences in encoding line endings.

Now that the dictionary is established, we can begin to look at the Perl code, which begins by first declaring the Perl modules that it makes use of and opens the file that stores the dictionary list as follows:

use strict;
use Fcntl qw(:seek);
#words.txt file is derived from the linux ditionary file with all words of 3 characters
#or less removed, since small words like "at" and "I" can trigger false positives
open(WORDS, "words2.txt") or die("Cannot open words.txt \n");

The "use strict" pragma is used to help ensure the quality of the Perl code by forcing all variables to be explicitly declared, and the Fcntrl module will be utilized to navigate around the dictionary list file. The dictionary file is assumed to be in the same directory as the Perl script by this code and is opened with the file handle WORDS.

Next the script declares its variables as follows:

my $word;
my $passwd;
my $dc=1;
my $count=0;
my $len=8; #sets the minimum password length
my $minnum=1; #sets the minimum number of digits
my $minup=1; #sets the minimum number of uppercase letters
my $minlow=1; #sets the minimum number of lowercase letters
my $minspec=1; #sets the minimim number of special characters
my @FuzzyStrings;
my $regexp;
my $char;
my $stringpos;
my $i;
my $j;

The functions of each variable will be discussed as they are utilized, but the main variables of interest to those who seek to customize the password complexity filter to suit their respective password policies are the variables that each begin with "$min" since these are used to set the minimum lengths of each password and the minimum amounts of each character type as indicated in the code comments.

The script then seeks to compare the provided password to a list of dictionary words to make sure that none of the passwords contain dictionary words by using the following segment of code:

$passwd=join(" ", @ARGV);

while($word=<WORDS>){
chomp($word);
if($passwd=~/$word/i){
print "Password Contains A Dictionary Word: FAIL \n";
$dc=0;
last;
}
}
if($dc==1){print "Dictionary Check: PASS \n";}

Note that in the variable list above, the variable $dc was set equal to 1, since this variable will serve as our indicator of whether or not the user-provided password contains a dictionary word. The above segment of code loops through each word in the dictionary file and uses case-insensitive regular expression-based pattern matching to determine if the password contains a dictionary word. If the password ($passwd) matches any of the words in the dictionary, the variable $dc is set to 0 and a failure warning printed to STDOUT. If $dc remains equal to 1, a pass message is displayed.

The next check is a straightforward password length check, wherein the length of the password is compared to the minimum required password length ($len), as demonstrated below:

if(length($passwd)<$len){
print "Password Is Too Short: FAIL \n";
}
else{print "Length Check: PASS \n";}

Following this, the script will check to ensure the password contains at least the minimum number of upper and lower case characters, numbers, and special characters by using the following code segments:

while($passwd=~/\d/g){
$count=$count+1;
}
if($count<$minnum){
print "Password Does Not Contain $minnum Number(s): FAIL  \n";
}
else{print "Contains Number Check: PASS \n";}

$count=0;

while($passwd=~/[a-z]/g){
$count=$count+1;
}
if($count<$minlow){
print "Password Does Not Contain $minlow Lowercase Letter(s): FAIL \n";
}
else{print "Contains Lowercase Letter Check: PASS \n";}

$count=0;

while($passwd=~/[A-Z]/g){
$count=$count+1;
}
if($count<$minup){
print "Password Does Not Contain $minup Uppercase Letter(s): FAIL \n";
}
else{print "Contains Uppercase Letter Check: PASS \n";}

$count=0;

while($passwd=~/!|"|#|\$|%|&|'|\(|\)|\*|\+|,|-|\.|\/|:|;|<|=|>|\?|@|\[|\\|]|\^|_|`|\{|\||}|~/g){
$count=$count+1;
}
if($count<$minspec){
print "Password Does Not Contain $minspec Special Character(s): FAIL \n";
}
else{print "Contains Special Character Check: PASS \n";}

In each case, the script counts the number of times the character type of interest appears by making use of global pattern matching (/g), and comparing this count to the specified minimums. One thing to keep in mind is that not all software platforms support the full range of special characters listed here, so that particular regular expression may require some editing. If that's the case, be sure to pay attention to which special characters are metacharacters and keep them prefixed with a backslash to ensure proper compilation and functionality. A sample output using the checks discussed so far can be seen in Figure 1.

Figure 1: "password123" tested against the complexity filter. It is properly detected as a dictionary word and its character composition is correctly assessed.

At this point we have one remaining check to complete and that is the check to see if the entered password is just a minor modification of a dictionary word, which is carried out as shown below:

if($dc==1){
seek(WORDS, 0, SEEK_SET);
my $length=length($passwd);

for($i=0;$i<=$length-1;$i++){
pos($passwd)=0;
while($passwd=~/(\w)/gc){
$char=$1;
$stringpos=pos($passwd)-1;
if($stringpos==$i){
$FuzzyStrings[$i]=$FuzzyStrings[$i] . '.';
}
else{
$FuzzyStrings[$i]=$FuzzyStrings[$i] . $char;
}
}
if($i==0){
$regexp=$FuzzyStrings[$i];
}
else{
$regexp=$regexp . '|' . $FuzzyStrings[$i];
}
}
while($word=<WORDS>){
chomp($word);
if($word=~/$regexp/i){
print "Password Contains A Dictionary Word with Minor Substitution: FAIL \n";
$dc=0;
last;
}
}
if($dc==1){print "Dictionary Word with Minor Substitution Check: PASS \n";}
}

This check will only run if the earlier dictionary check did not find the password to be an exact dictionary word ($dc==1). It initially sets the dictionary word file back to its starting point and computes the length of the password. A nested set of loops and conditional statements is then used to create an array of @FuzzyStrings in which each character within the password is individually sequentially replaced with the "." character. "." is a special character within Perl regular expressions that can be used to match any other character. The result of this nested control structure yields a regular expression that is stored in the $regexp variable, such that a password "abc" would be turned into the regular expression ".bc|a.c|ab.". This means that a password that consists of a substitution of a dictionary word at any single position, to any type of character, will match the created regular expression. Once this regular expression is created, it's then matched against every word in the dictionary list to determine if the password is just a minor variant of any dictionary word (see Figure2). The fuzziness of the regular expression can also be readily enhanced by using quantifiers in conjunction with the ".", as the presence of quantifiers would allow for more than single character substitutions to be discovered. In particular the presence of a quantifier may be desirable for when the first and last character positions are ".", since this will allow for the detection of a partial word being appended to some additional characters.

Figure 2: Demonstration of how the password complexity filter picks up "pas$word" as being a dictionary word with a minor substitution.

Conclusion
This above script illustrates various techniques that can be used to create password complexity filters for use in verifying that existing passwords comply with an organization's password complexity requirements (see Figure 3). Moreover, this script can be run in its current command-line form or readily modified into a CGI application to provide a Web-based interface for making use of the programs functionality. As such, the article and example script should provide a useful foundation for developers and system administrators to improve password policy compliance within their organization.

Figure 3: A password that passes all checks.

More Stories By Christopher Frenz

Christopher Frenz is the author of "Visual Basic and Visual Basic .NET for Scientists and Engineers" (Apress) and "Pro Perl Parsing" (Apress). He is a faculty member in the Department of Computer Engineering at the New York City College of Technology (CUNY), where he performs computational biology and machine learning research.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at Internet of @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, will discuss how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money! Speaker Bio: Esmeralda Swartz, CMO of MetraTech, has spent 16 years as a marketing, product management, and busin...
Samsung VP Jacopo Lenzi, who headed the company's recent SmartThings acquisition under the auspices of Samsung's Open Innovaction Center (OIC), answered a few questions we had about the deal. This interview was in conjunction with our interview with SmartThings CEO Alex Hawkinson. IoT Journal: SmartThings was developed in an open, standards-agnostic platform, and will now be part of Samsung's Open Innovation Center. Can you elaborate on your commitment to keep the platform open? Jacopo Lenzi: Samsung recognizes that true, accelerated innovation cannot be driven from one source, but requires a...
SYS-CON Events announced today that Red Hat, the world's leading provider of open source solutions, will exhibit at Internet of @ThingsExpo, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Red Hat is the world's leading provider of open source software solutions, using a community-powered approach to reliable and high-performing cloud, Linux, middleware, storage and virtualization technologies. Red Hat also offers award-winning support, training, and consulting services. As the connective hub in a global network of enterprises, partners, a...
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at Internet of @ThingsExpo, Robin Raymond, Chief Architect at Hookflash Inc., will walk through the shifting landscape of traditional telephone a...
SYS-CON Events announced today that Matrix.org has been named “Silver Sponsor” of Internet of @ThingsExpo, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Matrix is an ambitious new open standard for open, distributed, real-time communication over IP. It defines a new approach for interoperable Instant Messaging and VoIP based on pragmatic HTTP APIs and WebRTC, and provides open source reference implementations to showcase and bootstrap the new standard. Our focus is on simplicity, security, and supporting the fullest feature set.
BSQUARE is a global leader of embedded software solutions. We enable smart connected systems at the device level and beyond that millions use every day and provide actionable data solutions for the growing Internet of Things (IoT) market. We empower our world-class customers with our products, services and solutions to achieve innovation and success. For more information, visit www.bsquare.com.
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic • Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it’s a mix of architectural style...
SYS-CON Events announced today that SOA Software, an API management leader, will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. SOA Software is a leading provider of API Management and SOA Governance products that equip business to deliver APIs and SOA together to drive their company to meet its business strategy quickly and effectively. SOA Software’s technology helps businesses to accelerate their digital channels with APIs, drive partner adoption, monetize their assets, and achieve a...
From a software development perspective IoT is about programming "things," about connecting them with each other or integrating them with existing applications. In his session at @ThingsExpo, Yakov Fain, co-founder of Farata Systems and SuranceBay, will show you how small IoT-enabled devices from multiple manufacturers can be integrated into the workflow of an enterprise application. This is a practical demo of building a framework and components in HTML/Java/Mobile technologies to serve as a platform that can integrate new devices as they become available on the market.
SYS-CON Events announced today that Utimaco will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Utimaco is a leading manufacturer of hardware based security solutions that provide the root of trust to keep cryptographic keys safe, secure critical digital infrastructures and protect high value data assets. Only Utimaco delivers a general-purpose hardware security module (HSM) as a customizable platform to easily integrate into existing software solutions, embed business logic and build s...
Connected devices are changing the way we go about our everyday life, from wearables to driverless cars, to smart grids and entire industries revolutionizing business opportunities through smart objects, capable of two-way communication. But what happens when objects are given an IP-address, and we rely on that connection, sometimes with our lives? How do we secure those vast data infrastructures and safe-keep the privacy of sensitive information? This session will outline how each and every connected device can uphold a core root of trust via a unique cryptographic signature – a “bir...
Internet of @ThingsExpo Silicon Valley announced on Thursday its first 12 all-star speakers and sessions for its upcoming event, which will take place November 4-6, 2014, at the Santa Clara Convention Center in California. @ThingsExpo, the first and largest IoT event in the world, debuted at the Javits Center in New York City in June 10-12, 2014 with over 6,000 delegates attending the conference. Among the first 12 announced world class speakers, IBM will present two highly popular IoT sessions, which will take place November 4-6, 2014 at the Santa Clara Convention Center in Santa Clara, Calif...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at Internet of @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, will discuss how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.

SUNNYVALE, Calif., Oct. 20, 2014 /PRNewswire/ -- Spansion Inc. (NYSE: CODE), a global leader in embedded systems, today added 96 new products to the Spansion® FM4 Family of flexible microcontrollers (MCUs). Based on the ARM® Cortex®-M4F core, the new MCUs boast a 200 MHz operating frequency and support a diverse set of on-chip peripherals for enhanced human machine interfaces (HMIs) and machine-to-machine (M2M) communications. The rich set of periphera...

SYS-CON Events announced today that Aria Systems, the recurring revenue expert, has been named "Bronze Sponsor" of SYS-CON's 15th International Cloud Expo®, which will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Aria Systems helps leading businesses connect their customers with the products and services they love. Industry leaders like Pitney Bowes, Experian, AAA NCNU, VMware, HootSuite and many others choose Aria to power their recurring revenue business and deliver exceptional experiences to their customers.
The Internet of Things (IoT) is going to require a new way of thinking and of developing software for speed, security and innovation. This requires IT leaders to balance business as usual while anticipating for the next market and technology trends. Cloud provides the right IT asset portfolio to help today’s IT leaders manage the old and prepare for the new. Today the cloud conversation is evolving from private and public to hybrid. This session will provide use cases and insights to reinforce the value of the network in helping organizations to maximize their company’s cloud experience.
The Internet of Things (IoT) is making everything it touches smarter – smart devices, smart cars and smart cities. And lucky us, we’re just beginning to reap the benefits as we work toward a networked society. However, this technology-driven innovation is impacting more than just individuals. The IoT has an environmental impact as well, which brings us to the theme of this month’s #IoTuesday Twitter chat. The ability to remove inefficiencies through connected objects is driving change throughout every sector, including waste management. BigBelly Solar, located just outside of Boston, is trans...
SYS-CON Events announced today that Matrix.org has been named “Silver Sponsor” of Internet of @ThingsExpo, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Matrix is an ambitious new open standard for open, distributed, real-time communication over IP. It defines a new approach for interoperable Instant Messaging and VoIP based on pragmatic HTTP APIs and WebRTC, and provides open source reference implementations to showcase and bootstrap the new standard. Our focus is on simplicity, security, and supporting the fullest feature set.
Predicted by Gartner to add $1.9 trillion to the global economy by 2020, the Internet of Everything (IoE) is based on the idea that devices, systems and services will connect in simple, transparent ways, enabling seamless interactions among devices across brands and sectors. As this vision unfolds, it is clear that no single company can accomplish the level of interoperability required to support the horizontal aspects of the IoE. The AllSeen Alliance, announced in December 2013, was formed with the goal to advance IoE adoption and innovation in the connected home, healthcare, education, aut...