Boolean Logic

Security is a big topic nowadays, and more and more programmers want to add security features to their applications. One way to do that is to require a password to access the application or its documents. However, wherever you put a password, people will diminish the security it offers by choosing what are, in effect, ineffective passwords.

An ineffective password is one that is either easily guessed or easily defeated by a brute-force attack, using a program capable of trying hundreds of thousands of passwords a second until it finds the right one.

One action you can take to make things more secure is to enforce certain criteria on the password. This might not be popular with all users, but it will make their data, or their access to the application, a lot more secure.

In order to do this the programmer needs to know what makes a strong password and what makes a weak one.

A robust, strong password contains all of the following:

  • Seven or more characters (the longer, the better)
  • Uppercase and lowercase letters
  • Numerals
  • Symbols (at least one of which is in the second through sixth position)
  • At least four different characters (no repeats)
  • Looks like a sequence of random letters and numbers

A totally robust password must not contain any of the following:

  • Any part of your logon name
  • Any portion of your previous password (hard to enforce this one)
  • Actual words or names in any language
  • Numbers that are used in place of similar letters, such as "8" for "B" or "5" for "S"
  • Consecutive letters, such as "abcdefg" or "ZYXWVUT"
  • Consecutive numbers, such as "567890"
  • Adjacent keys on your keyboard, such as "qwerty" or "ASDFGH"
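As an added example (not code from the original article), here is a Python checker that enforces the mechanical rules above: length, character classes, symbol position, distinct characters, logon-name fragments, consecutive letters or numbers, and adjacent keyboard keys. The run length of 4, the 3-character logon-name fragment and the US QWERTY layout are assumptions; the dictionary-word and letter-substitution rules need a word list and are not covered here.

```python
import string

# Keyboard rows used for the "adjacent keys" rule (assumed US QWERTY layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQ_RUN = 4  # characters in a row treated as "consecutive" (assumed threshold)


def _has_run(text, alphabet, length=SEQ_RUN):
    """True if `text` contains `length` characters that are consecutive in
    `alphabet`, ascending or descending (e.g. 'abcd' or 'dcba')."""
    rev = alphabet[::-1]
    for i in range(len(text) - length + 1):
        chunk = text[i:i + length]
        if chunk in alphabet or chunk in rev:
            return True
    return False


def check_password(password, logon_name=""):
    """Return a list of rule violations; an empty list means the password
    passes every rule this checker implements."""
    problems = []
    pw = password
    low = pw.lower()
    if len(pw) < 7:
        problems.append("fewer than 7 characters")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeral")
    symbols = [i for i, c in enumerate(pw) if c in string.punctuation]
    if not symbols:
        problems.append("needs a symbol")
    elif not any(1 <= i <= 5 for i in symbols):  # positions 2..6 are indices 1..5
        problems.append("a symbol must appear in positions 2 through 6")
    if len(set(pw)) < 4:
        problems.append("needs at least 4 different characters")
    if logon_name:
        name = logon_name.lower()
        # Reject any 3-character slice of the logon name (assumed threshold).
        if any(name[i:i + 3] in low for i in range(len(name) - 2)):
            problems.append("contains part of the logon name")
    if _has_run(low, string.ascii_lowercase):
        problems.append("contains consecutive letters")
    if _has_run(pw, string.digits):
        problems.append("contains consecutive numbers")
    if any(_has_run(low, row) for row in KEYBOARD_ROWS):
        problems.append("contains adjacent keyboard keys")
    return problems
```

Run the rejected candidate back through the checker after the user corrects it; report every violation at once rather than the first, so the user fixes the password in one pass.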

Here are other tips for strong passwords:

  • Do not allow an option to show the password in plain text when typing it in
  • Enforce the regular changing of the password
  • Never store a password in plain text anywhere (consider an MD5 hash of the password the minimum)
  • Flush all password buffers or variables immediately

Adrian Kingsley-Hughes
Last updated: May 4th 2004