If we have to write a password generator, is it a good idea to contain a "keyboard-based sequence" checker? So if the generated password is:

asdf4%'Q!76342

Then this password will be rejected by the generator, and it generates another, because of the "asdf".

Question: Is it a good idea to remove the passwords that have "keyboard-based sequences" in them? Or will it just produce passwords that can be statistically broken, since we know that the passwords will not have "asdf" in them? Which solution is better?

  • For clarity, are you sticking to only the US Qwerty keyboard layout for exclusion? – Phizes Feb 09 '15 at 20:50
  • QWERTZ, maybe it's easier to attack with a dictionary, if the person uses keyboard-based sequences? hmm.. – freaking-good-question Feb 09 '15 at 21:00
  • possible duplicate of [Are passwords comprised of key sequences on a keyboard any less secure than the same characters but jumbled up?](http://security.stackexchange.com/questions/80120/are-passwords-comprised-of-key-sequences-on-a-keyboard-any-less-secure-than-the) – schroeder Feb 09 '15 at 22:29
  • Bad idea. There's a reason why passwords (and keys) should be generated from a good random source; if you can predict the RNG (or at least, know what it *won't* output) you can reduce your search space when bruteforcing and thus break the key faster. –  Feb 10 '15 at 20:50

3 Answers

I would say yes. @Philipp does make some good points, but how many passwords would actually fall out if you remove keyboard-based sequences? Probably not enough to make any real difference (depending on how you actually filter, of course).

The probability that such a password is generated is (probably) incredibly low (so another question is if it's actually worth the work to implement such a filter), but if it actually does happen, it would be quite bad, because then that generated password is easy to guess, which is exactly what you want to avoid with generated passwords.

When you do filter, the length of the keyboard-based sequence that you filter should be in some reasonable proportion to the password length. So if you generate passwords of length 15, filtering out asd is probably not a good idea (because asd in a long password doesn't lead to easily guessable passwords, but you would actually exclude a rather wide range of passwords). I would probably exclude the password if it contains a sequence of length of about password.length - 4 (4 additional characters to a sequence seem enough to avoid simple bruteforce).

If you do filter the generated passwords, I would also filter against a list of common passwords (you really don't want your password generator to generate 123456 or password1).

tim
  • This looks like a pretty good compromise to me. You don't want to accidentally generate passwords that might turn up in a wordlist, but the odds against doing so are so astronomically low that you're probably fine ignoring the possibility altogether. – KnightOfNi Feb 09 '15 at 21:34
A good security scheme assumes that the attacker knows how you generate your passwords.

When the attacker knows that your algorithm will never generate certain passwords, it won't have to check these, which reduces the workload they need to invest to brute-force. So it would be counter-productive to have such a restriction in your generator.

Philipp
  • Actually, I disagree on this. A good "counter-example", what if the generator generates "qwerty" - if you let that one through, then that particular password would be very easily cracked. I would say removing key sequences would only reduce the workload of brute forcing very minimally, and the benefit of removing insecure key sequence passwords is worth the effort. – Jonathan Jan 02 '19 at 18:15
One thought might be to try to crack the passwords that are generated with one or more password cracking tools to ensure they are strong. If the tool can crack it, generate a new password. This should weed out many auto-generated insecure passwords, including key sequences and dictionary words. A problem with this is that it may require too much computing power to run the check depending on how many users are creating new passwords.

Jonathan