Support Multi-Word Passwords

kjtocool
Registered User
Posts: 24
Joined: Sun Feb 26, 2006 6:52 pm

Post by kjtocool »

I think phpBB should move to support multi-word passwords. A simple shift would make it exponentially harder for passwords to be compromised. Even the best passwords ($dfk289@*1%) aren't anywhere near as strong as a multi-word password (blue funny dog barks). Even better would be a password + multi-word phrase option which hashes the two together.

I'd like to see phpBB support both implementations, allowing administrators to make the end decision. Thoughts?
canonknipser
Registered User
Posts: 71
Joined: Mon Sep 19, 2011 4:42 am
Location: Germany

Re: Support Multi-Word Passwords

Post by canonknipser »

kjtocool wrote: I'd like to see phpBB support both implementations
It is not a separate implementation; it's just another password (a better name would be passphrase) rule that includes whitespace as an allowed character ...
Greetings
Frank
phpbb.de support team member - no support via PM or mail
English is not my native language
Extensions and scripts for phpBB

kjtocool
Registered User
Posts: 24
Joined: Sun Feb 26, 2006 6:52 pm

Re: Support Multi-Word Passwords

Post by kjtocool »

From a UI perspective, my ideal scenario would be:

1) You use the regular password, it looks as it does currently.

2) You use the multi-word password, there are four input fields for each word.

3) You use the combination option, there is an input field labeled "Password", and then four input fields labeled "Phrase" or something similar.


I think, from a user perspective, it should be clear where each word goes, which section is which, etc.
canonknipser
Registered User
Posts: 71
Joined: Mon Sep 19, 2011 4:42 am
Location: Germany

Re: Support Multi-Word Passwords

Post by canonknipser »

kjtocool wrote: I think, from a user perspective, it should be clear where each word goes, which section is which, etc.
From a user's perspective (mine, not yours ;) ), it makes it more complicated - all UIs I know tell me to enter my username (one entry field) and a self-chosen passphrase (another entry field) and maybe a captcha (a third entry field).
Having more than one field for the passphrase would make it much more complicated. Why is phpBB asking me for more than one word? How many letters do I have to put in each field? How many words do I have to enter?

From a programmer's perspective, it's much more complicated:
Allowing a passphrase with whitespace, I only have to check:
Are all types of letters entered?
Did the user enter a passphrase long enough?

Having more than one entry field, I have to check this for each field, and afterwards I have to combine them to calculate the passphrase hash.

What's the difference between "blue funny dog barks" and "blue" "funny" "dog" "barks"?
Greetings
Frank

kjtocool
Registered User
Posts: 24
Joined: Sun Feb 26, 2006 6:52 pm

Re: Support Multi-Word Passwords

Post by kjtocool »

I suppose I feel it is more intuitive.

When the user registers, they'll be prompted for a "pass phrase." How do they know to enter a space? How do you validate they didn't run a word together they meant to keep separate? To me, the easiest and most intuitive solution is to have 4 input boxes under one "Passphrase" heading.

When the user returns to log in, they will see four input boxes, which should jog their memory that "oh yeah, this site uses that phrase." And certainly, if you choose to use the combination of a Password + Passphrase, it seems more intuitive to me if the options are distinct in nature: Username, Password, Passphrase. Segmenting it into understandable buckets aids in the recollection, simplifying a more complicated password entry system.

I do agree, it is more challenging from a design perspective.
callumacrae
Former Team Member
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England

Re: Support Multi-Word Passwords

Post by callumacrae »

If a user wants a multi-word password, let them. If they don't, let them.

It's perfectly fine how it is.
Made by developers, for developers!
Arty
Former Team Member
Posts: 985
Joined: Wed Mar 06, 2002 2:36 pm
Location: Mars

Re: Support Multi-Word Passwords

Post by Arty »

It's already hard enough to deal with websites that require some sort of mix of letters or whatever, so I can't enter my favorite password there; having to remember 2 passwords would be horrible. Such passwords increase the chance of a user having to write down that password somewhere rather than typing it from memory, increasing the chances of it being stolen.

kjtocool
Registered User
Posts: 24
Joined: Sun Feb 26, 2006 6:52 pm

Re: Support Multi-Word Passwords

Post by kjtocool »

Well, the basic idea behind pass phrases is that they're just as hard to crack via brute force, but much easier to remember for people. Remembering "$php33foru*mp@a$$" is much harder than "phpbb forum awesome blossom".
canonknipser
Registered User
Posts: 71
Joined: Mon Sep 19, 2011 4:42 am
Location: Germany

Re: Support Multi-Word Passwords

Post by canonknipser »

kjtocool wrote: Well, the basic idea behind pass phrases is that they're just as hard to crack via brute force, but much easier to remember for people. Remembering "$php33foru*mp@a$$" is much harder than "phpbb forum awesome blossom".
But, as long as the passphrase rule allows it, you can enter it into one field - why do you want to use four (or seven? or ten?) fields for that?

There are a lot of tips out there for using easy-to-remember-but-hard-to-crack passphrases, like taking a sentence such as "My dog has four legs and one head", replacing number words with their numerals, using just the first letters of each word, and reversing the phrase, giving: "h1al4hdM" ;)
Greetings
Frank

kjtocool
Registered User
Posts: 24
Joined: Sun Feb 26, 2006 6:52 pm

Re: Support Multi-Word Passwords

Post by kjtocool »

Because unique fields force the user to enter a phrase; one field simply allows it. With one field, you can't force an entire forum to follow.
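The two designs debated in this thread, a single whitespace-tolerant field checked by a rule and four per-word fields combined before hashing, sketched side by side as an added example that is not part of any post and is not phpBB code. The policy values (`MIN_WORDS`, `MIN_LENGTH`), the function names, and the use of PBKDF2 as a stand-in for the board's real password hash are assumptions.

```python
import hashlib
import hmac
import unicodedata

# Assumed policy values for illustration; not phpBB settings.
MIN_WORDS = 4
MIN_LENGTH = 16
PBKDF2_ROUNDS = 100_000  # stand-in KDF cost, chosen for the example


def normalize(raw):
    """NFKC-normalize, trim, and collapse whitespace runs to one space."""
    return " ".join(unicodedata.normalize("NFKC", raw).split())


def check_policy(raw):
    """Return a list of rule violations; an empty list means accepted."""
    phrase = normalize(raw)
    problems = []
    if len(phrase.split()) < MIN_WORDS:
        problems.append("fewer than %d words" % MIN_WORDS)
    if len(phrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    return problems


def from_fields(fields):
    """Combine separate per-word inputs into the string that gets hashed."""
    return normalize(" ".join(fields))


def hash_passphrase(raw, salt):
    """Derive a verifier from the normalized phrase (PBKDF2 as a stand-in)."""
    data = normalize(raw).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"  # fixed only so the demo is repeatable
    single = hash_passphrase("blue  funny dog barks ", salt)
    multi = hash_passphrase(from_fields(["blue", "funny", "dog", "barks"]), salt)
    print("same hash:", hmac.compare_digest(single, multi))
    for sample in ("blue funny dog barks", "bluefunnydogbarks", "a b c d"):
        print(repr(sample), check_policy(sample) or "accepted")
```

Normalizing before hashing is what keeps a stray double space or trailing blank at login from producing a different hash than the one stored at registration.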