Weak Password Entropy: How to Fix It

TL;DR

Attacks often exploit passwords with low entropy (predictability). This guide shows you how to identify and fix weak password policies, improve randomness in systems, and protect against common attacks.

1. Understanding Password Entropy

Entropy measures the unpredictability of a password. Higher entropy means it’s harder to guess or crack. Low entropy passwords are short, use only lowercase letters, or rely on dictionary words. A good password should be long and include a mix of uppercase letters, lowercase letters, numbers, and symbols.

2. Identifying Weak Password Policies

1. Check Minimum Length: Most systems have a minimum password length requirement. Anything less than 12 characters is generally considered weak.
2. Complexity Requirements: Look for rules enforcing the use of different character types (uppercase, lowercase, numbers, symbols).
3. Password History: A good policy prevents users from reusing recent passwords.
4. Dictionary Checks: Some systems check if a password appears in common dictionary lists or known breached password databases.
5. Regular Audits: Periodically review your password policies to ensure they are still effective and up-to-date.

3. Improving Password Policies

1. Increase Minimum Length: Set a minimum length of 14 characters or more.
2. Enforce Complexity: Require at least three different character types (uppercase, lowercase, numbers, symbols).
3. Implement Password History: Prevent reuse of the last 24 passwords.
4. Use a Password Strength Meter: Integrate a meter that provides real-time feedback to users as they create passwords.
5. Consider Passphrases: Encourage users to use long, memorable passphrases instead of complex passwords.

4. Improving Randomness in Systems

Weak random number generators (RNGs) can be exploited to predict session IDs, tokens, and other security-sensitive values.

1. Use Cryptographically Secure RNGs: Avoid using standard rand() functions. Instead, use libraries specifically designed for cryptography.

   # Python example
   import secrets
   random_token = secrets.token_hex(16) # Generates a random hex string
   

2. Seed RNGs Properly: Ensure your RNG is seeded with sufficient entropy from a reliable source (e.g., /dev/urandom on Linux).
3. Regularly Re-seed: Periodically re-seed the RNG to prevent predictability over time.

5. Protecting Against Common Attacks

1. Brute-Force Attacks: Implement account lockout policies after a certain number of failed login attempts. Use rate limiting on login requests.
2. Dictionary Attacks: Use password hashing algorithms like bcrypt, Argon2, or scrypt with appropriate salt values. These are designed to be slow and make dictionary attacks more difficult.

   # Example using Python's passlib library
   import passlib.hash
   hash = passlib.hash.bcrypt.using(rounds=12)
   pw_hash = hash.encrypt('mysecretpassword')
   

3. Rainbow Table Attacks: Salting passwords makes rainbow table attacks ineffective. Each password should have a unique salt.
4. Credential Stuffing: Monitor for compromised credentials in known data breaches and proactively reset passwords for affected accounts.
5. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security beyond just a password.

6. Tools for Assessing Entropy

Several tools can help you assess the entropy of passwords and systems:

• pwscore: A command-line tool to evaluate password strength.
• Hashcat/John the Ripper: Password cracking tools that can be used to test the strength of your hashing algorithms. (Use responsibly, only on systems you own!)
• Online Entropy Checkers: Websites that allow you to estimate the entropy of a password or string.