DEV Community

Discussion on: Securing Your ASP.NET Application

Collapse
 
jamoyjamie profile image
Jamie Read

There's some interesting research from Microsoft (and I think similar from the UK government) that suggests you should only enforce an 8 character length rather than all the symbols and numbers etc.

There is more explanation out there but from the top of my head it was mainly because people just make simple additions (like adding a '1' at the end) or substitutions (like '0' rather than 'o') which are trivial for password crackers to circumnavigate. They instead suggest checking the password isn't one of the most common ones to stop things like 'password' or 'qwerty' being used.

There's an xkcd comic about it that I'd find if I wasn't on my phone! 🙂

Collapse
 
danieljsummers profile image
Daniel J. Summers

You're right. While enforcing complexity does increase the search space, it also eliminates a huge search space (i.e., all the possible combinations that do not require the required complexity). It also isn't as easy to remember, which incentivizes users to store them somewhere else; this greatly reduces the effective security of the user's account. Sure, they're still hard to brute-force, but if you can obtain it out-of-band, there's no brute-force required.

I learned some techniques, too, from this post (cookie renaming and 403 -> 404). Great job, Banso!

Collapse
 
overrideveloper profile image
Banso D. Wisdom

Thanks for the insight Jamie. I just learnt something new.

Collapse
 
t4rzsan profile image
Jakob Christensen • Edited

Thank you for a good writeup.

Yes, better use long passwords than short passwords with digits and symbols. This is probably the xkcd, Jamie Read is referring to:
xkcd.com/936/

Thread Thread
 
overrideveloper profile image
Banso D. Wisdom

Thank You! The xkcd explains greatly.