
More specific character restrictions

August 4th, 2010

Recently, the following comment was made in the Android Market for Cryptnos for Android:

Works as described, but I can’t select required parameters like: must be 6-8 characters, contain at least 2 letters and 2 numbers.

I look upon this as a feature request, even though the commenter did not formally ask. That said, I thought this was also a great opportunity to showcase Cryptnos’ flexibility and demonstrate how a “missing feature” isn’t necessarily missing after all.

First and foremost, let me say one thing: the length restriction is technically a non-issue. Cryptnos does have a Length Restriction field (“Use only the first x characters” in Cryptnos for Windows). If the service you wish to authenticate with sets a minimum and maximum length, simply set the Length Restriction field to the maximum value (in this case, eight) and that requirement should be met. Whenever a password has a length range requirement, always go for the longest password you possibly can, as it will be inherently more resistant to brute-force attacks: each character you add multiplies the number of possible passwords by the size of the character set, so the time needed to attack grows exponentially with length. Cryptnos will be doing the work of “remembering” the password for you, so aiming for the minimum length compromises your security for no valid reason.

However, there is nothing in Cryptnos to enforce rules for more detailed character requirements, aside from the general options listed under Character Restrictions. In other words, there is no way to specify “at least 2 letters and 2 numbers”. For this specific example, this is also likely not an issue; Cryptnos passwords are Base64-encoded data, so it is statistically unlikely that a password will be generated with zero or one of these specific character classes. Likewise, Base64 data is mixed case, so it is unlikely that a password would be generated with only one case (i.e. all lowercase or all uppercase); mixed-case passwords are another common requirement like this. There are two symbols in Base64 (in our case, the plus sign and forward slash), which may statistically be less likely to appear than alphanumerics, but it is still unlikely that an eight-character password wouldn’t contain at least one.

This is, of course, easy enough to work around without modifying the application. If a specific combination of site token and master password does not meet these requirements, slightly changing one or the other will generate a vastly different password that probably will. Choosing the most inclusive Character Restriction setting (“All generated characters”) will ensure the greatest likelihood of meeting the requirement. If you feel strongly about the site token and master password used, incrementing the Hash Iterations setting will generate something new that is also very probable to meet the requirement. Since site token, character restrictions, and hash iterations are all saved with your parameter data, only changes to the master password require extra effort on the part of the user. As a last resort, of course, nowhere is it stated that you can’t modify your generated password manually before actually using it; on the contrary, we actually suggest that in the FAQ. You can always substitute a zero for a letter O, or a four for an A, etc.
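As an added example (not Cryptnos's own code; the exact hashing scheme below is an assumption that follows the post's description and will not reproduce real Cryptnos output), the following Python models the derivation discussed above (hash of site token and master password, repeated by a Hash Iterations count, Base64-encoded, then cut to the Length Restriction and optionally stripped of the two Base64 symbols), checks the commenter's “6-8 characters, at least 2 letters and 2 numbers” rule, applies the increment-the-iterations workaround from the previous paragraph, and computes exactly how often a random Base64 string of a given length satisfies such a rule. The site token and master password are constructed inputs.

```python
"""Cryptnos-style password derivation with a character-class policy check.

Constructed example. The derivation here (hash the site token and master
password together, re-hash the digest ``iterations`` times, Base64-encode,
then apply the character and length restrictions) is an assumption that
follows the post's description; it is not Cryptnos's own code and will not
reproduce passwords Cryptnos generates.
"""
import base64
import hashlib
import string
from math import comb
from typing import Optional, Tuple

BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"


def generate(site_token: str, master: str, iterations: int = 1,
             length: Optional[int] = 8, alphanumerics_only: bool = False,
             algorithm: str = "sha256") -> str:
    """Derive a password from a site token and master password.

    ``length`` mirrors the Length Restriction field ("use only the first x
    characters"); ``alphanumerics_only`` mirrors a Character Restriction that
    drops the two Base64 symbols (+ and /).  Assumed scheme, see module docstring.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    data = (site_token + master).encode("utf-8")
    for _ in range(iterations):
        data = hashlib.new(algorithm, data).digest()
    encoded = base64.b64encode(data).decode("ascii").rstrip("=")
    if alphanumerics_only:
        encoded = "".join(c for c in encoded if c not in "+/")
    return encoded if length is None else encoded[:length]


def meets_policy(password: str, min_len: int = 6, max_len: int = 8,
                 min_letters: int = 2, min_digits: int = 2) -> bool:
    """Check the commenter's example policy: 6-8 characters with at least
    two letters and two digits (defaults can be changed per site)."""
    letters = sum(c in string.ascii_letters for c in password)
    digits = sum(c in string.digits for c in password)
    return (min_len <= len(password) <= max_len
            and letters >= min_letters and digits >= min_digits)


def find_compliant_iterations(site_token: str, master: str, length: int = 8,
                              max_tries: int = 50, **policy) -> Tuple[int, str]:
    """The post's workaround: keep the site token and master password and
    step the Hash Iterations setting up until the output meets the policy.
    Returns (iterations, password)."""
    for n in range(1, max_tries + 1):
        candidate = generate(site_token, master, iterations=n, length=length)
        if meets_policy(candidate, **policy):
            return n, candidate
    raise RuntimeError(f"no compliant password within {max_tries} iterations")


def compliance_probability(length: int = 8, min_letters: int = 2,
                           min_digits: int = 2) -> float:
    """Exact probability that a uniformly random Base64 string of ``length``
    characters (52 letters, 10 digits, 2 symbols out of 64) contains at least
    ``min_letters`` letters and ``min_digits`` digits.  Hash output is close
    enough to uniform for this to describe generated passwords."""
    p_letter, p_digit, p_symbol = 52 / 64, 10 / 64, 2 / 64
    total = 0.0
    for n_letters in range(min_letters, length + 1):
        for n_digits in range(min_digits, length - n_letters + 1):
            n_symbols = length - n_letters - n_digits
            # multinomial coefficient: ways to place each class in the string
            ways = comb(length, n_letters) * comb(length - n_letters, n_digits)
            total += (ways * p_letter ** n_letters * p_digit ** n_digits
                      * p_symbol ** n_symbols)
    return total


if __name__ == "__main__":
    # constructed inputs, not real credentials
    site, master = "example.com", "correct horse battery staple"
    pw = generate(site, master)
    print(f"iterations=1: {pw} compliant={meets_policy(pw)}")
    n, pw = find_compliant_iterations(site, master)
    print(f"first compliant output at iterations={n}: {pw}")
    print("P(8-char Base64 has >=2 letters and >=2 digits) = "
          f"{compliance_probability():.3f}")
```

`compliance_probability` takes the policy and length as parameters, so the same function shows how raising the Length Restriction toward the allowed maximum changes the odds of meeting a rule by chance, which is the practical reason to prefer the longest length a site permits.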

Still, I look at this comment as a request and I’ll treat it as such. This will be a complex one, because it would require logic, UI, storage, and import/export changes. It would also require changes to all versions of Cryptnos for the applications to remain in sync. I’ll have to think about whether or not to implement this one. If you’d like to share your thoughts, you may either comment on this post or comment on the associated issue on the Cryptnos for Android Google Code site.
