DEV Community

loading...

Discussion on: 3 password REGEX for your next project

Collapse
ricobrase profile image
Rico Brase

Well. There are different types of attacks.
Others have provided sufficient details, but I feel obliged to answer your questions (I don't want others to do ALL the work. ;-) )

Dictionary attacks:

The attacker has a list of possible words (e.g. from a dictionary of common words, hence the name) like "password", "helloworld", "sugar", or "development", which they will try on a users account. Complex passwords can provide better security, since the attacker would need "sugar" as well as different varieties (e.g. "5ug4r") of a word in his dictionary. Note, that common substitutions (e.g. a 5 for a s, a 4 for an a) might already be included in such dictionary attacks.

"regular" bruteforce:

The attacker generates a possible password (either randomly or following a scheme, e.g. "aaaa", "aaab", "aaac", etc.). Here, a complex password just won't necessarily result in a security increase, it heavily depends on the attack itself. If the attacker tries all lowercase combinations before trying combinations with uppercase letters, numbers and special characters, an all lowercase password of low length (less than 15 characters) WILL be definitely less secure than a more complex password of the same length.
If the plattform hosting the user account RESTRICTS the users from using uppercase letters, numbers and special characters for their passwords, the attacker can remove these combinations from his attack, heavily reducing the amount of guesses (and therefore the needed time) to crack the users password.


Best practise - User POV

As a user, the best way to handle passwords would be either to

1) Use a password safe and use a unique, randomly generated password with sufficient length (at least 20 characters!) with maximum complexity for each service

or

2) Use a password-less authentication method like WebAuthn.

Best practise - Developer POV

As a developer, you should provide this on your platform for maximum security:

1) Enforce passwords of maximum entropy (complexity AND length).
1a) Since it's unrealistic, users would all conform to User POV 1 (password manager with generated, safe passwords), you should at least enforce LONG passwords. Chaining known words is at least more memorable for the user and will potentially provide more secure passwords due to increased length (using 4-5 words might already result in passwords with at least 20 characters).

2) Provide standardized password-less authentication methods like WebAuthn (usage according to caniuse.com: 86% globally). Using a Public/Private-Key authentication, your users will be better protected against other types of attacks, not mentioned here, e.g. phishing (getting the users passwords by leading your users to a malicious site, designed to look indistinguishable from your site).