Sunday, 8 April 2012

How to enforce password complexity on a Hash?

Humm, I'm thinking of ways to add password complexity to TeamMentor, and one interesting dilemma is that current model is based on only hashes being used.

What happens is that we use Sha256 Javascript API to create a client side hash (using the username+password), which is then stored on the server side in the user's xml file.

Since when creating a new account, or changing the password, the real password is never sent to the server. there is no way to check (on the server) how strong that password is :) , right?

Maybe we could have a commonly-used-weak-passwords-mini-rainbow-table on the server to check those hashes against?

It looks like the only thing we can do, is to have client-side GUI checks (i.e. 'password too small', 'you must write it in Klingon', etc...) which can be bypassed by using the public WebServices APIs (also used by the GUI)