Professional ASP.NET Security - Jeff Ferguson
Imagine a hypothetical system that is protected by a numerical password. Users must enter the
password in order to access the system. Assuming the malicious user does not find a way to steal the
password, they will have to guess the correct password in order to access the system.
If our password has only one digit, a malicious user has a 1 in 10 chance to guess the password on their
first attempt and will only need 10 guesses to try every possible password. It is pretty obvious that we
cannot call this secure.
If our password has 2 digits, there will be 100 possible passwords. This means that a malicious user has
a 1 in 100 chance of guessing the password correctly on their first attempt. If we allow multiple chances
to enter the correct password, the chance will improve with each new guess (assuming the attacker has
the sense not to enter duplicate passwords). So, on the second guess, their chance is 1 in 99, and on the
third guess, their chance is 1 in 98, and so on.
If we allow unlimited guesses, the attacker will definitely get the right password within 100 guesses. They
will probably get the right password much sooner than that. I think we would all agree that we should not
call this a secure system.
There are two obvious ways to make this system more secure (that is, to reduce the chances that the
correct password can be guessed). Firstly, we can limit the number of guesses users may make.
Secondly, we can increase the number of potential passwords.
If we set a limit of three attempts to enter the right password (as is common with ATMs, for example),
the chances that our two-digit password will be guessed are much reduced. Here's some math that shows
the chance of guessing the password in the first three attempts.
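The calculation the passage leads into, worked through in code as an added example (not from the book): it follows the text's sequence of a 1-in-N, then 1-in-(N-1), then 1-in-(N-2) chance for an attacker who never repeats a guess, contrasts it with a careless attacker who may repeat guesses, and gives the expected number of guesses when attempts are unlimited. The function names are this example's own.

```python
from fractions import Fraction


def password_space(digits: int) -> int:
    """Number of possible numerical passwords with the given number of digits."""
    return 10 ** digits


def prob_guessed_within(digits: int, attempts: int) -> Fraction:
    """Chance that an attacker who never repeats a guess succeeds within `attempts` tries.

    Mirrors the text: the first guess succeeds with 1/N, the second (if the first
    failed) with 1/(N-1), the third with 1/(N-2), and so on.
    """
    n = password_space(digits)
    attempts = min(attempts, n)          # at most N distinct guesses are possible
    p_success = Fraction(0)
    p_still_failing = Fraction(1)        # probability all earlier guesses were wrong
    for i in range(attempts):
        remaining = n - i                # candidates not yet ruled out
        p_success += p_still_failing * Fraction(1, remaining)
        p_still_failing *= Fraction(remaining - 1, remaining)
    return p_success


def prob_guessed_within_with_repeats(digits: int, attempts: int) -> Fraction:
    """Same question for a careless attacker whose guesses are independent draws."""
    n = password_space(digits)
    return 1 - Fraction(n - 1, n) ** attempts


def expected_guesses(digits: int) -> Fraction:
    """Expected number of non-repeating guesses needed when attempts are unlimited.

    Each of the N candidates is equally likely to be the password, and the attacker
    needs k guesses if it is the k-th candidate tried, so the mean of 1..N applies.
    """
    n = password_space(digits)
    return Fraction(n + 1, 2)


if __name__ == "__main__":
    for digits in (1, 2, 4):
        for attempts in (1, 3):
            print(f"{digits}-digit password, {attempts} attempt(s): "
                  f"no repeats {prob_guessed_within(digits, attempts)}, "
                  f"with repeats {prob_guessed_within_with_repeats(digits, attempts)}")
        print(f"{digits}-digit password, unlimited attempts: "
              f"expected guesses {expected_guesses(digits)}")
```

Lengthening the password multiplies the denominator by ten per digit, while the three-attempt lockout caps the numerator at three, which is why the two measures compound.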