[OWASP_PHPSEC] Second Library - Password Management
rahul chaudhary
rahul300chaudhary400 at gmail.com
Wed May 29 08:41:05 UTC 2013
Hmm, makes sense... it's an indication that I must sleep now. :P But I
get your point now, and I realize where I was thinking wrong. Let me
study jframework's code more closely. I will get back to
you. Thanks.
On Wed, May 29, 2013 at 4:34 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> That's actually a terrible idea!
> We are not making an application, we are making a library. Maybe it's used
> in a nuclear authentication system, and they require very strong
> passwords, and it may be used for a mobile online game, where they require
> very weak passwords.
>
> We have to provide the infrastructure. Password length has nothing to do
> with anything. As mentioned before, four thousand As are the same as three
> As in the case of entropy, though it is more unlikely that an attacker
> tries that one.
>
> We should provide two functions (as seen in jframework), one to calculate
> password strength, and one to generate password with some estimated
> strength, and let the developers force their required strength upon their
> users.
>
> It's a good idea to include special characters and lower, upper, numbers
> into the strength calculation, and also to weight them, but it should not be
> the main idea.
>
> Thanks
> -Abbas
>
> On 8 Khordad 1392 (29 May 2013), at 12:59, rahul chaudhary <rahul300chaudhary400 at gmail.com>
> wrote:
>
> How about this:
>
> We say that the minimum length is 8 characters and two special characters
> are mandatory. Then I assign a weight to characters, such that lower-case
> letters get 1 point, capitals get 2 points and specials get 3
> points. So now I can define a minimum weight. Say the password is
> "@!br|Err"; then the weight would be:
>
> 3 special * 3 + 4 small * 1 + 1 large * 2 = 15. This way we can define a min
> weight that must be satisfied.
>
> In this we can also introduce entropy so that someone can't keep a
> password such as "@@@@****". So we can define a min entropy that must be
> satisfied.
>
> and then we can also put "pattern recognition" on top of it...
>
>
> On Wed, May 29, 2013 at 4:25 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Keep the conversations in the mailing list, for further reference please.
>>
>> Actually jframework currently has all of them, but needs more generic
>> pattern detection.
>> -Abbas
>>
>> On 8 Khordad 1392 (29 May 2013), at 12:45, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> OK, quite challenging. So if I can modify jframework's function and
>> include these things, will that be OK?
>>
>>
>> On Wed, May 29, 2013 at 4:14 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Exactly. Checking password length is not very useful, but checking
>>> entropy is.
>>> On top of that, we need to detect patterns, such as 123456. 123456 has 6
>>> bytes of entropy, but from an attacker's perspective, it's just one guess!
>>> -Abbas
>>>
>>> On 8 Khordad 1392 (29 May 2013), at 12:40, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>> I also, in a hurry, didn't explain myself nicely. Here is what I meant
>>> to say. With a given string we need to find the probability with which it
>>> can be predicted, i.e. on prediction the entropy must be high, i.e. it must be
>>> more random.
>>>
>>> Now if in a string of length 200, 90% of the characters are 'a', then it
>>> becomes easy for the attacker to guess that password. Hence the entropy is
>>> low.
>>>
>>> So we need to find the entropy of each string to check its randomness. The
>>> higher the value of entropy, the better for us.
>>>
>>> Am I correct?
>>>
>>>
>>> On Wed, May 29, 2013 at 4:04 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> Hi,
>>>> No, entropy is not like that.
>>>> Let me make a few examples:
>>>> If you have a string with two thousand A's concatenated, and you gzip
>>>> it, you get 8 bits of result.
>>>> If you have a string with two thousand A's and two thousand B's, you
>>>> gzip it, you get 16 bits.
>>>> Now if you have AAABBB and gzip it, you also get 16 bits.
>>>> They both have the same entropy, they are essentially the same
>>>> information, but the second one is expanded.
>>>>
>>>> Entropy is the number of bits, and theoretically speaking, no zipping
>>>> algorithm can compress the data lower than the data's entropy.
>>>> -Abbas
>>>> On 8 Khordad 1392 (29 May 2013), at 12:26, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>> > Yeah, I just saw it before you sent me the message. The log formula
>>>> that you have used here is the entropy calculator function, right?
>>>> >
>>>> > So this whole function won't change...maybe I am not understanding it
>>>> correctly. My understanding is that entropy is how much info you gain. So
>>>> with a string, you get some value between 0 and 1 and then you use this
>>>> value. Right?
>>>> >
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
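As an added example, not code from this thread, from jframework or from the PHPSEC library (which is PHP), here is a Python sketch of the functions the thread asks for: the per-string Shannon figure the thread calls "entropy", a brute-force search-space estimate, the character-class weighting proposed above, pattern detection for identical runs, sequences, keyboard walks and repeated blocks, an attacker-perspective estimate that collapses patterned passwords to one guess from a short list, the compression view of redundancy, and a generator that draws a password for a target strength. The digit weight of 1, the detection thresholds and the 1000-entry pattern list are assumptions made for this example, and the sample passwords are constructed. One caveat on the compression view: a zlib stream carries a fixed header and checksum, so it only separates redundant from random input on long strings, and the absolute byte counts differ from the figures quoted in the thread.

```python
"""Password strength as the thread frames it: several estimates plus pattern detection.
Added example, not jframework/PHPSEC code. Constants below are illustrative assumptions."""
import math
import secrets
import string
import zlib

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
PATTERN_LIST_SIZE = 1000  # assumption: entries in the attacker's list of common patterns
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable chars


def shannon_entropy_bits(password: str) -> float:
    """Shannon entropy of the string's own character distribution, summed over its length.
    The textbook figure from the thread: 'AAAA' -> 0, '@@@@****' -> 8, '123456' -> ~15.5."""
    n = len(password)
    if n == 0:
        return 0.0
    counts = {}
    for ch in password:
        counts[ch] = counts.get(ch, 0) + 1
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def brute_force_bits(password: str) -> float:
    """Search-space estimate: length * log2(size of the character classes present).
    Assumes every position is independent and uniform, so '123456' counts as 6 random digits."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def class_weight_score(password: str) -> int:
    """The weighting proposed in the thread: lower-case 1, upper-case 2, special 3.
    Digits were not given a weight there; this example assumes 1 for them."""
    score = 0
    for ch in password:
        if ch.islower() or ch.isdigit():
            score += 1
        elif ch.isupper():
            score += 2
        else:
            score += 3
    return score


def _longest_identical_run(s: str) -> int:
    best = run = min(len(s), 1)
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def _longest_sequential_run(s: str) -> int:
    """Longest run where each code point is the previous one +1 or -1 ('123456', 'fedcba')."""
    best = run = min(len(s), 1)
    direction = 0
    for a, b in zip(s, s[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1) and direction in (0, step):
            run += 1
        elif step in (1, -1):
            run = 2  # direction flipped: the new run starts with this pair
        else:
            run = 1
        direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best


def _keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if any min_len-character window lies on a keyboard row, forwards or backwards."""
    s = s.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(s[i:i + min_len] in row for i in range(len(s) - min_len + 1) for row in rows)


def _repeated_block(s: str) -> bool:
    """True if the whole string is one block repeated two or more times ('abcabc', '@@@@')."""
    n = len(s)
    return any(n % k == 0 and s[:k] * (n // k) == s for k in range(1, n // 2 + 1))


def detect_patterns(password: str) -> list:
    """Describe the guessable structure found. Thresholds (3 identical, 4 sequential or
    keyboard) are choices made for this example."""
    findings = []
    if _longest_identical_run(password) >= 3:
        findings.append("run of identical characters")
    if _longest_sequential_run(password) >= 4:
        findings.append("ascending/descending sequence")
    if _keyboard_walk(password):
        findings.append("keyboard walk")
    if _repeated_block(password):
        findings.append("repeated block")
    return findings


def guess_entropy_bits(password: str) -> float:
    """Attacker-perspective estimate. A password showing any pattern is treated as one entry
    in a PATTERN_LIST_SIZE wordlist (so '123456' drops from ~20 bits to ~10); otherwise the
    brute-force figure stands. Deliberately blunt: a real scorer would split the string into
    pattern and non-pattern segments and sum their costs."""
    if detect_patterns(password):
        return math.log2(PATTERN_LIST_SIZE)
    return brute_force_bits(password)


def compressed_len(s: str) -> int:
    """zlib output size in bytes, the compression view of redundancy from the thread. The
    stream has a fixed header and checksum, so compare long strings rather than absolutes."""
    return len(zlib.compress(s.encode()))


def generate_password(target_bits: float, alphabet: str = ALPHABET) -> str:
    """CSPRNG password with at least target_bits of search space; re-drawn on the rare
    occasion detect_patterns flags it."""
    length = max(1, math.ceil(target_bits / math.log2(len(alphabet))))
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not detect_patterns(pw):
            return pw


if __name__ == "__main__":
    for pw in ("123456", "qwerty", "@@@@****", "@!br|Err", "Zq7#mLp2!x"):  # constructed samples
        print(f"{pw:12} shannon={shannon_entropy_bits(pw):5.1f} brute={brute_force_bits(pw):5.1f}"
              f" guess={guess_entropy_bits(pw):5.1f} weight={class_weight_score(pw):2d}"
              f" {detect_patterns(pw)}")
    print("2000 x 'A' compresses to", compressed_len("A" * 2000), "bytes")
```

The point it makes concrete is the one from the thread: "123456" scores about 15.5 bits by Shannon and about 20 bits by search space, yet the pattern detector reduces it to one entry in a short list, while a CSPRNG-drawn 10-character password from the 94-character alphabet keeps its full 65 bits. The library's job, as argued above, is to expose the estimate and the generator; the minimum a given application enforces is the caller's decision.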