[Owasp-board] [GPC] OWASP Secure Password Project Proposal

Paulo Coimbra paulo.coimbra at owasp.org
Thu Nov 18 19:08:24 UTC 2010


All,

 

I thank you, Jason, for stepping in. Taking into account your feedback, I
propose we wait a bit to see if both Loredana and Josh & his team agree.

 

Thanks,

- Paulo

 

 

Paulo Coimbra,
OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>

 

From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of Jason Li
Sent: Thursday, 18 November 2010 18:57
To: Paulo Coimbra
Cc: Josh Sokol; loredana.mancini at business-e.it; Genung Gregory; James
Wickett; Global Projects Committee; Ben Broussard; matt.tesauro at owasp.org;
OWASP Foundation Board List
Subject: Re: [GPC] OWASP Secure Password Project Proposal

 

Paulo,

 

Thank you for bringing this to everyone's attention. We have a very large
portfolio of projects that we still need to get a handle on.

 

I looked into the PASSWD working session that Loredana refers to and it
appears that this initiative was to create metrics and standards related to
security (and presumably about passwords although this is not actually
stated in the session goals).

 

As such, I believe the similarity between these two projects is only in
the name. The Secure Password project as proposed by Josh and his team
appears to be to create a repository of common passwords and generation
strategies and to move this data into a large rainbow table.

 

I see a lot of potential synergy between the two projects in that the
results of the Secure Password project can be used as evidence to support
why we need stronger secure authentication controls. As you point out, the
PASSWD project has not moved beyond their initial query for information, but
when it does begin, I personally am not concerned about potential overlap.

 

-Jason

 

On Thu, Nov 18, 2010 at 3:30 PM, Paulo Coimbra <paulo.coimbra at owasp.org>
wrote:

All, GPC,

 

Roughly a month ago, on November 7th, we received a message from
Loredana Mancini, copied above, signalling the intention of 'restarting' an
OWASP Project that Lucilla Mancini and Massimo Biagiotti had tried to create
without success in 2008 under the name OWASP PASSWD.

 

From what I can understand, the projects to be led respectively by Loredana
and Josh Sokol seem to have somewhat overlapping scopes. Also, Loredana first
pointed out her intention to lead work in the passwords field but has not yet
answered our request to send us the information required to set the project
up, whereas the team led by Josh has already sent all the needed data.

 

Therefore, given the scenario described above, and before proposing any
action plan to you, I ask you all how you think we should proceed.

 

Thanks,

- Paulo

 

 

Paulo Coimbra,
OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>

 

From: global-projects-committee-bounces at lists.owasp.org
[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of Jason Li
Sent: Thursday, 18 November 2010 16:52
To: Josh Sokol
Cc: Genung Gregory; James Wickett; Global Projects Committee; Ben Broussard;
matt.tesauro at owasp.org
Subject: Re: [GPC] OWASP Secure Password Project Proposal

 

Josh,

 

Thanks for the well thought out project proposal!

 

Your project sounds like it has great potential - my only note is to ensure
that your project license choice is consistent with the open source
requirement of all OWASP projects.

 

As I see Matt is one of your major project contributors, I'm sure he's kept
you in line :)

 

Please let us know if the GPC can be of any assistance.

 

Paulo - can you make sure to take this information and create the necessary
project infrastructure (mailing list, wiki page, etc)? Thanks!

 

-Jason

 

On Thu, Nov 18, 2010 at 2:03 PM, Josh Sokol <josh.sokol at ni.com> wrote:

OWASP Global Projects Committee, 

The Austin OWASP Chapter has been thinking for the past year about ideas on
how we can do a chapter project that would give back to OWASP and the AppSec
community at large.  I believe we finally have an idea that is worth
submitting for your official review as an OWASP Project: 

Project Name: OWASP Secure Password Project 

Project Purpose / Overview: 

The majority of the world's authentication systems rely on a single-factor
authentication mechanism: the password.  A simple internet search yields
thousands of pages dedicated to the topic of creating a secure password, but
almost all of them are inherently flawed in that they recommend either
joining pieces of known information to compile a secure password or applying
variations of character conversion schemes to commonly known words and
phrases.  The inherent problem with this approach is that if the pieces are
known, then it is fairly trivial to compute the variations that compile the
whole password.

This project will have a two-pronged approach designed to put more nails in
the single-factor method of authentication.  First, we will create an
interactive portal where penetration testers are able to enter known
information about the target.  This known information can then be broken
down and converted to create a large downloadable dictionary list that has
been customized to the target.  This list will be added to a comprehensive
standard dictionary with the character conversions performed on that as
well.  The result would be a large list of commonly used passwords,
dictionary words, target specific passwords, and various derivatives of each
which should cover the vast majority of passwords used today.

The second prong of our approach will be to capture the results of all data
collected into a large database.  This data will be hashed with common
hashing methods to create what will become the world's largest rainbow
tables.  A user can provide us with a hash and we can do a lookup against
these tables to search for matching entries.  The goal here is to put a stop
to unsalted password hashes for authentication. 

Project Roadmap: 

The initial roadmap will be based on the number of project contributors
which is yet to be determined.  Our goal would be to have a very rough
architecture within the first three months of 2011, some initial POC coding
done by the end of June 2011, and a beta version ready to show off by the
end of December 2011. 

Project Links: None 

Project License: TBD 

Project Leader Name: Josh Sokol 

Project Leader E-mail: josh.sokol at owasp.org 

Project Leader Wiki Account: jsokol 

Project Contributors: James Wickett, Matt Tesauro, Ben Broussard, Greg
Genung, and others TBD 

Project Main Links: None
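The proposal above rests on one observation: a hash of a common password computed without a salt is the same for every account that uses it, so a table of hashes precomputed once answers any later lookup, and only per-user salting (with a slow key derivation function) defeats that. The Python script below is an added illustration for readers of this thread, not code from the proposal or from any OWASP project. It builds a tiny in-memory lookup table from a constructed list of sample passwords, shows that an unsalted digest is recovered by a single dictionary lookup, and shows that the same password stored as a salted PBKDF2 hash cannot appear in any table built in advance. The password list, user names and salts are all constructed for the example; the function names are the example's own.

```python
import hashlib
import hmac
import os

# Constructed sample of common passwords (illustrative only; not the project's list).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Password1", "summer2010"]

# Fast, unsalted digests of the kind a precomputed table is built for.
UNSALTED_ALGORITHMS = ("md5", "sha1", "sha256")


def unsalted_hash(alg, password):
    """Plain digest of the password with no salt: identical for every user who picks it."""
    return hashlib.new(alg, password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords, algorithms=UNSALTED_ALGORITHMS):
    """Precompute (algorithm, digest) -> plaintext for every password in the list.

    A real rainbow table trades storage for recomputation along hash chains; this
    plain dictionary is the conceptual equivalent for a tiny wordlist.
    """
    table = {}
    for pw in passwords:
        for alg in algorithms:
            table[(alg, unsalted_hash(alg, pw))] = pw
    return table


def lookup_unsalted(table, alg, digest):
    """Return the plaintext if this unsalted digest was precomputed, else None."""
    return table.get((alg, digest.lower()))


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The salt makes the stored value unique per account, so no table built in
    advance can contain it; the iteration count makes every guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_user_record(password):
    """What a hardened credential store keeps per user: a random salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record, candidate):
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(salted_hash(candidate, record["salt"]), record["hash"])


def is_in_common_list(table, candidate):
    """Defensive use of the same table at signup: reject any password it already knows."""
    return lookup_unsalted(table, "sha256", unsalted_hash("sha256", candidate)) is not None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # An unsalted MD5 of a common password is recovered by one dictionary lookup.
    leaked = unsalted_hash("md5", "letmein")
    print("unsalted md5 lookup:", lookup_unsalted(table, "md5", leaked))

    # Two users with the same weak password get different salted hashes, and
    # neither value exists in the precomputed table.
    alice, bob = new_user_record("letmein"), new_user_record("letmein")
    print("salted hashes differ:", alice["hash"] != bob["hash"])
    print("salted hash found in table:", lookup_unsalted(table, "sha256", alice["hash"]))
    print("alice login ok:", verify_password(alice, "letmein"))
    print("reject common password at signup:", is_in_common_list(table, "qwerty"))
```

The same lookup table serves two opposite purposes, which is the synergy the thread discusses: as evidence that an unsalted store is already broken, and as a signup-time filter that refuses passwords any such table would contain. Salting alone only removes precomputation; the PBKDF2 iteration count is what slows down per-account guessing once a salted hash has leaked.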

 

 
