[OWASP_PHPSEC] Second Library - Password Management

Abbas Naderi abiusx at owasp.org
Wed May 29 08:25:53 UTC 2013


Keep the conversations in the mailing list, for further reference please.

Actually jframework currently has all of them, but needs more generic pattern detection.
-Abbas
On ۸ خرداد ۱۳۹۲, at ۱۲:۴۵, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> ok...quite challenging...so if I can modify the jframwork's function and include these things...will that be ok??
> 
> 
> On Wed, May 29, 2013 at 4:14 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> Exactly. Checking password length is not very useful, but checking entropy is.
> On top of that, we need to detect patterns, such as 123456. 123456 has 6 byte entropy, but from an attacker's perspective, its just one guess!
> -Abbas
> 
> On ۸ خرداد ۱۳۹۲, at ۱۲:۴۰, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> I also in a hurry didn't explained myself nicely. Here is what I meant to say. With a given string we need to find the probability with which it can be predicted i.e on prediction the entropy must be high i.e it must be more random.
>> 
>> Now if in a string of length 200, and 90% of them are 'a', then it becomes easy for the attacker to guess that password. Hence the entropy is low.
>> 
>> So we need to find entropy of each string to check its randomness....the higher the value of entropy, the better for us...
>> 
>> am I correct ?
>> 
>> 
>> On Wed, May 29, 2013 at 4:04 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Hi,
>> No entropy is not like that.
>> Let me make a few examples:
>> If you have a string with two thousand A's concatenated, and you gzip it, you get 8 bits of result.
>> If you have a string with two thousand A's and two thousand B's, you gzip it, you get 16 bits.
>> Now if you have AAABBB and gzip it, you also get 16 bit.
>> They both have the same entropy, they are essentially the same information, but the second one is expanded.
>> 
>> Entropy is the number of bits, and theoretically speaking, no zipping algorithm can compress the data lower than the data's entropy.
>> -Abbas
>> On ۸ خرداد ۱۳۹۲, at ۱۲:۲۶, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>> > yeah..I just saw it before you sent me the message. The log formula that you have used here is the entropy calculator function right?
>> >
>> > So this whole function won't change...maybe I am not understanding it correctly. My understanding is that entropy is how much info you gain. So with a string, you get some value between 0 and 1 and then you use this value. Right?
>> >
>> 
>> 
>> 
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
> 
> 
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130529/16788753/attachment.html>


More information about the OWASP_PHP_Security_Project mailing list