[OWASP_PHPSEC] Second Library - Password Management
rahul300chaudhary400 at gmail.com
Wed May 29 08:29:45 UTC 2013
HOw about this:
we say that minimum length is 8 characters...and two special characters are
mandatory...then I assign weight to characters such as small-case alphabets
gets 1 point...capital get 2 points and special gets 3 points...so now I
can define a minimum weight. say the password is "@!br|Err", then the
weight would be:
3special * 3 + 4small * 1 + 1large * 2 = 15...this way we can define a min
weight that must be satisfied...
In this we can also introduce entropy so that someone can't keep a password
such as "@@@@****"....so we can define a min entropy that must be
and then we can also put "pattern recognition" on top of it...
On Wed, May 29, 2013 at 4:25 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> Keep the conversations in the mailing list, for further reference please.
> Actually jframework currently has all of them, but needs more generic
> pattern detection.
> On ۸ خرداد ۱۳۹۲, at ۱۲:۴۵, rahul chaudhary <rahul300chaudhary400 at gmail.com>
> ok...quite challenging...so if I can modify the jframwork's function and
> include these things...will that be ok??
> On Wed, May 29, 2013 at 4:14 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Exactly. Checking password length is not very useful, but checking
>> entropy is.
>> On top of that, we need to detect patterns, such as 123456. 123456 has 6
>> byte entropy, but from an attacker's perspective, its just one guess!
>> On ۸ خرداد ۱۳۹۲, at ۱۲:۴۰, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>> I also in a hurry didn't explained myself nicely. Here is what I meant to
>> say. With a given string we need to find the probability with which it can
>> be predicted i.e on prediction the entropy must be high i.e it must be more
>> Now if in a string of length 200, and 90% of them are 'a', then it
>> becomes easy for the attacker to guess that password. Hence the entropy is
>> So we need to find entropy of each string to check its randomness....the
>> higher the value of entropy, the better for us...
>> am I correct ?
>> On Wed, May 29, 2013 at 4:04 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> No entropy is not like that.
>>> Let me make a few examples:
>>> If you have a string with two thousand A's concatenated, and you gzip
>>> it, you get 8 bits of result.
>>> If you have a string with two thousand A's and two thousand B's, you
>>> gzip it, you get 16 bits.
>>> Now if you have AAABBB and gzip it, you also get 16 bit.
>>> They both have the same entropy, they are essentially the same
>>> information, but the second one is expanded.
>>> Entropy is the number of bits, and theoretically speaking, no zipping
>>> algorithm can compress the data lower than the data's entropy.
>>> On ۸ خرداد ۱۳۹۲, at ۱۲:۲۶, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>> > yeah..I just saw it before you sent me the message. The log formula
>>> that you have used here is the entropy calculator function right?
>>> > So this whole function won't change...maybe I am not understanding it
>>> correctly. My understanding is that entropy is how much info you gain. So
>>> with a string, you get some value between 0 and 1 and then you use this
>>> value. Right?
>> Rahul Chaudhary
>> Ph - 412-519-9634
> Rahul Chaudhary
> Ph - 412-519-9634
Ph - 412-519-9634
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP_PHP_Security_Project