[OWASP_PHPSEC] Second Library - Password Management

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed May 29 08:33:24 UTC 2013


Because entropy alone cannot determine randomness...consider a password
"abridge"...it has all different characters...the entropy would be
high...but it is susceptible to dictionary attacks....


On Wed, May 29, 2013 at 4:29 AM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:

> How about this:
>
> we say that minimum length is 8 characters...and two special characters
> are mandatory...then I assign weight to characters such as lower-case
> letters get 1 point...capitals get 2 points and specials get 3
> points...so now I can define a minimum weight. Say the password is
> "@!br|Err", then the weight would be:
>
> 3special * 3 + 4small * 1 + 1large * 2 = 15...this way we can define a min
> weight that must be satisfied...
>
> In this we can also introduce entropy so that someone can't keep a
> password such as "@@@@****"....so we can define a min entropy that must be
> satisfied...
>
> and then we can also put "pattern recognition" on top of it...
>
>
> On Wed, May 29, 2013 at 4:25 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Keep the conversations in the mailing list, for further reference please.
>>
>> Actually jframework currently has all of them, but needs more generic
>> pattern detection.
>> -Abbas
>>
>> On 8 Khordad 1392, at 12:45, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> ok...quite challenging...so if I can modify the jframework's function and
>> include these things...will that be ok?
>>
>>
>> On Wed, May 29, 2013 at 4:14 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Exactly. Checking password length is not very useful, but checking
>>> entropy is.
>>> On top of that, we need to detect patterns, such as 123456. 123456 has 6
>>> bytes of entropy, but from an attacker's perspective, it's just one guess!
>>> -Abbas
>>>
>>> On 8 Khordad 1392, at 12:40, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>> I also, in a hurry, didn't explain myself nicely. Here is what I meant
>>> to say. With a given string we need to find the probability with which it
>>> can be predicted, i.e. on prediction the entropy must be high, i.e. it must
>>> be more random.
>>>
>>> Now if, in a string of length 200, 90% of the characters are 'a', then it
>>> becomes easy for the attacker to guess that password. Hence the entropy is
>>> low.
>>>
>>> So we need to find entropy of each string to check its randomness....the
>>> higher the value of entropy, the better for us...
>>>
>>> am I correct ?
>>>
>>>
>>> On Wed, May 29, 2013 at 4:04 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> Hi,
>>>> No, entropy is not like that.
>>>> Let me make a few examples:
>>>> If you have a string with two thousand A's concatenated, and you gzip
>>>> it, you get 8 bits of result.
>>>> If you have a string with two thousand A's and two thousand B's, and you
>>>> gzip it, you get 16 bits.
>>>> Now if you have AAABBB and gzip it, you also get 16 bits.
>>>> They both have the same entropy, they are essentially the same
>>>> information, but the second one is expanded.
>>>>
>>>> Entropy is the number of bits, and theoretically speaking, no zipping
>>>> algorithm can compress the data lower than the data's entropy.
>>>> -Abbas
>>>> On 8 Khordad 1392, at 12:26, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>> > yeah..I just saw it before you sent me the message. The log formula
>>>> that you have used here is the entropy calculator function right?
>>>> >
>>>> > So this whole function won't change...maybe I am not understanding it
>>>> correctly. My understanding is that entropy is how much info you gain. So
>>>> with a string, you get some value between 0 and 1 and then you use this
>>>> value. Right?
>>>> >
>>>>
>>>>



-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
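The thread proposes three layers for a password-strength check: a per-character-class weight with a minimum total, a minimum Shannon entropy so that strings like "@@@@****" are rejected, and pattern detection on top so that "123456" or the dictionary word "abridge" are caught even though their character entropy looks fine. The following is an added example written for this page, not jframework's code or anything from the OWASP PHP Security Project; it is in Python rather than PHP because the logic is language-independent. The weights for lower/upper/special characters (1/2/3) come from the thread; the weight of 1 for digits, the thresholds in `evaluate`, the minimum run length of 4 for sequence and repeat detection, and the tiny `COMMON_WORDS` set are all assumptions made for illustration (a real checker would load a full wordlist).

```python
import math


# Constructed, deliberately tiny wordlist for illustration only (assumption).
COMMON_WORDS = {"abridge", "password", "letmein", "welcome", "qwerty"}


def class_weight(password: str) -> int:
    """Weight proposed in the thread: lower-case 1, upper-case 2, special 3.
    Digits are scored as 1 here; the thread did not assign them a weight."""
    weight = 0
    for ch in password:
        if ch.islower():
            weight += 1
        elif ch.isupper():
            weight += 2
        elif ch.isdigit():
            weight += 1  # assumption, see lead-in
        else:
            weight += 3
    return weight


def shannon_entropy_bits(password: str) -> float:
    """Total Shannon entropy (bits) of the password's own character
    frequency distribution: per-symbol entropy multiplied by length.
    A string made of one repeated character scores 0."""
    if not password:
        return 0.0
    n = len(password)
    counts = {}
    for ch in password:
        counts[ch] = counts.get(ch, 0) + 1
    per_symbol = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_symbol * n


def has_sequence(s: str, min_len: int) -> bool:
    """True if s contains a run of >= min_len characters whose code points
    increase or decrease by exactly 1 each step, e.g. '123456' or 'dcba'."""
    run, prev_step = 1, None
    for a, b in zip(s, s[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == prev_step else 2
        else:
            run = 1
        prev_step = step
        if run >= min_len:
            return True
    return False


def has_repeat(s: str, min_len: int) -> bool:
    """True if s contains the same character >= min_len times in a row."""
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        if run >= min_len:
            return True
    return False


def detect_patterns(password: str) -> list:
    """The 'pattern recognition' layer: cheap structural checks that
    entropy alone misses. Returns a list of pattern labels found."""
    found = []
    if password.lower() in COMMON_WORDS:
        found.append("dictionary-word")
    if has_sequence(password, 4):
        found.append("sequential-run")
    if has_repeat(password, 4):
        found.append("repeated-run")
    return found


def evaluate(password: str, min_length: int = 8, min_specials: int = 2,
             min_weight: int = 12, min_entropy_bits: float = 12.0) -> list:
    """Apply all three layers. Returns the list of reasons the password is
    rejected; an empty list means it passed. Thresholds are assumptions."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too-short")
    if sum(1 for ch in password if not ch.isalnum()) < min_specials:
        reasons.append("too-few-specials")
    if class_weight(password) < min_weight:
        reasons.append("weight-below-minimum")
    if shannon_entropy_bits(password) < min_entropy_bits:
        reasons.append("entropy-below-minimum")
    reasons.extend(detect_patterns(password))
    return reasons


if __name__ == "__main__":
    for pw in ("@!br|Err", "@@@@****", "abridge", "123456"):
        print(f"{pw!r:12} weight={class_weight(pw):2d} "
              f"entropy={shannon_entropy_bits(pw):5.2f} bits "
              f"-> {evaluate(pw) or 'accepted'}")
```

Running it reproduces the thread's numbers: "@!br|Err" scores a weight of 15 and passes every layer, "@@@@****" passes the weight rule but fails on entropy and on the repeated run, and both "abridge" and "123456" have entropy well above "@@@@****" yet are still rejected by the dictionary and sequence checks. Shannon entropy of the string's own character histogram is a cheap proxy and is not an estimate of the attacker's guess count, which is exactly why the pattern layer sits on top of it.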