[OWASP_PHPSEC] Second Library - Password Management

Abbas Naderi abiusx at owasp.org
Wed May 29 08:34:39 UTC 2013


That's actually a terrible idea!
We are not making an application, we are making a library. Maybe it's used in a nuclear authentication system, where they require very strong passwords, and it may be used for a mobile online game, where they require very weak passwords.

We have to provide the infrastructure. Password length has nothing to do with anything. As mentioned before, four thousand As are the same as three As in the case of entropy, though it is more unlikely that an attacker tries that one.

We should provide two functions (as seen in jframework), one to calculate password strength, and one to generate a password with some estimated strength, and let the developers force their required strength upon their users.

It's a good idea to include special characters and lower, upper, numbers into strength calculation, and also weighting them, but it should not be the main idea.

Thanks
-Abbas
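As an added example (my own code, not jframework's or the OWASP PHPSEC library's), the three signals discussed in this thread side by side in PHP: the per-class weights proposed below, Shannon entropy in bits, and a minimal run/sequence detector for inputs like 123456. Giving digits a weight of 1 and treating every other byte as "special" are my assumptions; the thread does not fix them.

```php
<?php
// Added example: three independent strength signals for one password.
// None of this is the OWASP PHPSEC / jframework implementation.

// Class weighting as proposed in the thread: lowercase 1, uppercase 2,
// special 3. Digits = 1 and "everything else is special" are assumptions.
function classWeight(string $password): int {
    $weight = 0;
    if ($password === '') return 0;
    foreach (str_split($password) as $ch) {
        if (ctype_lower($ch))      $weight += 1;
        elseif (ctype_upper($ch))  $weight += 2;
        elseif (ctype_digit($ch))  $weight += 1;  // assumption
        else                       $weight += 3;  // assumption: special
    }
    return $weight;  // "@!br|Err" -> 3+3+1+1+3+2+1+1 = 15
}

// Shannon entropy of the byte distribution, scaled to the whole string.
// "AAAAAAAA" gives 0 bits; "@@@@****" gives 1 bit/char * 8 = 8 bits.
function shannonBits(string $password): float {
    $len = strlen($password);
    if ($len === 0) return 0.0;
    $bitsPerChar = 0.0;
    foreach (count_chars($password, 1) as $n) {
        $p = $n / $len;
        $bitsPerChar -= $p * log($p, 2);
    }
    return $bitsPerChar * $len;
}

// Pattern check: a constant run (step 0) or a straight ascending/descending
// byte sequence (step +1/-1) such as 123456 or abcdef is one guess for an
// attacker no matter what the entropy figure says.
function isObviousPattern(string $password): bool {
    $len = strlen($password);
    if ($len < 3) return false;
    $step = ord($password[1]) - ord($password[0]);
    if (abs($step) > 1) return false;
    for ($i = 2; $i < $len; $i++) {
        if (ord($password[$i]) - ord($password[$i - 1]) !== $step) return false;
    }
    return true;
}

// Constructed sample inputs taken from the discussion.
foreach (['@!br|Err', '123456', '@@@@****', 'AAAAAAAA'] as $pw) {
    printf("%-10s weight=%2d entropy=%5.2f bits pattern=%s\n", $pw,
        classWeight($pw), shannonBits($pw), isObviousPattern($pw) ? 'yes' : 'no');
}
```

A library would expose the three numbers and let the application decide its thresholds, which is the point made above: 123456 scores 15.5 bits and a weight of 6 yet is flagged as a pattern, while "@@@@****" passes the pattern check but only reaches 8 bits.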
On 8 Khordad 1392, at 12:59, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> How about this:
> 
> we say that minimum length is 8 characters...and two special characters are mandatory...then I assign weight to characters such as small-case letters get 1 point...capitals get 2 points and specials get 3 points...so now I can define a minimum weight. Say the password is "@!br|Err", then the weight would be:
> 
> 3special * 3 + 4small * 1 + 1large * 2 = 15...this way we can define a min weight that must be satisfied...
> 
> In this we can also introduce entropy so that someone can't keep a password such as "@@@@****"....so we can define a min entropy that must be satisfied...
> 
> and then we can also put "pattern recognition" on top of it...
> 
> 
> On Wed, May 29, 2013 at 4:25 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> Keep the conversations in the mailing list, for further reference please.
> 
> Actually jframework currently has all of them, but needs more generic pattern detection.
> -Abbas
> 
> On 8 Khordad 1392, at 12:45, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> ok...quite challenging...so if I can modify the jframework's function and include these things...will that be ok?
>> 
>> 
>> On Wed, May 29, 2013 at 4:14 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Exactly. Checking password length is not very useful, but checking entropy is.
>> On top of that, we need to detect patterns, such as 123456. 123456 has 6 byte entropy, but from an attacker's perspective, it's just one guess!
>> -Abbas
>> 
>> On 8 Khordad 1392, at 12:40, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>>> I was also in a hurry and didn't explain myself nicely. Here is what I meant to say. With a given string we need to find the probability with which it can be predicted, i.e. on prediction the entropy must be high, i.e. it must be more random.
>>> 
>>> Now if in a string of length 200, 90% of the characters are 'a', then it becomes easy for the attacker to guess that password. Hence the entropy is low.
>>> 
>>> So we need to find entropy of each string to check its randomness....the higher the value of entropy, the better for us...
>>> 
>>> am I correct ?
>>> 
>>> 
>>> On Wed, May 29, 2013 at 4:04 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> Hi,
>>> No, entropy is not like that.
>>> Let me make a few examples:
>>> If you have a string with two thousand A's concatenated, and you gzip it, you get 8 bits of result.
>>> If you have a string with two thousand A's and two thousand B's, you gzip it, you get 16 bits.
>>> Now if you have AAABBB and gzip it, you also get 16 bits.
>>> They both have the same entropy, they are essentially the same information, but the second one is expanded.
>>> 
>>> Entropy is the number of bits, and theoretically speaking, no zipping algorithm can compress the data lower than the data's entropy.
>>> -Abbas
>>> On 8 Khordad 1392, at 12:26, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> 
>>> > yeah..I just saw it before you sent me the message. The log formula that you have used here is the entropy calculator function right?
>>> >
>>> > So this whole function won't change...maybe I am not understanding it correctly. My understanding is that entropy is how much info you gain. So with a string, you get some value between 0 and 1 and then you use this value. Right?
>>> >
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
