[OWASP_PHPSEC] Second Library - Password Management
rahul300chaudhary400 at gmail.com
Wed May 29 08:41:05 UTC 2013
hmm..makes sense....it's an indication that I must sleep now..:P .... but I
get your point now...and I realize where I was thinking wrong...let me
study the jframework's code more closely...I will get back to
On Wed, May 29, 2013 at 4:34 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> That's actually a terrible idea!
> We are not making an application, we are making a library. Maybe it's used
> in a nuclear authentication system, and they require very strong
> passwords, and it may be used for a mobile online game, where they require
> very weak passwords.
> We have to provide the infrastructure. Password length has nothing to do
> with anything. As mentioned before, four thousand As are the same as three
> As in the case of entropy, though it is more unlikely that an attacker
> tries that one.
> We should provide two functions (as seen in jframework), one to calculate
> password strength, and one to generate password with some estimated
> strength, and let the developers force their required strength upon their
> It's a good idea to include special characters and lower, upper, numbers
> into strength calculation, and also weighting them, but it should not be
> the main idea.
> On 8 Khordad 1392, at 12:59, rahul chaudhary <rahul300chaudhary400 at gmail.com>
> How about this:
> we say that minimum length is 8 characters...and two special characters
> are mandatory...then I assign weight to characters such as small-case
> alphabets get 1 point...capitals get 2 points and specials get 3
> points...so now I can define a minimum weight. Say the password is
> "@!br|Err", then the weight would be:
> 3special * 3 + 4small * 1 + 1large * 2 = 15...this way we can define a min
> weight that must be satisfied...
> In this we can also introduce entropy so that someone can't keep a
> password such as "@@@@****"....so we can define a min entropy that must be
> and then we can also put "pattern recognition" on top of it...
> On Wed, May 29, 2013 at 4:25 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Keep the conversations in the mailing list, for further reference please.
>> Actually jframework currently has all of them, but needs more generic
>> pattern detection.
>> On 8 Khordad 1392, at 12:45, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>> ok...quite challenging...so if I can modify the jframework's function and
>> include these things...will that be ok??
>> On Wed, May 29, 2013 at 4:14 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> Exactly. Checking password length is not very useful, but checking
>>> entropy is.
>>> On top of that, we need to detect patterns, such as 123456. 123456 has 6
>>> byte entropy, but from an attacker's perspective, it's just one guess!
>>> On 8 Khordad 1392, at 12:40, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>> I, also in a hurry, didn't explain myself nicely. Here is what I meant
>>> to say. With a given string we need to find the probability with which it
>>> can be predicted, i.e. on prediction the entropy must be high, i.e. it must be
>>> more random.
>>> Now if in a string of length 200, 90% of them are 'a', then it
>>> becomes easy for the attacker to guess that password. Hence the entropy is
>>> So we need to find the entropy of each string to check its randomness....the
>>> higher the value of entropy, the better for us...
>>> am I correct?
>>> On Wed, May 29, 2013 at 4:04 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>> No, entropy is not like that.
>>>> Let me make a few examples:
>>>> If you have a string with two thousand A's concatenated, and you gzip
>>>> it, you get 8 bits of result.
>>>> If you have a string with two thousand A's and two thousand B's, you
>>>> gzip it, you get 16 bits.
>>>> Now if you have AAABBB and gzip it, you also get 16 bits.
>>>> They both have the same entropy, they are essentially the same
>>>> information, but the second one is expanded.
>>>> Entropy is the number of bits, and theoretically speaking, no zipping
>>>> algorithm can compress the data lower than the data's entropy.
>>>> On 8 Khordad 1392, at 12:26, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>> yeah..I just saw it before you sent me the message. The log formula
>>>>> that you have used here is the entropy calculator function right?
>>>>> So this whole function won't change...maybe I am not understanding it
>>>>> correctly. My understanding is that entropy is how much info you gain. So
>>>>> with a string, you get some value between 0 and 1 and then you use this
>>>>> value. Right?
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
Ph - 412-519-9634
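As an added example (not jframework's or OWASP PHPSEC's code), the three ideas traded in this thread side by side in PHP: Rahul's character weighting, Shannon entropy in bits, and the kind of pattern check Abbas asks for. The function names, and the weight of 1 for digits (the mail gives none), are assumptions.

```php
<?php
// Rahul's weighting: lower-case 1, upper-case 2, digits 1 (assumed),
// anything else counts as a special character worth 3.
function characterWeight(string $password): int
{
    $weight = 0;
    foreach (str_split($password) as $c) {
        if (ctype_lower($c))     { $weight += 1; }
        elseif (ctype_upper($c)) { $weight += 2; }
        elseif (ctype_digit($c)) { $weight += 1; }
        else                     { $weight += 3; }
    }
    return $weight;
}

// Shannon entropy of the string in bits: length * sum(-p * log2(p)) over
// the distinct bytes. Repeating one character adds nothing, so "AAAA"
// and four thousand A's both score 0, which is Abbas's point.
function shannonBits(string $password): float
{
    $len = strlen($password);
    if ($len === 0) { return 0.0; }
    $bitsPerChar = 0.0;
    foreach (count_chars($password, 1) as $n) {   // byte => occurrences
        $p = $n / $len;
        $bitsPerChar -= $p * log($p, 2);
    }
    return $bitsPerChar * $len;
}

// Pattern detection: a run like 123456, abcdef or 000000 is one guess for
// an attacker regardless of what the character statistics say.
function isSimplePattern(string $password): bool
{
    $len = strlen($password);
    if ($len < 2) { return true; }
    $same = $up = $down = true;
    for ($i = 1; $i < $len; $i++) {
        $d = ord($password[$i]) - ord($password[$i - 1]);
        if ($d !== 0)  { $same = false; }
        if ($d !== 1)  { $up = false; }
        if ($d !== -1) { $down = false; }
    }
    return $same || $up || $down;
}

// Combine: a recognised pattern zeroes the entropy estimate, as suggested above.
function passwordStrength(string $password): array
{
    $pattern = isSimplePattern($password);
    return ['weight'  => characterWeight($password),
            'entropy' => $pattern ? 0.0 : round(shannonBits($password), 1),
            'pattern' => $pattern];
}

// Samples from the thread (constructed): "@!br|Err" weighs 15 as in the mail;
// "@@@@****" weighs 24 but carries only 8 bits; 123456 and AAAA... are patterns.
foreach (['@!br|Err', '@@@@****', '123456', str_repeat('A', 4000)] as $p) {
    $label = strlen($p) > 12 ? 'A x' . strlen($p) : $p;
    printf("%-10s %s\n", $label, json_encode(passwordStrength($p)));
}
```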