Message-ID: <20100329125226.GA30615@openwall.com>
Date: Mon, 29 Mar 2010 16:52:26 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] passwdqc 1.2.1; C/R algorithms

Hi,

This is to announce two minor items at once:

1. passwdqc 1.2.1 is out:

http://www.openwall.com/passwdqc/

In this version, a password strength check has been adjusted to no longer subject certain passwords that start with a digit and/or end with a capital letter to an unintentionally stricter policy. Those interested in more detail about this change may refer to the verbose commit message and maybe the code changes here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/passwdqc/passwdqc/passwdqc_check.c?only_with_tag=PASSWDQC_1_2_1

2. I've published a couple of enhanced challenge/response authentication algorithms that I came up with while working on popa3d 10+ years ago:

http://openwall.info/wiki/people/solar/algorithms/challenge-response-authentication

The goal was to address the major drawback of existing simple C/R schemes such as APOP and CRAM-MD5 (where these would require storage of plaintext passwords or of plaintext-equivalents on the server, thereby possibly making the setup less secure than it would be with simple password authentication not involving C/R), yet not go all the way for public-key crypto (stay simple). This goal was achieved, although the algorithms do have certain limitations. They didn't fit in the existing C/R exchanges supported in POP3 and in its existing extensions, hence they never made it into popa3d.

Please feel free to reuse these.

Alexander
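An added illustration, not part of the original message and not code from passwdqc or popa3d, of the storage drawback described above: it uses the standard APOP (RFC 1939) and CRAM-MD5 (RFC 2195) computations to show what a server must keep in order to verify a response. The secret, salt, challenge strings and helper names are constructed for the example.

```python
import hashlib
import hmac

def apop_digest(banner: bytes, secret: bytes) -> str:
    """APOP (RFC 1939): hex MD5 of the server's banner timestamp + shared secret."""
    return hashlib.md5(banner + secret).hexdigest()

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def salted_hash(salt: bytes, secret: bytes) -> bytes:
    """Stand-in for what a server stores for plain (non-C/R) password auth."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def cram_md5_keyed_state(secret: bytes):
    """Keyed HMAC-MD5 context with no message yet: avoids storing the password
    itself, but is a plaintext-equivalent as far as CRAM-MD5 is concerned."""
    return hmac.new(secret, digestmod=hashlib.md5)

def respond_from_state(state, challenge: bytes) -> str:
    """Compute a CRAM-MD5 response from the stored state alone."""
    ctx = state.copy()            # leave the stored context untouched
    ctx.update(challenge)
    return ctx.hexdigest()

def demo() -> dict:
    secret, salt = b"constructed-secret", b"constructed-salt"   # constructed values
    c1 = b"<1.1269867146@mail.example>"                          # constructed challenges
    c2 = b"<2.1269867147@mail.example>"
    client_apop = apop_digest(c1, secret)
    client_cram = cram_md5_digest(secret, c1)
    state = cram_md5_keyed_state(secret)
    return {
        # The server can check APOP only by recomputing with the plaintext secret.
        "apop_with_plaintext": hmac.compare_digest(apop_digest(c1, secret), client_apop),
        # A salted one-way hash, enough for plain password auth, is useless here.
        "apop_with_hash": hmac.compare_digest(
            apop_digest(c1, salted_hash(salt, secret)), client_apop),
        # The stored HMAC state verifies a CRAM-MD5 response without the password...
        "cram_with_state": hmac.compare_digest(respond_from_state(state, c1), client_cram),
        # ...and answers any other challenge too, so it needs the password's protection.
        "state_answers_new_challenge": hmac.compare_digest(
            respond_from_state(state, c2), cram_md5_digest(secret, c2)),
    }

if __name__ == "__main__":
    print(demo())
```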