Message-Id: <6710DA41-5D4A-424B-9B4A-05FBD08FE170@goldmark.org>
Date: Tue, 10 May 2016 12:34:50 -0500
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Password-Manager Friendly (PMF) semantic markup

On 2016-05-10, at 2:59 AM, Per Thorsheim <per@...rsheim.net> wrote:

> http://pmfriendly.org/
> 
> First presented by Max Spencer at #passwords14 in Trondheim, I am still
> a fan of this idea.

So am I. This is the kind of thing that we (at AgileBits, the makers of
1Password) have been hoping that someone would develop and get happening.

Taking a look

 http://pmfriendly.org/static/documents/2014-StaSpeJen-pmf.pdf

there are a couple of minor issues that pop up.

The semantics of mustHave is asking for trouble in terms of
misunderstanding. The example

  mustHave: ["upper", "lower", "digit"]

is described as requiring at least one upper, at least one lower, AND
at least one digit. Yet people will want to specify an OR meaning as
well. That is, at least one from the UNION of upper, lower, and digit.

I would like to see a way to express both. But more importantly, whether
the character classes listed in mustHave are meant as AND or OR; someone
is going to get it wrong. Sure the AND meaning might be more natural, but
we should expect that some people will give it the OR meaning.

The other thing is that the proposal should make it clear which base64
character set is meant by “base64”. We might find that in the context in
which PMF is used that base64url is more common.

I cannot speak for resource allocation at AgileBits. We’d love to see
(something) like this. But I don’t anticipate that we can dedicate
resources toward development until I can really convince the powers that
be that our already stretched extension and “brain”[1] team should spend
time on this, no matter how beneficial it will be in the longer run.

So I would love to promise that we will be the first (well, after Pico)
password manager to implement this, but I can’t.

[1]: We refer to the part of 1Password that analyzes a DOM to figure out
what field is what and how to fill them as “the Brain”.

Cheers,

-j

-- 
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
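As an added illustration of the two points raised in this message (not part of the thread, and not the PMF specification's own schema), here is a small Python policy checker that makes the AND/OR distinction explicit and keeps base64 and base64url as separate character classes; the keys allOf, anyOf and allowed are hypothetical names chosen for this example.

```python
import string

# Character classes used by the checker.  "base64" and "base64url" are kept
# separate because the two alphabets differ in their last two symbols
# ('+/' versus '-_').  Class names are assumed for this illustration.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "base64": set(string.ascii_letters + string.digits + "+/"),
    "base64url": set(string.ascii_letters + string.digits + "-_"),
}


def has_class(password, cls):
    """True if at least one character of the password belongs to cls."""
    return any(ch in CLASSES[cls] for ch in password)


def check_policy(password, policy):
    """Evaluate a policy whose AND/OR semantics are stated explicitly.

    Hypothetical policy keys (all optional):
      allOf   - every listed class must appear at least once (AND)
      anyOf   - at least one listed class must appear (OR, i.e. the union)
      allowed - every character must belong to one of the listed classes
    Returns a list of violation descriptions; an empty list means compliant.
    """
    violations = []

    missing = [c for c in policy.get("allOf", []) if not has_class(password, c)]
    if missing:
        violations.append("allOf: missing " + ", ".join(missing))

    any_of = policy.get("anyOf", [])
    if any_of and not any(has_class(password, c) for c in any_of):
        violations.append("anyOf: none of " + ", ".join(any_of))

    allowed = policy.get("allowed")
    if allowed:
        permitted = set().union(*(CLASSES[c] for c in allowed))
        bad = sorted({ch for ch in password if ch not in permitted})
        if bad:
            violations.append("allowed: forbidden characters " + "".join(bad))

    return violations
```

The same password can pass an anyOf rule and fail the allOf rule over the same three classes, which is exactly the ambiguity a single mustHave key invites.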
