Message-ID: <20160619172516.GA23111@openwall.com>
Date: Sun, 19 Jun 2016 20:25:16 +0300
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Am I Overlooking any Practical Attacks?

Sorry for not addressing the actual question, but:

On Sun, Jun 19, 2016 at 03:12:41AM -0400, Scott Arciszewski wrote:
> * Weak passwords are rejected. Weak means a Zxcvbn score < 3 (this
> parameter can be configured). The rejection takes place server-side, but we
> also use zxcvbn.js to give users immediate feedback. Consequently, one of
> the 10,000 most common passwords will be accepted. The password feedback
> messages also strongly encourage the use of password managers.

All of this is probably as it should be.  Zxcvbn is fine and I am not
suggesting switching, but FWIW passwdqc is also usable on both server-
and client-side, the latter due to its port to JavaScript here:

https://github.com/odin-public/passwdqc-js

It does not report a score, but rather a Boolean pass/fail (and a reason
why), but it can be used as a strength meter as well by invoking it with
several policies (e.g., 2 policies to obtain strong/moderate/weak).

I don't know what 10k most common passwords you're referring to, but
passwdqc with default policy does not accept any of RockYou top 10k:

http://openwall.info/wiki/passwdqc/rockyou

It does happen to accept 4 out of RockYou top 30k, but those 4 are:

j4**9c+p
#1hottie
<div><embed src=\
Lets you update your FunNotes and more!

I think it's accidental that they are in RockYou top 30k rather than
further down the list.  Out of these 4, #1hottie is probably the most
likely to be seen elsewhere, but accepting such not too complex
passwords is part of keeping the policy reasonable for the users.
Whether this is an adequate tradeoff or not depends on many aspects,
including the value of individual accounts.  Of course, passwdqc
settings can be tuned such that this password wouldn't be accepted.

Alexander
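The two ideas in the reply above, a Boolean pass/fail checker that also returns a reason, and running such a checker under more than one policy to turn it into a strong/moderate/weak meter, as an added example. This is not passwdqc's or zxcvbn's code: the `Policy` class, the class-count thresholds and the `COMMON` list are constructed, simplified stand-ins for illustration only.

```python
# Added example (not passwdqc or zxcvbn): a simplified pass/fail checker with a
# reason, evaluated under two policies to give strong / moderate / weak.
from dataclasses import dataclass
import string

@dataclass(frozen=True)
class Policy:
    # Minimum length for a password using 1, 2, 3 or 4 character classes.
    # None disables that case entirely (in the spirit of passwdqc's "disabled").
    min_by_classes: tuple

# Constructed sample standing in for a "most common passwords" list; a real
# deployment would load e.g. the RockYou top-N and compare case-insensitively.
COMMON = frozenset({"password", "123456", "qwerty", "iloveyou", "#1hottie"})

# Constructed thresholds (hypothetical; not passwdqc's real defaults).
STRICT = Policy((None, 24, 12, 10))
LENIENT = Policy((None, 16, 8, 7))

def char_classes(pw: str) -> int:
    """Count which of lowercase, uppercase, digit and other are present."""
    other = string.ascii_letters + string.digits
    return (any(c in string.ascii_lowercase for c in pw)
            + any(c in string.ascii_uppercase for c in pw)
            + any(c in string.digits for c in pw)
            + any(c not in other for c in pw))

def check(pw: str, policy: Policy, blocklist=COMMON) -> tuple:
    """Return (ok, reason): server-side rejection with an explanation."""
    if pw.lower() in blocklist:
        return False, "is in the common-password list"
    n = char_classes(pw)
    need = policy.min_by_classes[n - 1] if n else None
    if need is None:
        return False, f"only {n} character class(es), which this policy does not allow"
    if len(pw) < need:
        return False, f"needs at least {need} characters for {n} character classes"
    return True, "ok"

def strength(pw: str) -> tuple:
    """Two policies yield three outcomes; the reason explains the next step up."""
    strict_ok, strict_reason = check(pw, STRICT)
    if strict_ok:
        return "strong", "ok"
    lenient_ok, lenient_reason = check(pw, LENIENT)
    if lenient_ok:
        return "moderate", strict_reason
    return "weak", lenient_reason
```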
