Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20171029213221.GA2936@openwall.com>
Date: Sun, 29 Oct 2017 22:32:21 +0100
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Real world password policies

Arnold,

You must have been reading my thoughts.

On Sun, Oct 29, 2017 at 03:39:07PM -0400, Arnold Reinhold wrote:
> 1. As suggested earlier in this thread, exclude the user's login name, email address, and other personal info that can be easily scraped from public social media and the like from the length calculation. (I would credit each as one letter)

Earlier in this thread, I oversimplified and said passwdqc removes such
substrings, but actually in 2010 I made a commit to "Partially discount
rather than fully remove weak substrings."  (That's the commit message.)
There's no point in removing them fully when a too-short substring of
such a substring wouldn't have triggered the weak substring detection
yet.  Moreover, that would be inconsistent and confusing - would result
in cases when a longer password (with a substring above the detection
threshold) fails the policy check, but a similar shorter one (with a
similar substring truncated to be just below the threshold) passes the
check.  Thus, such substrings just need to be given as much credit as a
just below the threshold substring would be, but not fully removed.

> 2.  Require a password that doesn't crack easily.
[...]
> such testing can be done quite efficiently using a Bloom filter.

That's my tentative plan for passwdqc 2.0.  Not so much for processing
and shipping a password cracker output, although that can be done, but
rather to take advantage of the recent (and not so recent) availability
of large password leaks, widespread acceptance of their use for the
purpose, and to be consistent with the new NIST guidelines.

The 320 million SHA-1 hashes of leaked passwords (without even
re-cracking them first, although folks did that) from
https://haveibeenpwned.com/Passwords would comfortably fit in an
8 GiB Bloom filter with negligible false positive rate and nearly
instant checks.

Of course, actually installing this Bloom filter on a system will be
optional, or a differently-sized one could be installed.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.