Comments (4)
Oh, and Randall's minimum of 44 bits of entropy could be cracked in 17592186044416 / 42408000000 = 414.83 seconds.
Oy.
from hsxkpasswd.
I'm very much in two minds about raising the seen entropy threshold.
A few thoughts:
- the seen entropy is an absolute positively worst-case scenario where the attacker not only knows which module you used to generate your password, but what exact settings you used, and what exact dictionary you used. In reality it seems very unlikely all three of those things will be true, so realistically, the attacker will have a lot more permutations to try.
- I chose 52 bits because it's equivalent to an 8 character password, still in line with a lot of password advice (at least for now) - if all hell breaks loose and an attacker knows exactly how you generate your passwords as described above, still having the equivalent of a truly random 8 character password in that extreme scenario seems quite good.
- If I raise it, and it starts warning people too soon, it may put people off what are actually very strong passwords in realistic situations, and drive them back to much worse practices they had before.
- If I raise it, what do I raise it to?
(I made the thresholds configurable, so those who want higher thresholds can configure them as they desire - this can be done in the config file BTW)
I don't have a firm opinion on this, so I'm open to persuasion.
As for adding in cracking times, I can see why it would be appealing, but it's something I'm just not comfortable doing. For a start, no matter how I calculate them, someone will be on here telling me I'm wrong. Secondly, cracking times are guesstimates at best, and the code will constantly need to be updated to reflect new developments. I don't think I want to maintain that kind of code.
The reason I chose entropy and permutations as my stats is that those are measurable quantities. There is no guesswork there, and the number will never change. Those who want to estimate cracking times can use the permutations count and current estimates of cracking speed to get their answer.
from hsxkpasswd.
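The arithmetic behind the first two comments, as an added Python example (not hsxkpasswd's own code): a simplified permutation model for the "seen" worst case where the attacker knows the dictionary and every setting, the equivalent random-character length used to justify the 52-bit threshold, and the exhaustive crack-time figure from the first comment. The dictionary size, settings and guess rate are constructed inputs, and the permutation formula is an assumed simplification rather than the module's real one.

```python
"""Seen-entropy and crack-time arithmetic from the thread (added example)."""
import math

# Constructed assumption: an 8-character "truly random" password is drawn
# from the 95 printable ASCII characters.
PRINTABLE_ASCII = 95


def seen_permutations(dict_size, num_words, case_variants_per_word=1,
                      separator_choices=1, padding_digits=0):
    """Permutations left to an attacker who knows the dictionary, the word
    count and every setting. Simplified model: words are drawn with
    replacement from the dictionary, each word gets one of
    case_variants_per_word casings, one separator is picked from
    separator_choices, and padding_digits decimal digits are appended."""
    perms = dict_size ** num_words
    perms *= case_variants_per_word ** num_words
    perms *= separator_choices
    perms *= 10 ** padding_digits
    return perms


def entropy_bits(permutations):
    """Entropy is just log2 of the permutation count: a measurable quantity."""
    return math.log2(permutations)


def blind_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """What an attacker sees who knows only length and character set."""
    return length * math.log2(alphabet_size)


def equivalent_random_chars(bits, alphabet_size=PRINTABLE_ASCII):
    """How many uniformly random characters carry the same entropy."""
    return bits / math.log2(alphabet_size)


def exhaustive_crack_seconds(permutations, guesses_per_second):
    """Time to search the whole keyspace at a fixed rate, as in the
    2^44 / 42408000000 figure quoted above (an average hit takes half)."""
    return permutations / guesses_per_second


def below_seen_threshold(seen_bits, threshold=52):
    """True when the seen entropy would trigger the module's warning."""
    return seen_bits < threshold


if __name__ == "__main__":
    perms = seen_permutations(1024, 3, case_variants_per_word=2, padding_digits=2)
    bits = entropy_bits(perms)
    print(f"seen: {perms} permutations, {bits:.2f} bits, "
          f"~{equivalent_random_chars(bits):.1f} random chars, "
          f"warn={below_seen_threshold(bits)}")
    print(f"2^44 at 42.408 GH/s: {exhaustive_crack_seconds(2**44, 42408000000):.2f} s")
```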
I always assume worst-case, that the attacker knows exactly which dictionary you used and what settings you used. They just presumably don't know the specific password/phrase entry that you selected from the list that was generated. That's why I like having you provide the "seen entropy", because that is my worst case right there. Even if we don't change the defaults for warning or anything, it would be nice to have the entropy information output by default in all cases, so that people could judge for themselves how far they might want/need to go.
Or, if not output by default in all cases, then give me a configurable option I can set to get that behaviour, and then a good sample configuration file that I could put into my home directory that would automatically get used, if present.
from hsxkpasswd.
As for cracking times, I was assuming we might see a high/medium/low spread, based on configurable defaults. The default might be to not display this information at all, or not display it if the configured speeds are set to zero. Then users could set their own configured hashing speeds, in their configuration file.
from hsxkpasswd.