Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 3 Sep 2016 22:39:23 -0500
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Authentication process

*«what do you mean "strength"?»*

Refusing certain passwords judged too weak ("123456", "password",
"rockyou", etc.)

*«are you fighting against memorability?»*

Not fighting it.  Just saying that memorability = pattern = lack of
randomness.  A user-defined password will always lead to this.  For
example, if you give someone a random password, it is only random if the
user accepts it as is.  If there is a button he can click to produce
another one until he's satisfied with the one he gets, then it's not random.

*«why do you concentrate on brute force guessing?*

*do you discard all intelligently designed dictionaries?*
*why?»*

User-defined passwords could never be trusted (to be hard to guess) because
they will never be random, thus rules can be made for dictionary attacks.
If passwords are truly random, these attacks are just simply ineffective.

*«_ONES_ have entropy of exactly ZERO.**»*

By 'ones' I was referring to 'truly random passwords'.

*«**by the definition of entropy.*

*(look it up, by the way)*
*ANY password has zero entropy.»*

I'm not sure about the definition of password entropy you are referring to,
but you can find mine on Wikipedia
<https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength>.
Per that definition, the best defense against a brute force attack is
higher entropy, which should deter any attacker to even try guessing a
password.  But for this to work, passwords must be chosen in a truly random
fashion.

*«**you have destroyed any appeal to entropy (just *
*few lines above, without my help) by showing how a password creation *
*procedure is UNRELATED to a password guessing procedure.**»*

The point I'm trying to make is that they are related.  If a user defines a
rule to create a password to help him remember it (consciously or not),
therefore an attacker can define the same rule to help him guessing that
same password.  Thus, that rule the user defines destroys drastically the
password entropy.  For example, if I ask you to guess the 10-digit number I
have in my head, we can be here all night.  But if you know that I usually
choose the same digit 10 times to make up my number because it is easier to
remember, within at most 10 trials you will guess my number.

*«somebody impolitely and arrogantly claimed that EVERYBODY on the list is
well informed about irrelevance of the entropy to the password guessing
problem.*
*care to take your words and insults back?»*

I don't understand.  Are you referring to me? I didn't claim such thing,
especially that it is my first time here and I don't know anyone, so how
would I judge them?

All I wanted, was to have some feedback about this login process I created
<https://github.com/maherbo/easy-random-password-login>.  Do you think it
would help against attackers trying to steal passwords or login into an
account; whether they do it online or they steal the database and try to
guess the passwords?  Do you think I introduced other weaknesses that are
no better (or worse) than the ones I try to defeat (i.e. steal user's
passwords)?  Do you think the login process is not enough user-friendly?

On Sat, Sep 3, 2016 at 8:09 PM, e@...tmx.net <e@...tmx.net> wrote:

> 'Complexity' is the rules that are required for passwords such as
>> minimum length, lower & upper cases, digits and special characters.
>>
>
> so "complexity" == "password policy"
> noted.
>
>
> More and more passwords have to pass a 'strength' test before being
>> accepted (ex.: blacklist)
>>
>
> what do you mean "strength"?
>
>
> With 'trusted' I refer to the fact that no matter how you will restrict
>> the password that are allowed, people will always find some sort of
>> pattern to help memorizing it.
>>
>
> are you fighting against memorability?
>
>
> it seems that we think so much alike that we will all
>> choose the exact same next pattern available
>>
>
> sounds plausible, Matt Weir made this point very clear with tangible data.
>
>
> Thus my comment, "user-defined passwords could never be trusted" and
>> only truly random passwords should be used,
>>
>
> non-sequitur.
>
>
> But there are not
>> user-friendly, especially ones with enough entropy
>>
>
> _ONES_ have entropy of exactly ZERO.
> by the definition of entropy.
> (look it up, by the way)
> ANY password has zero entropy.
>
> also worth noticing that you have destroyed any appeal to entropy (just
> few lines above, without my help) by showing how a password creation
> procedure is UNRELATED to a password guessing procedure.
>
>
> brute force attacks of powerful machines.
>>
>
> why do you concentrate on brute force guessing?
> do you discard all intelligently designed dictionaries?
> why?
>
>
> P.S.
> i understand by "trust" you mean "accept" am i right?
>
> PS/2
> somebody impolitely and arrogantly claimed that EVERYBODY on the list is
> well informed about irrelevance of the entropy to the password guessing
> problem.
> care to take your words and insults back?
>
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.