Date: Mon, 29 Mar 2010 16:52:26 +0400 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com Subject: [openwall-announce] passwdqc 1.2.1; C/R algorithms Hi, This is to announce two minor items at once: 1. passwdqc 1.2.1 is out: http://www.openwall.com/passwdqc/ In this version, a password strength check has been adjusted to no longer subject certain passwords that start with a digit and/or end with a capital letter to an unintentionally stricter policy. Those interested in more detail about this change may refer to the verbose commit message and maybe the code changes here: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/passwdqc/passwdqc/passwdqc_check.c?only_with_tag=PASSWDQC_1_2_1 2. I've published a couple of enhanced challenge/response authentication algorithms that I came up with while working on popa3d 10+ years ago: http://openwall.info/wiki/people/solar/algorithms/challenge-response-authentication The goal was to address the major drawback of existing simple C/R schemes such as APOP and CRAM-MD5 (where these would require storage of plaintext passwords or of plaintext-equivalents on the server, thereby possibly making the setup less secure than it would be with simple password authentication not involving C/R), yet not go all the way for public-key crypto (stay simple). This goal was achieved, although the algorithms do have certain limitations. They didn't fit in the existing C/R exchanges supported in POP3 and in its existing extensions, hence they never made it into popa3d. Please feel free to reuse these. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.