| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Aug 2013 22:38:39 +0100
From: Peter Maxwell <peter@...icient.co.uk>
To: discussions@...sword-hashing.net
Subject: Minimal security estimates or guarantees for password hash parameter sets?
Following Dennis Hamilton's thread, "Interdependence of t_cost and m_cost
parameters", I had a thought: it is worthwhile specifying a "security
estimate" or "security guarantee" for various parameter sets in an
algorithm's submission?
We know:
i. from sample password data sets, we now have a large corpus of
statistical information on historical general user password choice, i.e. a
distribution showing density of user passwords by various complexity
measures; and,
ii. a good idea of how much computing power an attacker can bring to bear
for a certain cost, or at least a reasonable estimate thereof.
It should not be overly difficult[*] for algorithm designers to specify for
each of a limited number of parameter sets a security estimate/guarantee of
the form, "using this set of parameters, roughly x% of passwords would be
cracked by an attacker with £y to spend". Yes, I know that the example
statement I've supplied is really a parametric curve, but you get the jist
-- supplying the developer that's going to use the password hash with
something more concrete to go on.
[*] - with some initial assumptions, of course
As long as it is not too onerous a requirement, the designer could
potentially specify a minimal password complexity requirement that the
target systems must implement to firm-up the estimate.
Anyway, just a thought.
Peter
Content of type "text/html" skipped
Powered by blists - more mailing lists