Message-ID: <0dd1d27446134b36aeae7590e4111369@BY2PR03MB074.namprd03.prod.outlook.com>
Date: Mon, 27 Jan 2014 19:19:46 +0000
From: Marsh Ray <maray@...rosoft.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>,
Peter Maxwell <peter@...icient.co.uk>
Subject: RE: [PHC] Opinions sought on whether a specific side-channel leakage is ok.
From: Krisztián Pintér [mailto:pinterkr@...il.com]
>
> Peter Maxwell (at Monday, January 27, 2014, 4:20:55 PM):
> > Without exposing too much of my intended design, I'd like to garner
> > some opinion if that is possible.
>
> you are not going to file a patent, are you?
For the record, similar ideas have been floated before.
> > So, lets say we can associate a given password with a scalar password
> > complexity measure in the interval [0,1] with an as yet to be defined
> > distribution.
>
> here is my objection, above the obvious leak issue. calculating password strength is difficult. it will be a damn complex
> algorithm, supported by tables, many equations and a sizeable dictionary.
What is the entropy of 'Pa$$word1'?
Or a password for which the hash has been exposed in a data breach and possibly cracked?
'Complexity' might be something that an individual site could define on its own. But making a standard definition of 'strength' or 'password entropy' seems basically impossible.
- Marsh
----------------------------
My own opinions, usual disclaimers apply.
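The disagreement above (a strength measure needs tables, equations and a dictionary, and nobody can say what the entropy of 'Pa$$word1' is) can be made concrete with two estimators that give very different answers for the same string. The following is an added example written for this archive page, not code from anyone in the thread: a character-class "meter" estimate of the kind most strength meters use, beside an attacker-model estimate that undoes leet substitutions and digit suffixes before a dictionary lookup. The six-word WORDLIST, the LEET table and the CASE_RULES count are constructed assumptions for the example; a real cracking wordlist holds millions of entries and far more mangling rules.

```python
import math
import re

# Constructed six-word dictionary for the example; a cracker's list holds millions of entries.
WORDLIST = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon"}

# Leet substitutions that a mangling rule undoes before the dictionary lookup (constructed subset).
LEET = {"$": "s", "5": "s", "@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "7": "t"}
LEETABLE = set(LEET.values())  # letters that have at least one leet spelling
CASE_RULES = 3  # lowercase, Capitalised, UPPERCASE: assumed mangling-rule set


def charclass_entropy_bits(pw: str) -> float:
    """Naive meter estimate: len(pw) * log2(size of the union of character classes used)."""
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"[0-9]", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33  # printable ASCII punctuation
    return len(pw) * math.log2(space) if space else 0.0


def cracker_entropy_bits(pw: str) -> float:
    """
    Attacker-model estimate: log2 of the guesses a dictionary attack with case, leet and
    digit-suffix rules needs to cover pw. Falls back to the naive estimate when pw does
    not decode to a dictionary word. Note that the two paths do different amounts of
    work, which is exactly the kind of data-dependent behaviour the thread's subject
    line is worried about leaking.
    """
    if not pw:
        return 0.0
    # Split off up to four trailing digits as the suffix rule; the rest is the candidate word.
    body, suffix = re.fullmatch(r"(.+?)(\d{0,4})", pw).groups()
    decoded = "".join(LEET.get(c, c) for c in body).lower()
    if decoded not in WORDLIST:
        return charclass_entropy_bits(pw)
    # Each leet-able letter may or may not be substituted: 2 ** positions variants.
    leet_variants = 2 ** sum(1 for c in decoded if c in LEETABLE)
    guesses = len(WORDLIST) * CASE_RULES * leet_variants * 10 ** len(suffix)
    return math.log2(guesses)


def estimate_gap_bits(pw: str) -> float:
    """Bits by which the naive meter over-rates pw relative to the cracker model."""
    return charclass_entropy_bits(pw) - cracker_entropy_bits(pw)


if __name__ == "__main__":
    for candidate in ("Pa$$word1", "letmein123", "xk9#Qm2vL"):
        print(candidate,
              f"meter={charclass_entropy_bits(candidate):.1f} bits",
              f"cracker={cracker_entropy_bits(candidate):.1f} bits")
```

With the constructed six-word list, 'Pa$$word1' scores about 59 bits on the character-class meter and about 11.5 bits on the cracker model (6 words, 3 case rules, 16 leet variants, 10 suffix digits); with a realistic wordlist the cracker figure rises, but stays far below the meter's number. A random-looking string such as 'xk9#Qm2vL' gets the same answer from both, so neither estimator is wrong on its own terms, which is the difficulty with standardising any one of them.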