Date: Mon, 27 Jan 2014 19:19:46 +0000
From: Marsh Ray <>
To: "" <>,
	Peter Maxwell <>
Subject: RE: [PHC] Opinions sought on whether a specific side-channel leakage is ok.

From: Krisztián Pintér [] 
> Peter Maxwell (at Monday, January 27, 2014, 4:20:55 PM):
> > Without exposing too much of my intended design, I'd like to garner 
> > some opinion if that is possible.
> you are not going to file a patent, are you?

For the record, similar ideas have been floated before.

> > So, let's say we can associate a given password with a scalar password 
> > complexity measure in the interval [0,1] with an as yet to be defined 
> > distribution.
> here is my objection, above the obvious leak issue. calculating password strength is difficult. it will be a damn complex
> algorithm, supported by tables, many equations and a sizeable dictionary.

What is the entropy of 'Pa$$word1'?

Or a password for which the hash has been exposed in a data breach and possibly cracked?

'Complexity' might be something that an individual site could define on its own. But making a standard definition of 'strength' or 'password entropy' seems basically impossible.

- Marsh

My own opinions, usual disclaimers apply.
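The same string scored three ways, as an added example that is not part of the thread: a charset-policy measure, a small dictionary-aware measure, and a breach-list check all map 'Pa$$word1' onto the [0,1] scalar the proposal asks for and land on very different values. The word list, the breach set and the 64-bit scaling are constructed assumptions.

```python
import hashlib
import math
import re

# Constructed stand-ins for the "sizeable dictionary" and a breach corpus (hypothetical).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome"}
BREACHED_SHA1 = {hashlib.sha1(b"Pa$$word1").hexdigest()}  # constructed: one leaked entry
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "!": "i"})
SYMBOL_CLASS_SIZE = 33  # printable ASCII symbols, as a policy checker would count them
SCALE_BITS = 64.0       # assumed number of bits treated as "full strength" (score 1.0)

def charset_bits(pw):
    """Policy-style measure: len * log2(size of the union of character classes used)."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += SYMBOL_CLASS_SIZE
    return len(pw) * math.log2(size) if size else 0.0

def dictionary_bits(pw):
    """Pattern-aware measure: split off trailing digits, undo leet, look the core up."""
    core, digits = re.fullmatch(r"(.*?)(\d*)", pw).groups()
    if core.lower().translate(LEET) in COMMON_WORDS:
        # index into the word list, ~1 bit each for capitalisation and leet substitution,
        # plus log2(10) per appended digit
        return math.log2(len(COMMON_WORDS)) + 2 + math.log2(10) * len(digits)
    return charset_bits(pw)  # no pattern matched: fall back to the policy measure

def breach_bits(pw):
    """A password already exposed (and possibly cracked) is worth zero bits."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    return 0.0 if digest in BREACHED_SHA1 else charset_bits(pw)

def strength_scores(pw):
    """Map each measure onto the [0, 1] scalar the thread proposes."""
    measures = (("charset", charset_bits), ("dictionary", dictionary_bits), ("breach", breach_bits))
    return {name: min(1.0, f(pw) / SCALE_BITS) for name, f in measures}

if __name__ == "__main__":
    for name, score in strength_scores("Pa$$word1").items():
        print(f"{name:10s} {score:.2f}")
```

Whichever of the three a site picks becomes its definition of 'complexity'; none of them is the entropy of the string.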
