For the record, I posted someone else's strength testing algorithm, and pointed out that it was bad 😊 I personally don't think building strength testing algorithms is hopeless, and I think good ones are very useful. I tend to agree with the current NIST recommendation, which is to primarily only consider length, along with things like history, dictionary words, and reuse.
But in this case, the public is at risk if the key is compromised, so I don't trust a password chosen by an end user, no matter what strength function it may or may not pass. Some form of random password of sufficient length, with the randomness coming from a CSPRNG, encoded into a more user friendly form, is the right answer here. -Tim > -----Original Message----- > From: dev-security-policy [mailto:dev-security-policy- > bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of Ryan > Hurst via dev-security-policy > Sent: Friday, May 4, 2018 5:19 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key > generation to policy) > > > > True, but CAs can put technical constraints on that to limit the acceptable > passwords to a certain strength. (hopefully with a better strength-testing > algorithm than the example Tim gave earlier) > > Tim is the best of us -- this is hard to do well :) > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://clicktime.symantec.com/a/1/B4EQCI- > M91W3VFdrYnu8NKa6AWUA0Oca9gCvph6YNAo=?d=1AFyDzj7qs0LPt1qH7YZK > X7VDlKTG3u4_pF-smh1LdxQUjK6Fx2ySSFy5RdxazxX- > o23v3NFfmxRdpLUwPqiW6yozAgZPzuSbInOcX3x3V3ANyskgECX5k4aeBDO0z1u > RHJpH- > Wb5WOBjb0n16kco9wf4jRlCIO7HgEH4pMHjx4H_POUivn493OPB7U9RX8BArU > 5U87OFuHYndlG0UK-XvQOKqKu6t_3fatFfevp7IT8Jzm4Ze- > xwk8jgsytRsxvWQ561mB9wFaxsYkiFLZMBHmsNDACgJKZxHouitR-aXhUbxF- > fKeFXogKbfDCYiYLqHOe5i8KyS8AzFNsUaZTDGJisXeUJbui5n9H3tF5berZe0DuntP > V7a9yad9- > haeyu7NspHh92Niu71JNcWZks3gkKolxwuU9vUfZCdfiIIhMHniPOMkCkMl0ooM > gbRFl0gnAgmiNcKuIizRC9Z35_snt4pKSXAU12MQLeTdYFZMGmKYEDTvkB2L_So > 3AZHYfUXATSUeQQlo1zSRKZ5Mapw%3D%3D&u=https%3A%2F%2Flists.mozilla > .org%2Flistinfo%2Fdev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
