> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ulrich Windl
> Sent: Wednesday, December 16, 2009 1:08 PM
> To: [email protected]
> Subject: Re: minimum password length check
>
> On 15 Dec 2009 at 22:47, [email protected] wrote:
>
> > From the spec:
> > "
> > CHAP secrets MUST be an integral number of bytes (octets). A
> > compliant implementation SHOULD NOT continue with the login step in
> > which it should send a CHAP response (CHAP_R, Section 11.1.4
> > Challenge Handshake Authentication Protocol (CHAP)) unless it can
> > verify that the CHAP secret is at least 96 bits, or that IPsec
> > encryption is being used to protect the connection.
> > "
>
> You picked up an "interesting" issue: The Microsoft Initiator limits
> the length of the secret to 16 characters (AFAIR). I wrote a little
> program that generates random secrets and estimated the entropy (i.e.
> number of bits):
>
> With 16 random letters, you are at about 92 bits (e.g. mMPuhxfKAYuIFTjZ)
> With 16 random letters with digits you are at about 95 bits (e.g.
> b3v4B8mRoiFWjpF9)
>
> The bad thing is that some characters look quite similar to users, like
> '0' and 'O', or '1' and 'l'. When trying to omit those potentially
> confusing characters (plus adding other punctuation characters, leaving
> out space for obvious reasons), I'm at about 83 bits (e.g.
> u\FphNwuuWCT74+h).
>
> As a side note: Passwords with only six letters in one case only make
> about 28 bits. Now if you think that most users will use words, you can
> guess how poor those passwords actually are.
>
> Using the fully printable ASCII character set without those characters
> that are considered "unsafe" in UNIX, 16 characters would have about
> 102 bits of entropy (e.g. !)Zbl(p7%Hd88L>T)
>
> >
> > The spec suggests that a chap secret be at least 96 bits (or 12
> > characters) but I see that only the AUTH_STR_MAX_LEN of 256
> > characters is used for error checking.
>
> Even when just using digits, that would be 850 bits of entropy,
> probably enough ;-)
>
> Regards,
> Ulrich
>
> >
> > Am I reading this correctly ?
> >
> > -Shyam Iyer
> >
> > --
> >
> > You received this message because you are subscribed to the Google
> Groups "open-iscsi" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to open-
> [email protected].
> > For more options, visit this group at
> http://groups.google.com/group/open-iscsi?hl=en.
> >
> >
>
Essentially what you are saying is that we haven't implemented the
secret's bit randomness calculation to check if it has at least 96 bits
of entropy.
So I guess we should do something like this ....
if (check_96bit_entropy(secret) && strlen(secret) < AUTH_STR_MAX_LEN) {
        /* use_secret ... */
} else {
        /* secret not strong enough .. throw error ... */
}
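Added example, not code from the thread or from open-iscsi: a C version of the character-class entropy estimate Ulrich describes, wired into the check_96bit_entropy() sketched in the reply. It assumes the RFC's 96-bit minimum and the AUTH_STR_MAX_LEN of 256 named above; the class sizes (26 lower, 26 upper, 10 digits, 32 other printable ASCII) are my assumption about how such a program would infer the alphabet.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define AUTH_STR_MAX_LEN 256   /* buffer limit named in the thread */
#define MIN_SECRET_BITS  96.0  /* RFC 3720 minimum for a CHAP secret */

/* log2 by halving and repeated squaring, so the example needs no libm. */
static double log2_bits(double x)
{
    double r = 0.0, f = 0.5;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    for (int i = 0; i < 40; i++) {        /* 40 fractional bits */
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += f; }
        f /= 2.0;
    }
    return r;
}

/* Estimated entropy in bits, assuming each character was drawn uniformly
 * from the union of the classes present in the secret. Returns 0.0 for
 * an empty secret or one containing a space or non-printable byte. */
double secret_entropy_bits(const char *secret)
{
    bool lower = false, upper = false, digit = false, punct = false;
    size_t len = strlen(secret);

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)secret[i];
        if (!isprint(c) || c == ' ')
            return 0.0;
        if (islower(c))      lower = true;
        else if (isupper(c)) upper = true;
        else if (isdigit(c)) digit = true;
        else                 punct = true;
    }
    int alphabet = (lower ? 26 : 0) + (upper ? 26 : 0) +
                   (digit ? 10 : 0) + (punct ? 32 : 0);
    return alphabet ? (double)len * log2_bits((double)alphabet) : 0.0;
}

/* The check sketched in the reply above: the secret must fit the buffer
 * and carry at least MIN_SECRET_BITS of estimated entropy. */
bool check_96bit_entropy(const char *secret)
{
    return strlen(secret) < AUTH_STR_MAX_LEN &&
           secret_entropy_bits(secret) >= MIN_SECRET_BITS;
}
```

The estimate only holds if the secret really was generated at random from the inferred alphabet: a six-letter dictionary word scores the same 28 bits as six random letters, which is exactly Ulrich's point about word-based passwords.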