> -----Original Message-----
> From: open-iscsi@googlegroups.com [mailto:open-is...@googlegroups.com]
> On Behalf Of Ulrich Windl
> Sent: Wednesday, December 16, 2009 1:08 PM
> To: open-iscsi@googlegroups.com
> Subject: Re: minimum password length check
>
> On 15 Dec 2009 at 22:47, shyam_i...@dell.com wrote:
>
> > From the spec:
> > "
> > CHAP secrets MUST be an integral number of bytes (octets). A
> > compliant implementation SHOULD NOT continue with the login step in
> > which it should send a CHAP response (CHAP_R, Section 11.1.4
> > Challenge Handshake Authentication Protocol (CHAP)) unless it can
> > verify that the CHAP secret is at least 96 bits, or that IPsec
> > encryption is being used to protect the connection.
> > "
>
> You picked up an "interesting" issue: The Microsoft Initiator limits the length of
> the secret to 16 characters (AFAIR). I wrote a little program that generates
> random secrets and estimated the entropy (i.e. number of bits):
>
> With 16 random letters, you are at about 92 bits (e.g. mMPuhxfKAYuIFTjZ)
> With 16 random letters with digits you are at about 95 bits (e.g. b3v4B8mRoiFWjpF9)
>
> The bad thing is that some characters look quite similar to users, like '0'
> and 'O', or '1' and 'l'. When trying to omit those potentially confusing characters
> (plus adding other punctuation characters, leaving out space for obvious reasons),
> I'm at about 83 bits (e.g. u\FphNwuuWCT74+h).
>
> As a side note: Passwords with only six letters in one case only make about 28
> bits. Now if you think that most users will use words, you can guess how poor
> those passwords actually are.
>
> Using the fully printable ASCII character set without those characters that are
> considered "unsafe" in UNIX, 16 characters would have about 102 bits of entropy
> (e.g. !)Zbl(p7%Hd88L>T)
>
> > The spec suggests that a chap secret be at least 96 bits or (12
> > characters) but I see that only the AUTH_STR_MAX_LEN of 256 characters
> > is used for error checking.
>
> Even when just using digits, that would be 850 bits of entropy, probably enough ;-)
>
> Regards,
> Ulrich
>
> > Am I reading this correctly ?
> >
> > -Shyam Iyer
> >
> > --
> > You received this message because you are subscribed to the Google Groups "open-iscsi" group.
> > To post to this group, send email to open-is...@googlegroups.com.
> > To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com.
> > For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
Essentially what you are saying is that we haven't implemented the secret's bit randomness calculation to check if it has at least 96 bits of entropy.

So I guess we should do something like this ....

    if (check_96bit_entropy(secret) && strlen(secret) < AUTH_STR_MAX_LEN) {
        use_secret ....
    } else {
        secret not strong enough ..throw error...
    }
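The check sketched in this reply, together with the entropy estimate Ulrich describes in the quoted message, as an added example that is not open-iscsi's own code. It assumes the AUTH_STR_MAX_LEN value of 256 named in the thread and RFC 3720's 96-bit figure; the function names, the verdict enum and the class-based estimate (len * log2 of the size of the character classes that occur in the secret) are this example's own choices, and the secret strings are the ones quoted above plus two constructed weak ones.

```c
/* Added example (not open-iscsi code): estimate the entropy of a CHAP secret
 * the way Ulrich does above, and gate login on RFC 3720's 96-bit SHOULD.
 * Function names and the verdict enum are this example's own inventions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUTH_STR_MAX_LEN     256   /* the existing open-iscsi bound named in the thread */
#define CHAP_SECRET_MIN_BITS 96    /* RFC 3720: CHAP secret of at least 96 bits */

enum chap_secret_verdict {
    SECRET_OK,
    SECRET_TOO_LONG,      /* fails the AUTH_STR_MAX_LEN check that already exists */
    SECRET_TOO_SHORT,     /* under 12 octets, so under 96 bits even if perfectly random */
    SECRET_LOW_ENTROPY    /* long enough in octets, but estimated entropy is below 96 bits */
};

/* log2(x) for x >= 1 without libm: integer part by halving, fractional part
 * by repeated squaring (each squaring reveals one more bit of the mantissa). */
static double log2_approx(double x)
{
    double result = 0.0, bit = 0.5;
    while (x >= 2.0) { x /= 2.0; result += 1.0; }
    for (int i = 0; i < 40; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; result += bit; }
        bit /= 2.0;
    }
    return result;
}

/* Entropy estimate in bits: len * log2(alphabet), where the alphabet is the
 * union of the printable-ASCII classes that occur in the secret. This assumes
 * the generator drew every character uniformly from those classes, so it is an
 * upper bound, not a measurement: a dictionary word scores far too high. */
double chap_secret_entropy_bits(const char *secret)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t len = strlen(secret);

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)secret[i];
        if (islower(c))       lower = 1;
        else if (isupper(c))  upper = 1;
        else if (isdigit(c))  digit = 1;
        else if (isprint(c))  other = 1;   /* 32 punctuation characters plus space */
        else return 0.0;                   /* control or non-ASCII byte: refuse to estimate */
    }
    int alphabet = 26 * lower + 26 * upper + 10 * digit + 33 * other;
    return alphabet ? (double)len * log2_approx((double)alphabet) : 0.0;
}

/* The check the reply sketches, applying both readings of "96 bits" from the
 * thread: at least 12 octets, and at least 96 bits of estimated entropy.
 * RFC 3720 lets IPsec on the connection stand in for the strength check. */
enum chap_secret_verdict check_chap_secret(const char *secret, int ipsec_in_use)
{
    size_t len = strlen(secret);

    if (len >= AUTH_STR_MAX_LEN)
        return SECRET_TOO_LONG;
    if (ipsec_in_use)
        return SECRET_OK;
    if (len * 8 < CHAP_SECRET_MIN_BITS)
        return SECRET_TOO_SHORT;
    if (chap_secret_entropy_bits(secret) < CHAP_SECRET_MIN_BITS)
        return SECRET_LOW_ENTROPY;
    return SECRET_OK;
}

int main(void)
{
    /* Ulrich's sample secrets from the thread, plus two constructed weak ones. */
    const char *samples[] = {
        "mMPuhxfKAYuIFTjZ",   /* 16 letters                   */
        "b3v4B8mRoiFWjpF9",   /* 16 letters and digits        */
        "u\\FphNwuuWCT74+h",  /* 16 with punctuation          */
        "!)Zbl(p7%Hd88L>T",   /* 16 from full printable ASCII */
        "abcdef",             /* six lower-case letters       */
        "123456789012",       /* 12 digits: enough octets, far too few bits */
    };
    static const char *names[] = { "ok", "too long", "too short", "low entropy" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %6.1f bits  -> %s\n", samples[i],
               chap_secret_entropy_bits(samples[i]),
               names[check_chap_secret(samples[i], 0)]);
    return 0;
}
```

Two things the numbers show. First, both 16-character secrets made of letters (about 91 bits) or letters and digits (about 95 bits) fall just under 96, which is the practical consequence of the 16-character initiator limit Ulrich mentions: only a 16-character secret that also uses punctuation clears the bar. Second, the estimate can only see which classes appear, not which alphabet the generator actually used, so for the secret Ulrich generated from a reduced, confusion-free alphabet it reports about 105 bits where he computed 83; the check is therefore a floor on obviously weak secrets, not proof that a secret is random.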