On 18 Dec 2009 at 1:13, shyam_i...@dell.com wrote: > > > > -----Original Message----- > > From: open-iscsi@googlegroups.com [mailto:open-is...@googlegroups.com] > > On Behalf Of Ulrich Windl > > Sent: Wednesday, December 16, 2009 1:08 PM > > To: open-iscsi@googlegroups.com > > Subject: Re: minimum password length check > > > > On 15 Dec 2009 at 22:47, shyam_i...@dell.com wrote: > > > > > From the spec: > > > " > > > CHAP secrets MUST be an integral number of bytes (octets). A > > > compliant implementation SHOULD NOT continue with the login step > > in > > > which it should send a CHAP response (CHAP_R, Section 11.1.4 > > > Challenge Handshake Authentication Protocol (CHAP)) unless it can > > > verify that the CHAP secret is at least 96 bits, or that IPsec > > > encryption is being used to protect the connection. > > > " > > > > You picked up an "interesting" issue: The Microsoft Initiator limits > > the length of > > the secret to 16 characters (AFAIR). I wrote a lottle program that > > generates > > random secrets and estimated the entropy (i.e. number of bits): > > > > With 16 random letters, you are at about 92 bits (e.g. > mMPuhxfKAYuIFTjZ) > > With 16 random letters with digits you are at about 95 bits (e.g. > > b3v4B8mRoiFWjpF9) > > > > What algorithm are you using to arrive at this ... > > Googling(and some of my information theory lit..) almost always hints me > to shannon's theorem to find the randomness of a character string ...

As pointed out before, this is the randomness of a string the program creates itself. So if you unly use the set {A,B,C,D} that two bits per randomly chosen element. Then a ten-character string will have 10*2=20 bits of entropy. More complex scenarios are similar. Now if you have the String "ABCD" its randomness will actually vary, depending on the range of characters chosen. For the full alphabet an 'A' will have more significant bits than in the example above. IMHO that's the problem: If you don't know the range being used, you cannot guess the entropy. Of course you can try to derive the range from the string being seen, but that's just a guess. Likewise, when considering "December" as a password, it's true entropy is much less once you know that the range of passwords are only month names. (And so on) > > Check this > http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html Yes that's the basics, but you never know how randomly the user picked it's characters. Obviously this wasn't very random, even though a program might think so: qwertzuiop Regards, Ulrich P.S: Off-topic, isn't it? -- You received this message because you are subscribed to the Google Groups "open-iscsi" group. To post to this group, send email to open-is...@googlegroups.com. To unsubscribe from this group, send email to open-iscsi+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.