> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ulrich Windl
> Sent: Friday, December 18, 2009 3:24 PM
> To: [email protected]
> Subject: RE: minimum password length check
>
> On 18 Dec 2009 at 1:13, [email protected] wrote:
>
> >
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:open- [email protected]]
> > > On Behalf Of Ulrich Windl
> > > Sent: Wednesday, December 16, 2009 1:08 PM
> > > To: [email protected]
> > > Subject: Re: minimum password length check
> > >
> > > On 15 Dec 2009 at 22:47, [email protected] wrote:
> > >
> > > > From the spec:
> > > > "
> > > > CHAP secrets MUST be an integral number of bytes (octets). A
> > > > compliant implementation SHOULD NOT continue with the login step in
> > > > which it should send a CHAP response (CHAP_R, Section 11.1.4
> > > > Challenge Handshake Authentication Protocol (CHAP)) unless it can
> > > > verify that the CHAP secret is at least 96 bits, or that IPsec
> > > > encryption is being used to protect the connection.
> > > > "
> > >
> > > You picked up an "interesting" issue: The Microsoft Initiator limits the length of
> > > the secret to 16 characters (AFAIR). I wrote a little program that generates
> > > random secrets and estimated the entropy (i.e. number of bits):
> > >
> > > With 16 random letters, you are at about 92 bits (e.g. mMPuhxfKAYuIFTjZ)
> > > With 16 random letters with digits you are at about 95 bits (e.g. b3v4B8mRoiFWjpF9)
> > >
> >
> > What algorithm are you using to arrive at this ...
> >
> > Googling (and some of my information theory lit..) almost always hints me
> > to Shannon's theorem to find the randomness of a character string ...
>
> As pointed out before, this is the randomness of a string the program creates
> itself. So if you only use the set {A,B,C,D} that's two bits per randomly chosen
> element. Then a ten-character string will have 10*2=20 bits of entropy. More
> complex scenarios are similar.
>
> Now if you have the String "ABCD" its randomness will actually vary, depending on
> the range of characters chosen. For the full alphabet an 'A' will have more
> significant bits than in the example above.
>
> IMHO that's the problem: If you don't know the range being used, you cannot guess
> the entropy. Of course you can try to derive the range from the string being seen,
> but that's just a guess.
>
> Likewise, when considering "December" as a password, its true entropy is much
> less once you know that the range of passwords are only month names. (And so on)
>
> >
> > Check this
> > http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html
>
> Yes that's the basics, but you never know how randomly the user picked its
> characters. Obviously this wasn't very random, even though a program might think
> so:
> qwertzuiop
>
> Regards,
> Ulrich
> P.S: Off-topic, isn't it?
>
I am increasingly also beginning to infer, both through discussions here and (internally), that fixing a minimum randomness for a password is not right in open-iscsi. I guess this discussion might just offer some insight into the randomness of a password for a user to set. This can't just be imposed on an implementation verbatim. So, if there were an implementation "Must" and a deployment "Must", this falls under the latter.

I guess the 16 character guideline in the Microsoft initiator is more of a guideline so that users can remember them and not write them on post-its to compromise the secret further ... :)

-Shyam

--
You received this message because you are subscribed to the Google Groups "open-iscsi" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/open-iscsi?hl=en.
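The arithmetic behind Ulrich's figures, as an added example that is not part of the thread and not open-iscsi code: a string of L symbols, each drawn uniformly at random from an alphabet of N symbols, carries L * log2(N) bits, so {A,B,C,D} gives 2 bits per symbol and 20 bits for ten symbols, 16 random letters give about 91.2 bits and 16 random letters-and-digits about 95.3 bits, both just short of the 96 bits in the spec text quoted above. The alphabets (52 letters, 62 letters+digits, 94 printable ASCII), the 16-character limit taken at face value from the thread, and the "guess the alphabet from the string" estimator are this example's own assumptions; the estimator exists only to show why such a guess says nothing about how a user actually chose a string like "qwertzuiop".

```python
import math
import secrets
import string

# Alphabets used in this example (only their sizes matter for the arithmetic).
LETTERS = string.ascii_letters                                         # 52 symbols
LETTERS_DIGITS = string.ascii_letters + string.digits                  # 62 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

REQUIRED_BITS = 96         # "at least 96 bits" from the iSCSI spec text quoted in the thread
MS_INITIATOR_MAX_LEN = 16  # assumption: the Microsoft initiator limit as recalled in the thread


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly at random from `alphabet_size` symbols.

    Each symbol contributes log2(alphabet_size) bits: {A,B,C,D} gives 2 bits
    per symbol, so a ten-symbol string gives 20 bits, as stated in the thread.
    """
    if alphabet_size < 2 or length < 0:
        raise ValueError("alphabet needs at least 2 symbols and length must be >= 0")
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, bits: float) -> int:
    """Smallest number of uniformly random symbols from this alphabet that reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def meets_spec(secret_entropy_bits: float, ipsec: bool = False) -> bool:
    """The quoted rule: at least REQUIRED_BITS in the secret, or IPsec protecting the connection."""
    return ipsec or secret_entropy_bits >= REQUIRED_BITS


def generate_secret(alphabet: str, length: int) -> str:
    """Draw a secret from the OS CSPRNG; only for such a secret is entropy_bits() a true statement."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def inferred_entropy_bits(secret: str) -> float:
    """Naive estimate that guesses the alphabet from the character classes present in the string.

    This is the 'derive the range from the string being seen' guess from the thread:
    at best an upper bound. It rates the keyboard row "qwertzuiop" at
    10 * log2(26) = 47 bits because it cannot see how the string was chosen.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    size = sum(len(c) for c in classes if any(ch in c for ch in secret))
    return entropy_bits(size, len(secret)) if size else 0.0


if __name__ == "__main__":
    for name, alphabet in (("letters", LETTERS), ("letters+digits", LETTERS_DIGITS), ("printable", PRINTABLE)):
        bits = entropy_bits(len(alphabet), MS_INITIATOR_MAX_LEN)
        need = min_length_for_bits(len(alphabet), REQUIRED_BITS)
        print(f"{name:15s} {MS_INITIATOR_MAX_LEN} chars -> {bits:5.1f} bits; "
              f"need {need} chars for {REQUIRED_BITS} bits; spec ok without IPsec: {meets_spec(bits)}")
    print("sample secret:", generate_secret(LETTERS_DIGITS, MS_INITIATOR_MAX_LEN))
    print("naive guess for 'qwertzuiop':", round(inferred_entropy_bits("qwertzuiop"), 1), "bits")
```

Run as a script it shows that within a 16-character limit only the full printable alphabet clears 96 bits (about 104.9 bits; 15 characters already suffice), while letters or letters-and-digits need 17. The inferred estimate is deliberately the weak tool the thread warns about: it can only bound what a uniformly random generator would have produced, never measure what a user typed.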
