> -----Original Message-----
> From: open-iscsi@googlegroups.com [mailto:open-is...@googlegroups.com]
> On Behalf Of Ulrich Windl
> Sent: Friday, December 18, 2009 3:24 PM
> To: open-iscsi@googlegroups.com
> Subject: RE: minimum password length check
> 
> On 18 Dec 2009 at 1:13, shyam_i...@dell.com wrote:
> 
> >
> >
> > > -----Original Message-----
> > > From: open-iscsi@googlegroups.com [mailto:open-is...@googlegroups.com]
> > > On Behalf Of Ulrich Windl
> > > Sent: Wednesday, December 16, 2009 1:08 PM
> > > To: open-iscsi@googlegroups.com
> > > Subject: Re: minimum password length check
> > >
> > > On 15 Dec 2009 at 22:47, shyam_i...@dell.com wrote:
> > >
> > > > From the spec:
> > > > "
> > > >    CHAP secrets MUST be an integral number of bytes (octets). A
> > > >    compliant implementation SHOULD NOT continue with the login step in
> > > >    which it should send a CHAP response (CHAP_R, Section 11.1.4
> > > >    Challenge Handshake Authentication Protocol (CHAP)) unless it can
> > > >    verify that the CHAP secret is at least 96 bits, or that IPsec
> > > >    encryption is being used to protect the connection.
> > > > "
> > >
> > > You picked up an "interesting" issue: The Microsoft Initiator limits
> > > the length of the secret to 16 characters (AFAIR). I wrote a little
> > > program that generates random secrets and estimated the entropy (i.e.
> > > number of bits):
> > >
> > > With 16 random letters, you are at about 92 bits (e.g. mMPuhxfKAYuIFTjZ)
> > > With 16 random letters with digits you are at about 95 bits (e.g.
> > > b3v4B8mRoiFWjpF9)
> > >
> >
> > What algorithm are you using to arrive at this ...
> >
> > Googling (and some of my information theory lit..) almost always hints
> > me to Shannon's theorem to find the randomness of a character string ...
> 
> As pointed out before, this is the randomness of a string the program
> creates itself. So if you only use the set {A,B,C,D} that's two bits per
> randomly chosen element. Then a ten-character string will have 10*2=20
> bits of entropy. More complex scenarios are similar.
> 
> Now if you have the String "ABCD" its randomness will actually vary,
> depending on the range of characters chosen. For the full alphabet an 'A'
> will have more significant bits than in the example above.
> 
> IMHO that's the problem: If you don't know the range being used, you
> cannot guess the entropy. Of course you can try to derive the range from
> the string being seen, but that's just a guess.
> 
> Likewise, when considering "December" as a password, its true entropy
> is much less once you know that the range of passwords are only month
> names. (And so on)
> 
> >
> > Check this
> > http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html
> 
> Yes that's the basics, but you never know how randomly the user picked
> its characters. Obviously this wasn't very random, even though a program
> might think so:
> qwertzuiop
> 
> Regards,
> Ulrich
> P.S: Off-topic, isn't it?
> 

I am increasingly beginning to infer, both through discussions here
and (internally), that fixing a minimum randomness for a password is not
right in the open-iscsi

I guess this discussion might just offer some insight into the
randomness of a password for a user to set.

This can't just be imposed on an implementation verbatim.

So, if there were an implementation "Must" and a deployment "Must", this
falls under the latter.

I guess the 16 character guideline in the Microsoft initiator is more of
a guideline so that users can remember them and not write them in
post-its to compromise the secret further ... :)

-Shyam
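The entropy arithmetic Ulrich describes above (bits per character = log2 of the alphabet size, times the length), checked against the 96-bit CHAP secret floor quoted from the spec, as an added example that is not code from the thread or from open-iscsi. The character classes and the alphabet-inference heuristic are assumptions of the example; as the thread notes, inferring the range from the string is only a guess and says nothing about a human-chosen secret.

```python
import math
import secrets
import string

# Candidate generator ranges (assumed for this example, not from the thread).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
LETTERS = string.ascii_letters            # 52 symbols
ALNUM = string.ascii_letters + string.digits   # 62 symbols
RFC3720_MIN_BITS = 96                     # CHAP secret floor quoted in the thread


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(|alphabet|).

    Valid only for a generator that picks each character independently and
    uniformly from `alphabet`; a human-chosen string like qwertzuiop is not that.
    """
    symbols = len(set(alphabet))
    if length < 0 or symbols < 2:
        raise ValueError("need a non-negative length and at least two distinct symbols")
    return length * math.log2(symbols)


def min_length_for_bits(target_bits: float, alphabet: str) -> int:
    """Smallest length at which a uniformly random string reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def infer_alphabet(secret: str) -> str:
    """Guess the generator's range from the character classes present (a heuristic)."""
    ranges = [LOWER, UPPER, DIGITS, string.punctuation]
    return "".join(r for r in ranges if any(c in r for c in secret))


def meets_rfc3720_minimum(secret: str, alphabet: str = "") -> bool:
    """Check a secret against the 96-bit floor using the stated or inferred range."""
    alphabet = alphabet or infer_alphabet(secret)
    return entropy_bits(len(secret), alphabet) >= RFC3720_MIN_BITS


def generate_secret(alphabet: str = ALNUM, target_bits: float = RFC3720_MIN_BITS) -> str:
    """Draw a secret from the OS CSPRNG, just long enough to meet target_bits."""
    length = min_length_for_bits(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for example in ("mMPuhxfKAYuIFTjZ", "b3v4B8mRoiFWjpF9", "qwertzuiop"):
        rng = infer_alphabet(example)
        print(f"{example}: {entropy_bits(len(example), rng):.1f} bits over {len(rng)} symbols")
    print("17 alphanumerics needed for 96 bits:", min_length_for_bits(96, ALNUM))
```

Both 16-character samples from the thread land just under the 96-bit floor (about 91.2 and 95.3 bits), so an initiator that caps secrets at 16 characters cannot satisfy the spec without IPsec; 17 alphanumerics are the shortest random secret that does.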
