[Cryptography] Password rules and salt ... or not
John Denker
jsd at av8n.com
Sun May 21 10:56:05 EDT 2017
Responding first to the Subject line:
*) It seems to me that there are fundamental problems with how
passphrases are used, problems that cannot be solved by the use
of salt, traditional password rules, and/or nontraditional
password rules.
-- Defending the traditional approach by saying "all the kids are
doing it" is not acceptable. I tried that on my mother when I
was five years old and it didn't work.
-- Zero-knowledge passphrase proofs mean that the server never
sees the passphrase at all. Implementations are available:
https://www.ietf.org/rfc/rfc5054.txt
http://srp.stanford.edu/
-- If you need temporary compatibility with an existing passphrase
database, it is trivial to interpose an agent that uses the
passphrase to create a zero-knowledge verifier. This should be
very temporary. It should be the first step on a mandatory
migration path.
(Note that I use the term passphrase to include
one-word passphrases, i.e. passwords.)
On 05/19/2017 10:31 AM, Peter Capek wrote:
> any string is valid as a password, as long as it
> has never been used before
In addition to being impossible to implement, it does not do
the job, not even in principle. There are lots of passphrases
that have never been used before that are nevertheless insecure.
As Snowden put it: Assume your adversary is capable of one
trillion guesses per second.
Let's be clear: The #1 necessary condition is being hard to
guess. That is not the same as being previously unused.
> Aside from the cost of implementing and using a
> database to enforce this rule, ......
Any thought that begins with "Aside from the cost" is not
going to end well.
> It would be best to keep the DB secret, of course,
That's equivalent to saying that it's a security problem.
It's one more thing to go wrong. That's the last thing
we need.
====================
Passphrase construction is as much a human factors issue as
it is a mathematical cryptography issue ... and should be
treated as such.
Being hard to guess is one requirement. Being easy to
remember is another. This creates a dilemma, because
a passphrase that is hard to guess will likely be hard
to remember, especially if it is infrequently used.
This dilemma is exacerbated by the fact that users visit
multiple sites. Re-using the same passphrase is a disaster
waiting to happen, if the sites store things in the
old-fashioned way.
Zero-knowledge passphrase proofs escape this dilemma. You
can safely have one master passphrase. This has several
advantages, including the fact that the passphrase is more
frequently used, and therefore less likely to be forgotten.
This is a situation where the best strategy is to put multiple
eggs in one basket, and then vigorously defend that basket.
Birds have been following this strategy for more than a
hundred million years.
In this forum there have been several long discussions of
how to manage and/or migrate password databases, none of
which make sense to me. I leave it as a question:
Why not just migrate to zero-knowledge password
proofs and be done with it?
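As an added illustration of the two points made above (enrolment through an interposed agent that turns a passphrase into a verifier, and a login in which the server never handles the passphrase), here is SRP-6a as laid out in RFC 5054, written for this note rather than taken from the post or from the Stanford SRP code. It uses the 1024-bit group from the RFC's appendix; the user name and passphrase values are constructed.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # PAD() width in bytes

def pad(x):
    return x.to_bytes(NLEN, "big")

def H(*parts):                            # RFC 5054 specifies SHA-1 here
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))                     # SRP-6a multiplier k = SHA1(N | PAD(g))

def private_x(username, passphrase, salt):
    # x = SHA1(s | SHA1(I | ":" | P)); computed only on the client side.
    inner = hashlib.sha1(f"{username}:{passphrase}".encode()).digest()
    return H(salt, inner)

def make_verifier(username, passphrase):
    # Enrolment (the "interposed agent" step): the server stores only (s, v).
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, passphrase, salt), N)

def srp_login(username, passphrase, salt, v):
    # One SRP-6a exchange. Returns (client_key, server_key); they match only
    # if the client knew the passphrase behind v. The server never sees x.
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    A = pow(g, a, N)                                   # client -> server
    B = (k * v + pow(g, b, N)) % N                     # server -> client
    if A % N == 0 or B % N == 0:                       # mandatory aborts (RFC 5054)
        raise ValueError("degenerate ephemeral value")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u must not be zero")
    x = private_x(username, passphrase, salt)          # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)         # uses only A, v and b
    # TLS-SRP uses S itself as the premaster secret; hashing gives a fixed-size key.
    return hashlib.sha1(pad(S_client)).digest(), hashlib.sha1(pad(S_server)).digest()
```

A leaked (salt, v) pair still lets an offline attacker test guesses against v, so the verifier database must be protected and the passphrase must be hard to guess; what the verifier removes is the need for the server ever to receive or store the passphrase itself.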