[Cryptography] Password rules and salt ... or not

John Denker jsd at av8n.com
Sun May 21 10:56:05 EDT 2017


Responding first to the Subject line:
 *) It seems to me that there are fundamental problems with how
  passphrases are used, problems that cannot be solved by the use
  of salt, traditional password rules, and/or nontraditional
  password rules.
  -- Defending the traditional approach by saying "all the kids are
   doing it" is not acceptable.  I tried that on my mother when I
   was five years old and it didn't work.
  -- Zero-knowledge passphrase proofs mean that the server never
   sees the passphrase at all.  Implementations are available:
       https://www.ietf.org/rfc/rfc5054.txt
       http://srp.stanford.edu/
  -- If you need temporary compatibility with an existing passphrase
   database, it is trivial to interpose an agent that uses the
   passphrase to create a zero-knowledge verifier.  This should be
   very temporary.  It should be the first step on a mandatory
   migration path.

	(Note that I use the term passphrase to include
	one-word passphrases, i.e. passwords.)

On 05/19/2017 10:31 AM, Peter Capek wrote:

> any string is valid as a password, as long as it
> has never been used before

In addition to being impossible to implement, it does not do
the job, not even in principle.  There are lots of passphrases
that have never been used before that are nevertheless insecure.
As Snowden put it:  Assume your adversary is capable of one
trillion guesses per second.

Let's be clear:  The #1 necessary condition is being hard to
guess.  That is not the same as being previously unused.

> Aside from the cost of implementing and using a
> database to enforce this rule, ......

Any thought that begins with "Aside from the cost" is not
going to end well.

> It would be best to keep the DB secret, of course,

That's equivalent to saying that it's a security problem.
It's one more thing to go wrong.  That's the last thing
we need.

====================

Passphrase construction is as much a human factors issue as
it is a mathematical cryptography issue ... and should be
treated as such.

Being hard to guess is one requirement.  Being easy to
remember is another.  This creates a dilemma, because
a passphrase that is hard to guess will likely be hard
to remember, especially if it is infrequently used.

This dilemma is exacerbated by the fact that users visit
multiple sites.  Re-using the same passphrase is a disaster
waiting to happen, if the sites store things in the
old-fashioned way.

Zero-knowledge passphrase proofs escape this dilemma.  You
can safely have one master passphrase.  This has several
advantages, including the fact that the passphrase is more
frequently used, and therefore less likely to be forgotten.
This is a situation where the best strategy is to put multiple
eggs in one basket, and then vigorously defend that basket.
Birds have been following this strategy for more than a
hundred million years.

In this forum there have been several long discussions of
how to manage and/or migrate password databases, none of
which make sense to me.  I leave it as a question:

  Why not just migrate to zero-knowledge password
  proofs and be done with it?
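As an added illustration (not part of Denker's post, nor code from the RFC 5054 or Stanford SRP projects it links), the following Python sketches the SRP-6a exchange that RFC 5054 standardises, together with the verifier-creation step an interposed migration agent would perform. Assumptions made here: SHA-256 is used where RFC 5054 specifies SHA-1, the key-confirmation messages M1/M2 are a simplified transcript hash rather than the RFC's TLS Finished messages, the class and function names are invented for the example, and the group is the 1024-bit MODP prime of RFC 2409 (group 2) rebuilt from its published formula, whereas a real deployment would use the groups RFC 5054 itself publishes (2048 bits or larger).

```python
import hashlib
import secrets

# Group (assumption for this demo): the 1024-bit MODP prime of RFC 2409, group 2,
# N = 2^1024 - 2^960 - 1 + 2^64 * (floor(2^894 * pi) + 129093), g = 2.  N is a safe
# prime, so q = (N - 1) / 2 is prime and g generates the order-q subgroup.
def _pi_scaled(digits):
    """floor(pi * 10**digits) by Machin's formula, integer arithmetic only."""
    scale = 10 ** (digits + 10)                       # ten guard digits
    def arctan_inv(x):                                # arctan(1/x) * scale
        total, term, n, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // n)
            term, n, sign = term // (x * x), n + 2, -sign
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) // 10 ** 10

N = (1 << 1024) - (1 << 960) - 1 + (1 << 64) * ((_pi_scaled(320) << 894) // 10 ** 320 + 129093)
g = 2
NLEN = (N.bit_length() + 7) // 8

def _pad(x):                                          # fixed-width big-endian encoding
    return x.to_bytes(NLEN, "big")

def _H(*parts):                                       # hash-to-integer helper
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def _x(username, passphrase, salt):                   # x = H(s | H(I ":" P)), as in RFC 5054
    return _H(salt, hashlib.sha256(f"{username}:{passphrase}".encode()).digest())

k = _H(_pad(N), _pad(g))                              # SRP-6a multiplier k = H(N | PAD(g))

def enroll(username, passphrase, salt=None):
    """Client side (or the migration agent the post describes): derive the verifier.
    Only (salt, verifier) go to the server; the passphrase itself never does."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, _x(username, passphrase, salt), N)

class Server:
    """Stores (salt, verifier) per user; handles one login session at a time, for brevity."""
    def __init__(self):
        self.db = {}
    def register(self, username, salt, verifier):
        self.db[username] = (salt, verifier)
    def start(self, username):
        salt, self._v = self.db[username]
        self._b = secrets.randbelow(N - 1) + 1        # ephemeral private value in [1, N-1]
        self._B = (k * self._v + pow(g, self._b, N)) % N
        return salt, self._B
    def finish(self, A, M1):
        if A % N == 0:
            raise ValueError("illegal client value A")
        u = _H(_pad(A), _pad(self._B))
        S = pow(A * pow(self._v, u, N), self._b, N)  # = g^(b(a+ux)); needs only v, never x
        K = hashlib.sha256(_pad(S)).digest()
        if not secrets.compare_digest(hashlib.sha256(_pad(A) + _pad(self._B) + K).digest(), M1):
            raise ValueError("client proof failed")
        return hashlib.sha256(_pad(A) + M1 + K).digest()  # M2: proves the server holds v

class Client:
    def __init__(self, username, passphrase):
        self.username, self.passphrase = username, passphrase
    def start(self):
        self._a = secrets.randbelow(N - 1) + 1
        self._A = pow(g, self._a, N)
        return self._A
    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("illegal server value B")
        u = _H(_pad(self._A), _pad(B))
        x = _x(self.username, self.passphrase, salt)
        S = pow((B - k * pow(g, x, N)) % N, self._a + u * x, N)  # the same g^(b(a+ux))
        self._K = hashlib.sha256(_pad(S)).digest()
        self._M1 = hashlib.sha256(_pad(self._A) + _pad(B) + self._K).digest()
        return self._M1
    def verify_server(self, M2):
        if not secrets.compare_digest(hashlib.sha256(_pad(self._A) + self._M1 + self._K).digest(), M2):
            raise ValueError("server proof failed")

def authenticate(server, username, passphrase):
    """Run the whole exchange; True only when both proofs verify."""
    client = Client(username, passphrase)
    try:
        A = client.start()
        salt, B = server.start(username)
        client.verify_server(server.finish(A, client.respond(salt, B)))
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    srv = Server()
    srv.register("alice", *enroll("alice", "correct horse battery staple"))
    print(authenticate(srv, "alice", "correct horse battery staple"))   # True
    print(authenticate(srv, "alice", "correct horse battery stapler"))  # False
```

The migration path in the post maps onto `enroll`: the interposed agent calls it once with the passphrase the legacy login just accepted, stores the resulting `(salt, verifier)` pair, and the legacy hash can then be discarded. Two caveats worth keeping in view: the server must still reject `A` or `B` that are 0 mod N (the checks above) or the shared secret becomes predictable, and a stolen verifier database still permits offline guessing of weak passphrases, which is why the post's "hard to guess" requirement is not made redundant by the protocol.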