GROKLAW
More recommendations for sites | 248 comments
More recommendations for sites
Authored by: DannyB on Wednesday, August 22 2012 @ 03:25 PM EDT
If you are hashing passwords, then there does not need to be any maximum
length.

If you do the hashing on the browser, then the unencrypted password does not
even need to cross the wire -- even when entering your password for the first
time.


---
The price of freedom is eternal litigation.


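An added example (not DannyB's code or anything from the page) of the server-side hashing the post refers to, using PBKDF2-HMAC-SHA256 from the Python standard library. It shows why no maximum length is needed: the stored record has the same size whether the password is four characters or four thousand, and verification recomputes the digest from the stored salt and cost. The iteration count and salt size are assumptions chosen for the example. One caveat the post does not mention: the "no maximum" property depends on the KDF; bcrypt, for instance, only uses the first 72 bytes of the input.

```python
import hashlib
import hmac
import os

# Cost parameters chosen for this example (assumptions); a deployment tunes
# the iteration count to its own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salt and stretch `password`, returning a self-describing record of the
    form algo$iterations$salt_hex$digest_hex. PBKDF2-HMAC accepts input of any
    length, so nothing in this function limits how long the password may be."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and cost stored in `record` and
    compare in constant time. Returns False for a malformed or foreign record
    instead of raising, so a corrupt row cannot turn into an exception path."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_length(password: str, iterations: int = PBKDF2_ITERATIONS) -> int:
    """Size of the stored record; identical for a short and a very long password."""
    return len(hash_password(password, iterations))


if __name__ == "__main__":
    # Constructed inputs: a short password and a 4,000-character passphrase.
    for pw in ("abcd", "x" * 4000):
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "byte record, verifies:", verify_password(pw, rec))
```

The random salt means two records for the same password differ, so a leaked table cannot be attacked with one precomputed dictionary for every user.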
More recommendations for sites
Authored by: micheas on Wednesday, August 22 2012 @ 09:38 PM EDT

There are strong and weak areas of common password hashing functions.

The weak area of most hashing functions is the non-alphanumeric part.

If you are using a hash, you don't need to know the person's password, just any password that generates the correct hash.

This means that passwords longer than the hash probably have a shorter password that also works (although it is possible that there are hash values that are only generated by a series of passwords that are all longer than the hash).

61MXff1m
sjdTQrXh
JW67egeB
doGnb7rP
TStn3xD3
IBqwMpR8
CY6ofzD6
PzqTt3zz
RQFJN45K
07gtTCC0
xvJ2oHBt
Y7AnPf5g
CCdaC3an
9edub6o5
nezycjfD
bVhGVDAF

Is a reasonable list of passwords, but it is completely unusable by people. If you put all your passwords in a list and they have less entropy than that list you have a serious issue with your password security. By the way, that list is not an ideally generated list as the seed was only regenerated three times per password on that list, which should give you a clue about how hard it is to generate strong passwords.

I have cracked more than my share of passwords (thousands, not millions) and can tell you that the basics will get you through about half the time, and that the use of one non-alphanumeric character is built into most good password crackers as a second pass on the dictionary. Also, enough phishing attacks have succeeded in producing huge lists of passwords that meet all the criteria for a "strong password" that !1oveMom is actually in more than one password dictionary I have.

The number of non-alphanumeric characters that people are actually going to choose probably has less entropy than the list of passwords I posted, as people tend to be fairly predictable creatures that are heavily influenced by their surroundings. This makes most password suggestions designed to increase entropy actually decrease it. For example, forcing a numeric character in an eight-character password reduces the search space by 53 trillion, assuming that you only allow alphanumeric characters. The reduction in search space is greater if non-alphanumeric characters are allowed. For reference, the standard US keyboard generates 52 alphabetic characters (a-z and A-Z), 32 non-alphanumeric characters (`~!@#$%^&*()_+{}|[];':",./? ), and 10 numeric characters (0-9). This means that password complexity rules that thwart older dictionary attacks are still vulnerable to new dictionary attacks, and reduce the effort required to brute force a random password, sometimes by greater than 50% if the rules are poorly chosen.

The moral is that one-time passwords and public/private key authentication are really the only viable large-scale human-involved authentication systems.


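An added example (not micheas's code) that carries the post's search-space arithmetic through in general form. It counts, by inclusion-exclusion, how many passwords of a given length satisfy a composition rule ("at least one digit", "one of every class") and so how large a share of the unconstrained keyspace the rule discards; it reproduces the 53 trillion figure for an eight-character alphanumeric password with a forced digit, and shows that requiring all four classes on a 94-character keyboard discards more than half of the eight-character keyspace. The class sizes follow the post (26 + 26 + 10 + 32); the use of `string.punctuation` for the 32 symbols is an assumption. A generator drawing from the OS CSPRNG, one uniform draw per character, is included as the properly seeded counterpart to the posted list.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes of a US keyboard, sized as in the post.
# string.punctuation is 32 characters (assumption: the post's symbol set).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALNUM = ("lower", "upper", "digit")
ALL = ("lower", "upper", "digit", "symbol")


def keyspace_size(length: int, allowed=ALNUM, required=()) -> int:
    """Number of strings of `length` characters drawn from the `allowed`
    classes that contain at least one character from every class in
    `required`. Inclusion-exclusion: subtract the strings missing each
    required class, add back those missing two at once, and so on."""
    if not set(required) <= set(allowed):
        raise ValueError("required classes must be a subset of allowed classes")
    alphabet = sum(len(CLASSES[c]) for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(len(CLASSES[c]) for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(count: int) -> float:
    """Bits of entropy of a uniform choice among `count` candidates."""
    return math.log2(count) if count > 0 else float("-inf")


def reduction_fraction(length: int, allowed, required) -> float:
    """Share of the unconstrained search space that a composition rule
    throws away: what an attacker no longer has to try."""
    full = keyspace_size(length, allowed, ())
    return 1 - keyspace_size(length, allowed, required) / full


def random_password(length: int = 8, allowed=ALNUM) -> str:
    """Uniform random password, one CSPRNG draw per character."""
    alphabet = "".join(CLASSES[c] for c in allowed)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    full = keyspace_size(8)
    digit = keyspace_size(8, ALNUM, ("digit",))
    print("8-char alphanumeric:", full, f"({entropy_bits(full):.2f} bits)")
    print("with a forced digit:", digit, "removed:", full - digit)
    print("all four classes forced, 94-char keyboard, removed fraction:",
          f"{reduction_fraction(8, ALL, ALL):.3f}")
    print("sample:", random_password())
```

`keyspace_size(1, ALNUM, ("digit", "lower"))` correctly returns 0: a one-character password cannot contain both a digit and a lowercase letter, and the alternating sum (62 - 52 - 36 + 26) accounts for that.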
More recommendations for sites
Authored by: mpellatt on Thursday, August 23 2012 @ 01:10 AM EDT
I'd put money on the ones that don't allow special characters
also being open to SQL injection attacks. Or otherwise not
properly escaping special characters somewhere in their code.


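An added example (not mpellatt's code, and not taken from any site the thread discusses) of the failure mpellatt is betting on: a login lookup that pastes the username into the SQL text, beside the parameterized version. The vulnerable query cannot even process a legitimate username containing an apostrophe, and a crafted username makes it return an attacker-supplied salt and hash via UNION, so the attacker's own password verifies for an account that does not exist. The parameterized query treats both inputs as data. The users, passwords, fixed salts and the low PBKDF2 iteration count are constructed for the example; real code uses random salts and a much higher cost.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample accounts for the example; not real credentials.
USERS = {"o'brien": "Pa$$ w0rd with 'quotes'", "alice": "correct horse"}
ITERATIONS = 10_000  # deliberately low so the example runs quickly


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for i, (name, pw) in enumerate(USERS.items()):
        salt = bytes([i + 1]) * 16  # fixed so the example is deterministic; use os.urandom in real code
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _kdf(pw, salt)))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is spliced into the statement text: a quote in it changes the query.
    row = conn.execute(
        f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"
    ).fetchone()
    return row is not None and hmac.compare_digest(_kdf(password, row[0]), row[1])


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholder binding: the driver passes the username as a value, never as SQL.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and hmac.compare_digest(_kdf(password, row[0]), row[1])


def forged_username(password: str) -> str:
    """Attacker-chosen 'username' for the vulnerable query: the UNION makes it
    return the attacker's own salt and hash, so `password` verifies for a
    user that is not in the table."""
    salt = b"\x00" * 16
    digest = _kdf(password, salt)
    return f"nobody' UNION SELECT X'{salt.hex()}', X'{digest.hex()}' -- "


def vulnerable_chokes_on(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True when the vulnerable login cannot even evaluate this username."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe, real user with apostrophe:", login_safe(db, "o'brien", USERS["o'brien"]))
    print("vulnerable, same user raises:", vulnerable_chokes_on(db, "o'brien", USERS["o'brien"]))
    print("vulnerable, forged user:", login_vulnerable(db, forged_username("x"), "x"))
    print("safe, forged user:", login_safe(db, forged_username("x"), "x"))
```

Banning quotes from passwords or usernames does not fix the vulnerable version; only binding parameters (or, failing that, correct escaping everywhere the value meets SQL) does.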
Groklaw © Copyright 2003-2013 Pamela Jones.
PJ's articles are licensed under a Creative Commons License. ( Details )