Mastodon & Fediverse (!srIyAgJwIuSmJbmSzd:pixie.town)

Room topic: joinmastodon.org | fediverse.party | joinpeertube.org | Code of Conduct: +matrixunited:pixie.town

25 Feb 2021
22:10:45  Seirdy (@seirdy:envs.net): the main point was that if your threat model can compute 700 bits of complexity then your threat model is incorrect and you should feel bad (edited 22:10:54)
22:11:20  bkil (@bkil:matrix.org): Putting that aside, if I was recommending people to use secure passwords, I could simply point them to generating 384 bit ones and just base32 encode it or such.
22:11:52  bkil (@bkil:matrix.org): But if you want them to really type them in, you need to be clever. If you can't come up with a reasonable recommendation for laypeople, they will make really bad choices on their own.
22:11:56  Seirdy (@seirdy:envs.net): i would have them generate 256 bit ones since it's unlikely that they're using anything stronger than aes-256
22:12:31  bkil (@bkil:matrix.org): Sure, but the cost on client side is still the same, so it doesn't matter much.
22:12:54  bkil (@bkil:matrix.org): However, certain sites have an upper bound on character length or some idiotic policy on password complexity
22:13:00  bkil (@bkil:matrix.org): Now that's really overdoing it.
22:13:45  Seirdy (@seirdy:envs.net): and yeah having something estimate entropy client-side would be ideal. it shouldn't require any length/chars if the entropy is good
22:14:10  bkil (@bkil:matrix.org): I really miss a better, international version of zxcvbn, so we could enable it for all of our self-hosted services as a condition on registration, along with a few minutes of server side cracking.
22:15:15  bkil (@bkil:matrix.org): I was looking real hard some months ago and was really disappointed that we don't really have any well established solution for this (other than hard coding regexps in JS, which is again childish)
22:15:22  Seirdy (@seirdy:envs.net): i also made https://sr.ht/~seirdy/MOAC/ if you're interested. working on a GUI rn
22:16:13  Seirdy (@seirdy:envs.net): it can also generate passwords
22:18:08  bkil (@bkil:matrix.org): I think I would set a global minimal entropy limit on registration and have multiple tiers based on the privileges that account has and whether 2FA is being used.
22:18:49  bkil (@bkil:matrix.org): Also, have you inspected a password database in the past yourself?
22:19:07  Seirdy (@seirdy:envs.net), in reply to @seirdy:envs.net "it can also generate passwords": should be ready for 0.1.0 when i write the manpage and input validation. it's mostly an educational tool to build an understanding of password strength
22:19:25  bkil (@bkil:matrix.org): I went through a local one in the past and the ones people use over here contain lots of logical patterns, but they are distinct from the ones in the US.
22:19:42  bkil (@bkil:matrix.org): Haven't piped them through any estimator so far, though.
22:19:45  Seirdy (@seirdy:envs.net), in reply to @bkil:matrix.org "Also, have you inspected a password database in the past yourself?": i've browsed zxcvbn's data and haveibeenpwned
22:20:58  Seirdy (@seirdy:envs.net): nothing shocking, just depressing
22:32:10  bkil (@bkil:matrix.org): I think password cracking and password strength estimation should be developed hand in hand. It would be worthwhile to host a competition where under a given size limit (like 1MB software size) the aim is to determine an enumeration according to which a set of tested passwords could be guessed in the fewest attempts. The ranking and perturbation algorithms used there should be the best password checkers.
22:34:48  bkil (@bkil:matrix.org): As in, in another round, the independent goal of the same software codebase & database is to provide a much lower time complexity estimate of the password rank without enumeration, and the winner would be the algorithm that produces estimates that are closest to the median enumeration number/rank of the given password in the other competition. (edited 22:35:18)
22:52:24  gardvik (@gardvik:matrix.org) joined the room.
22:53:12  bkil (@bkil:matrix.org): Some nice readings on various designs and issues, and descriptions of how the open source zxcvbn and KeePass work:
          • https://madiba.encs.concordia.ca/~x_decarn/papers/password-meters-ndss2014.pdf
          • http://users.encs.concordia.ca/~mmannan/publications/password-meters-tissec.pdf
23:13:07  zephryn (@zephryn:owlsne.st), in reply to @seirdy:envs.net "bkil: yeah i use fedi, irc, and matrix. i think that centralized platforms are fine if they're small and you're not heavily invested in them. like small forums (i use lobste.rs, gurlic.com, and tildes.net for instance).": i can kind of agree that small-term centralization isn't the worst, e.g. small niche forums and the likes
23:14:15  zephryn (@zephryn:owlsne.st): it's when a platform tries to encapsulate multiple communities where it starts to really show its problems
23:15:36  Seirdy (@seirdy:envs.net): yeah small forums, multiplayer game servers, etc. should be fine.
23:18:02  zephryn (@zephryn:owlsne.st): self-hosted git seems alright too, really wish more people/projects did it tbh
23:21:00  zephryn (@zephryn:owlsne.st): also regarding your blog post, i do hope that matrix clients can start catching up a bit if the spec changes slow down