[Dovecot] Weird Authentication behaviour
Reindl Harald
h.reindl at thelounge.net
Thu Mar 27 10:37:23 UTC 2014
On 27.03.2014 11:27, Joseph Tam wrote:
>
> Reindl Harald <h.reindl at thelounge.net> writes:
>
>> frankly 8 chars is laughable, i recently wrote a PHP library to
>> generate secure random passwords and for 100000 passwords get
>> 13 collisions is way too much given that that means you have
>> a collision every 8000 tries which means not you need 8000
>> in a real world attack
>
> (Off-topic)
>
> Not that I disagree with the conclusion that 8 character passwords are
> weak by today's standards, but there seems to be something wrong with
> your generator (weak PRNG? limited character set?). 13 collisions in
> 10^5 passwords is terrible, even by 1980 Unix standards
* Intel IvyBridge with rngd
* haveged -w 3072 -v 1
* SURELY a limited character set because mail clients don't handle every char
$internal_random = openssl_random_pseudo_bytes(15) .
microtime() .
serialize($_SERVER) .
serialize($_REQUEST) .
serialize($_ENV) .
uniqid('', true) .
openssl_random_pseudo_bytes(15);
* that is not the problem, it is a lot of highly random crap
* but you can't use that for passwords
* after hash_pbkdf2('sha256', $internal_random, mcrypt_create_iv(16, MCRYPT_DEV_URANDOM), 20, $length)
you are limited to lowercase chars and numbers, so you need to randomly uppercase some chars and randomly
insert acceptable special chars like array('_','#','*','-','&','!','?','.',',','=')
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140327/7d9a08bd/attachment.sig>
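Added example (not the poster's library and not Dovecot code): the hex output of hash_pbkdf2() gives 16 symbols per position, so 8 characters span only 16^8 (about 4.3e9) values and the birthday bound already predicts roughly one colliding pair in 100000 draws. Sampling each position directly from the full allowed alphabet with random_int() (PHP >= 7.0, backed by the kernel CSPRNG) uses all 72 symbols, 72^8 (about 7.2e14) values, and the expected collisions drop to about 7e-6. The alphabet, the all-classes rule and the sample sizes below are assumptions chosen to match the thread.

```php
<?php
// Added example, not the original poster's generator. Passwords are built by
// sampling every character uniformly from the allowed alphabet with the CSPRNG
// (random_int) instead of truncating hex output of hash_pbkdf2(). A birthday
// bound estimate shows why the hex-derived version collides and this one does not.
declare(strict_types=1);

const LOWER   = 'abcdefghijklmnopqrstuvwxyz';
const UPPER   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGITS  = '0123456789';
const SPECIAL = '_#*-&!?.,=';                      // the specials listed in the thread
const ALPHABET = LOWER . UPPER . DIGITS . SPECIAL;  // 72 symbols (assumed alphabet)

function randomPassword(int $length, string $alphabet = ALPHABET): string
{
    $n = strlen($alphabet);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is already unbiased over [0, n-1]; no modulo reduction
        // and no manual rejection loop are needed.
        $out .= $alphabet[random_int(0, $n - 1)];
    }
    return $out;
}

function hasAllClasses(string $pw): bool
{
    return strpbrk($pw, LOWER) !== false
        && strpbrk($pw, UPPER) !== false
        && strpbrk($pw, DIGITS) !== false
        && strpbrk($pw, SPECIAL) !== false;
}

// Regenerate until every class is present instead of "randomly uppercasing"
// a hex string: rejection keeps the remaining candidates uniformly distributed
// within the set of passwords that satisfy the rule.
function randomPasswordWithAllClasses(int $length): string
{
    if ($length < 4) {
        throw new InvalidArgumentException('need at least one char per class');
    }
    do {
        $pw = randomPassword($length);
    } while (!hasAllClasses($pw));
    return $pw;
}

// Birthday bound: expected number of colliding pairs among $draws strings
// drawn uniformly from $alphabetSize ** $length values.
function expectedCollisions(int $draws, int $alphabetSize, int $length): float
{
    $space = $alphabetSize ** $length;          // fits in 64-bit for 72^8
    return $draws * ($draws - 1) / (2 * $space);
}

// Count duplicate strings in an actual sample to compare with the estimate.
function countDuplicates(int $draws, int $length, string $alphabet): int
{
    $seen = [];
    $dups = 0;
    for ($i = 0; $i < $draws; $i++) {
        $pw = randomPassword($length, $alphabet);
        if (isset($seen[$pw])) {
            $dups++;
        }
        $seen[$pw] = true;
    }
    return $dups;
}

printf("sample: %s\n", randomPasswordWithAllClasses(12));
// 8 truncated hex chars (16 symbols): roughly 1.2 expected colliding pairs in 1e5 draws.
printf("8 hex chars, 1e5 draws: %.2f expected collisions\n",
    expectedCollisions(100000, 16, 8));
// 8 chars from the 72-symbol alphabet: roughly 7e-6 expected pairs, i.e. none in practice.
printf("8 chars from %d symbols, 1e5 draws: %.1e expected collisions\n",
    strlen(ALPHABET), expectedCollisions(100000, 72, 8));
// Empirical check of the hex case; the count should be close to the estimate above.
printf("observed duplicates, 1e5 draws of 8 hex chars: %d\n",
    countDuplicates(100000, 8, DIGITS . 'abcdef'));
```

The run of countDuplicates() over the hex alphabet is the experiment the thread describes (1e5 draws of 8 characters) and lands near the 1.2 predicted pairs; it does not explain the reported 13 by itself, which points at something else in the original pipeline, but it shows that the 16-symbol output space alone is enough to make 8-character hex passwords collide measurably.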