Jump to content
Not connected, Your IP: 18.216.104.106
AirVPN
Kepler_452b

Encrypted Com Services Should Confirm Password Strength To Both Parties

By Kepler_452b, ... in Off-Topic

Recommended Posts

Kepler_452b    77

Kepler_452b
Posted ...

Encrypted Com Services Should Confirm Password Strength To Both Parties. Services like Protonmail, Tutanota, Wire, etc should confirm the password strength of communication partners to each other. After all, the security of your communication to someone is only as good as their password if their device is compromised or intercepted. This also might encourage people to use strong passwords.

Share this post

Link to post

zhang888    1066

zhang888
Posted ...

How exactly should those (or any other self-respecting service, for that matter) know that your or your partners password is not strong?

All of them store the passwords in a salted hash form, with key stretching known as PBKDF2, which iterates the plaintext thousands of times

in order to deliberately consume more computing power for the final hash. which makes them hard or practically impossible to brute/rainbow

even if the DB is compromised.

 

The only time the service knows your plaintext password is during signup, and even then not necessary - good privacy aware services do

the initial hashing on the client side using JS, so since the first registration the service never knows your plaintext password, and it should better

be this way.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

Kepler_452b    77

Kepler_452b
Posted ...

I totally agree that the service should NOT know your password. But at the time of signup a measure of quality of password is often generated which could be kept and shared without knowing the password. Likewise if a password is changed.

Share this post

Link to post

zhang888    1066

zhang888
Posted ...

If you are talking about that little JS function that gives you a score based on lower/uppercase characters, length and numbers it was proven to have

very little practical security. Do you agree that the password "iamzhang" is much better than "P@ssw0rd"? Same idea goes there.

And all password validators will prefer the second option as the strongest password ever

LZ1 reacted to this

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

Kepler_452b    77

Kepler_452b
Posted ...

That little JS function is merely a simple example. "P@ssw0rd" or "iamzhang" could probably be cracked in a few flops. But It shouldn't be hard for smart coders to put together an effective measure of password strength based on measured entropy.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Go To Topic Listing
×
×
  • Create New...