W3C home > Mailing lists > Public > public-identity@w3.org > June 2011

Re: [http-auth] [saag] [websec] Fwd: re-call for IETF http-auth BoF

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 23 Jun 2011 11:52:40 +0900
Message-ID: <BANLkTikXDfnT1Fr=1j1Y6YMjqx7w7UBeXQ@mail.gmail.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Cc: "gogwim@unijos.edu.ng" <gogwim@unijos.edu.ng>, "http-auth@ietf.org" <http-auth@ietf.org>, "public-identity@w3.org" <public-identity@w3.org>, "websec@ietf.org" <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
2011/6/23 Henry B. Hotz <hotz@jpl.nasa.gov>:
> I can agree in principle, but in practice the definition of "weak" is too fuzzy.
>
> On Jun 22, 2011, at 10:21 AM, GOGWIM, JOEL GODWIN wrote:
>
>> Supported.
>> Weak and predictable passwords should be avoided.

2011/6/23 Nico Williams <nico@cryptonector.com>:
> Also, all passwords that users must remember should be considered weak.

This is a terminology issue, and I present here *my* use of
such terminologies in general.

= strong secret and weak secret =

"strong" secrets are the secret data which has an entropy
comparable to other security parameters (e.g. encryption key length etc.)
They typically include public-key-cryptography secret keys,
DH-key-exchanged shared keys,
randomly-generated nonce-like bearer tokens and others.

"weak" secrets are the secret data which has not enough
entropy compared to encryption etc.
PINs, Passwords and passphrases are typical examples.
They should not be used for encryptions without some
security-amplifications (e.g. password-authenticated key exchanges.)

In this meaning, all memorable passwords are weak.

= strong passwords/passphrases and weak passwords =

I use the term "weak passwords" almost equivalent to
predictable passwords or brute-force searchable passwords.
The required strength may depend on the context,
e.g. whether the passwords search can be off-line, or
whether a pre-computed dictionary of hashed passwords can be
useful, etc. but many people will agree that "1" and "1234" are
weak, and "cA6mqUPgBpe6pQf7" is strong as a password.

I prefer using "predictable" and "unpredictable" for this meanings.
Received on Thursday, 23 June 2011 02:53:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 23 June 2011 02:53:09 GMT