- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Thu, 23 Jun 2011 11:52:40 +0900
- To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Cc: "gogwim@unijos.edu.ng" <gogwim@unijos.edu.ng>, "http-auth@ietf.org" <http-auth@ietf.org>, "public-identity@w3.org" <public-identity@w3.org>, "websec@ietf.org" <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
2011/6/23 Henry B. Hotz <hotz@jpl.nasa.gov>:
> I can agree in principle, but in practice the definition of "weak" is too fuzzy.
>
> On Jun 22, 2011, at 10:21 AM, GOGWIM, JOEL GODWIN wrote:
>
>> Supported.
>> Weak and predictable passwords should be avoided.

2011/6/23 Nico Williams <nico@cryptonector.com>:
> Also, all passwords that users must remember should be considered weak.

This is a terminology issue, and I present here *my* use of such terminologies in general.

= strong secret and weak secret =

"strong" secrets are secret data which have an entropy comparable to other security parameters (e.g. encryption key length etc.). They typically include public-key-cryptography secret keys, DH-key-exchanged shared keys, randomly-generated nonce-like bearer tokens and others.

"weak" secrets are secret data which do not have enough entropy compared to encryption keys etc. PINs, passwords and passphrases are typical examples. They should not be used for encryption without some security amplification (e.g. password-authenticated key exchange). In this meaning, all memorable passwords are weak.

= strong passwords/passphrases and weak passwords =

I use the term "weak passwords" almost equivalently to predictable passwords or brute-force-searchable passwords. The required strength may depend on the context, e.g. whether the password search can be off-line, or whether a pre-computed dictionary of hashed passwords can be useful, etc., but many people will agree that "1" and "1234" are weak, and "cA6mqUPgBpe6pQf7" is strong as a password. I prefer using "predictable" and "unpredictable" for these meanings.
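The two senses of "strong" and "weak" in the mail above can be made concrete by estimating the brute-force search space of a password and comparing it, first, against an encryption key length (the "strong secret" sense) and, second, against the guessing budget of an online or offline attacker (the "predictable password" sense). The following is an added example written for this archive page, not code from the mail or from any of the lists it was sent to; the 128-bit reference key, the 2^20 and 2^60 guess budgets, the `COMMON_PASSWORDS` set and all function names are constructed assumptions.

```python
import math
import string

# Reference security parameter to compare against (constructed assumption):
# a 128-bit symmetric encryption key.
KEY_BITS = 128

# Constructed guess budgets for the two attack contexts the mail mentions
# (assumed values, not from the mail): a rate-limited online guesser gets
# roughly 2**20 attempts; an offline search of password hashes gets ~2**60.
ONLINE_BUDGET_BITS = 20
OFFLINE_BUDGET_BITS = 60

# Constructed stand-in for a pre-computed dictionary of hashed passwords.
COMMON_PASSWORDS = {"1", "1234", "123456", "password", "qwerty"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character alphabet that covers pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in pw):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in pw):
        size += len(string.digits)
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    # Any other characters (spaces, non-ASCII) count individually.
    size += len(set(pw) - set(string.ascii_letters + string.digits + string.punctuation))
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space, i.e. an upper bound on the
    entropy of pw (reached only if pw was chosen uniformly at random)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def random_key_bits(nbytes: int) -> float:
    """Entropy of a key drawn uniformly at random, e.g. os.urandom(nbytes)."""
    return 8.0 * nbytes


def is_strong_secret(bits: float, key_bits: int = KEY_BITS) -> bool:
    """First sense in the mail: 'strong' means entropy comparable to the
    other security parameters, here the encryption key length."""
    return bits >= key_bits


def classify_password(pw: str, offline: bool) -> str:
    """Second sense in the mail: 'weak' means predictable or brute-force
    searchable, which depends on whether the attacker can search offline
    or has a pre-computed dictionary."""
    if pw in COMMON_PASSWORDS:
        return "predictable"
    budget = OFFLINE_BUDGET_BITS if offline else ONLINE_BUDGET_BITS
    return "predictable" if search_space_bits(pw) <= budget else "unpredictable"


if __name__ == "__main__":
    for pw in ("1", "1234", "abcdefgh", "cA6mqUPgBpe6pQf7"):
        bits = search_space_bits(pw)
        print(f"{pw!r}: {bits:5.1f} bits; strong secret vs {KEY_BITS}-bit key: "
              f"{is_strong_secret(bits)}; online: {classify_password(pw, False)}; "
              f"offline: {classify_password(pw, True)}")
    print(f"16 random bytes: {random_key_bits(16):.0f} bits; "
          f"strong secret: {is_strong_secret(random_key_bits(16))}")
```

Running it shows the distinction the mail draws: "cA6mqUPgBpe6pQf7" spans about 95 bits of search space, so it is unpredictable even against an offline search, yet it still falls short of a 128-bit key and is therefore not a "strong secret" in the first sense, which is why a PAKE or similar amplification is needed before using it as key material; "abcdefgh" flips from unpredictable to predictable the moment the search moves offline, illustrating the context dependence.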
Received on Thursday, 23 June 2011 02:53:09 UTC