Open CMCDragonkai opened 5 years ago
For normal password generation, we need something similar to this: https://www.nayuki.io/page/random-password-generator-javascript
Also needed is someway to verify the entropy of passwords that are passed in by the user. HKDF relies on sufficient entropy in the initial password:
On the other hand, it is anticipated that some applications will not be able to use HKDF "as-is" due to specific operational requirements, or will be able to use it but without the full benefits of the scheme. One significant example is the derivation of cryptographic keys from a source of low entropy, such as a user's password. The extract step in HKDF can concentrate existing entropy but cannot amplify entropy. In the case of password-based KDFs, a main goal is to slow down dictionary attacks using two ingredients: a salt value, and the intentional slowing of the key derivation computation. HKDF naturally accommodates the use of salt; however, a slowing down mechanism is not part of this specification.
We can use zxcvbn for user provided password validation.
Ah password complexity check is a separate problem from password generation. BIP39 is a good generator for high entropy secrets that is still human readable. It's like Zooko's triangle.
However for user supplied passwords, we can do the check and tell them about the entropy. But I'd like to keep it as a suggestion, and not as enforcement.
To enforce password complexity is complicated, but I'd imagine this may be something that enterprises may like to have.
That'd only be possible by preconfiguring polykey to push that along. But users could then reconfigure if they don't like it.
Only on a locked down platforms would this be possible, like employee machines.
Closing on account of migration to gitlab
Can use zxcvbn for this, and will require #222 to be done before this can be done.
Password suggestion/generator is useful for different things. One is for Polykey secrets itself. But another is just generating secrets within the constraints of external systems.
For Polykey secrets, we should use bip39: https://github.com/bitcoinjs/bip39