search

MatrixAI / Polykey

Polykey Core Library - Open Source Decentralized Secret Sharing System for Zero Trust Delegation of Authority
https://polykey.com
GNU General Public License v3.0
29 stars 4 forks source link

Password Generator #34

Open CMCDragonkai opened 5 years ago

CMCDragonkai commented 5 years ago

image

Password suggestion/generator is useful for different things. One is for Polykey secrets itself. But another is just generating secrets within the constraints of external systems.

For Polykey secrets, we should use bip39: https://github.com/bitcoinjs/bip39

CMCDragonkai commented 5 years ago

For normal password generation, we need something similar to this: https://www.nayuki.io/page/random-password-generator-javascript

robert-cronin commented 4 years ago

Also needed is someway to verify the entropy of passwords that are passed in by the user. HKDF relies on sufficient entropy in the initial password:

On the other hand, it is anticipated that some applications will not be able to use HKDF "as-is" due to specific operational requirements, or will be able to use it but without the full benefits of the scheme. One significant example is the derivation of cryptographic keys from a source of low entropy, such as a user's password. The extract step in HKDF can concentrate existing entropy but cannot amplify entropy. In the case of password-based KDFs, a main goal is to slow down dictionary attacks using two ingredients: a salt value, and the intentional slowing of the key derivation computation. HKDF naturally accommodates the use of salt; however, a slowing down mechanism is not part of this specification.

We can use zxcvbn for user provided password validation.

CMCDragonkai commented 3 years ago

Ah password complexity check is a separate problem from password generation. BIP39 is a good generator for high entropy secrets that is still human readable. It's like Zooko's triangle.

However for user supplied passwords, we can do the check and tell them about the entropy. But I'd like to keep it as a suggestion, and not as enforcement.

To enforce password complexity is complicated, but I'd imagine this may be something that enterprises may like to have.

That'd only be possible by preconfiguring polykey to push that along. But users could then reconfigure if they don't like it.

Only on a locked down platforms would this be possible, like employee machines.

robert-cronin commented 3 years ago

Closing on account of migration to gitlab

CMCDragonkai commented 2 years ago

Can use zxcvbn for this, and will require #222 to be done before this can be done.