search

dropbox / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License
14.99k stars 932 forks source link

Updating estimates for pbkdf2 streaching #199

Open jcalfee opened 7 years ago

jcalfee commented 7 years ago

Is there a way to update the estimates to account for stretching?

The offline attack vector is my concern. So, I would like to stretch the passphrase adding N bits of entropy. For example, to add 12 bits of strength I might do this:

const secret = pbkdf2.pbkdf2Sync(passphrase, '', 4096, 64, 'sha512')

I imagine this might work but it would add 16 bits instead of 12 bits I'm using:

const entropy = new Buffer('037d', 'hex').toString('binary') // 2 char string
const report = zxcvbn(passphrase + entropy)

Is there a cleaner way so I could provide the number of bits I'm adding? Otherwise I should probably mine for a good hex string to use.

lowe commented 7 years ago

Hi @jcalfee,

Recent versions of zxcvbn return an estimate in guesses (vs entropy). If you want to convert that to a "time to crack" type estimate, to account for stretching, I would simply choose a higher time-per-guess ratio based on the specifics of your hashing scheme.

The library includes a few example scenarios just in case it's helpful: 

const result = zxcvbn('helloworld');
console.log(result.crack_times_seconds);
console.log(result.crack_times_display);
jcalfee commented 7 years ago

I'm adding 2048 guesses (Math.pow(2, 11) === 2048). Implementations need to provide a checksum (probably a sha256) or it does not know if the decryption worked or not. So, all of the following should be about the same:

So it would be nice to update all the result values (score, N centuries, etc..) accordingly. I believe it is as simple as extending the estimated number of guesses (multiply by 2048)..

The time per guess is something I want to avoid hard-coding outside of the library because that is something that would be updated as technology advances (and we upgrade the library with an adjusted crack time estimate algorithm).

So my first though is to tell the library I'm using a longer password..

What do you think? Is it easy to adjust estimate_guesses like this: estimate_guesses *= 2048?

jcalfee commented 7 years ago

correction, adj: estimate_guesses *= 2048