ryanries / PassFiltEx

PassFiltEx. An Active Directory Password Filter.
GNU General Public License v3.0

Measured effectiveness of many filters, PassFiltEx is the best #21

Closed sensei-hacker closed 2 years ago

sensei-hacker commented 2 years ago

I thought you might be interested to know that yours is the best password filter. For the first part of my master thesis, I measured the effectiveness of the following:

OpenPasswordFilter, PassFiltEx, passwdqc, zxcvbn, libpwquality

For each, I fed in a large number of passwords that actually DID get cracked after the hashes were leaked. I also fed in a large number of passwords chosen by users to represent the passwords people want to use.

I calculated the effectiveness of a password filter / meter by its ability to:

A. Reject passwords that ended up getting cracked.
B. Reject a low percentage of passwords overall.

Your software did the best at distinguishing passwords that get cracked.

passwdqc is made by Solar Designer - the same guy who makes John the Ripper. So you beat Solar Designer.

With default settings, PassFiltEx blocked 17% of the cracked passwords, and only 7% overall. That gives it a net score of +10%. PassFiltEx has the best score of the tested systems.

That might not seem like an incredibly high score, but three of the five systems tested had NEGATIVE scores. They were more likely to allow a password that ended up getting cracked than to allow a password generally.

It seems that what sets PassFiltEx apart is the "if 60% of the password consists of a known string" function. Checking to see if the password is MOSTLY made up of a word in your dictionary works much better than other methods.

I hope it brings a smile to your face to know you've made the best password filter. The second half of my thesis project is that I will attempt to blow you out of the water with a much better system. :)
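An added illustration of the two ideas in the comment above: a "mostly a known string" check in the spirit of the 60% rule credited to PassFiltEx, and the cracked-versus-overall scoring the thesis describes. This is example code written for this page, not PassFiltEx's source or the thesis code; the token list, the two password samples, and the `KNOWN_TOKENS`, `mostly_known_string`, `reject` and `net_score` names are all constructed here.

```python
"""Added example (not PassFiltEx's code): a single-token coverage check and
the cracked-vs-overall net score from the comment above."""

from typing import Callable, Iterable, Optional, Tuple

# Constructed blocklist for the demo. Assumption: a real filter loads a large
# token file; PassFiltEx uses its own blocklist file, not this list.
KNOWN_TOKENS = ["password", "welcome", "summer", "company", "qwerty"]


def mostly_known_string(password: str, tokens: Iterable[str],
                        threshold: float = 0.60) -> Tuple[bool, Optional[str], float]:
    """Return (reject, matched_token, fraction).

    Reject when one known token, matched case-insensitively as a substring,
    makes up at least `threshold` of the password's length. The longest
    matching token wins, so 'password' outranks a shorter 'pass' entry.
    Appending digits or a symbol to a dictionary word does not help the user:
    'Password1' is still 8/9 dictionary word.
    """
    if not password:
        return (False, None, 0.0)
    lowered = password.lower()
    best_token: Optional[str] = None
    best_frac = 0.0
    for token in tokens:
        t = token.lower()
        if t and t in lowered:
            frac = len(t) / len(password)
            if frac > best_frac:
                best_token, best_frac = t, frac
    return (best_frac >= threshold, best_token, best_frac)


def reject(password: str) -> bool:
    """Filter verdict with the default 60% threshold and the demo token list."""
    return mostly_known_string(password, KNOWN_TOKENS)[0]


def net_score(filter_fn: Callable[[str], bool],
              cracked: Iterable[str], chosen: Iterable[str]) -> dict:
    """Score a filter the way the comment above describes.

    cracked: passwords that were later cracked from leaked hashes.
    chosen:  a sample of passwords users actually pick (the 'overall' set).
    net = share of cracked passwords rejected - share of chosen passwords
    rejected; a negative net means the filter lets cracked passwords through
    more readily than passwords in general.
    """
    cracked = list(cracked)
    chosen = list(chosen)
    rej_cracked = sum(1 for p in cracked if filter_fn(p)) / len(cracked)
    rej_chosen = sum(1 for p in chosen if filter_fn(p)) / len(chosen)
    return {
        "cracked_rejected": rej_cracked,
        "overall_rejected": rej_chosen,
        "net": rej_cracked - rej_chosen,
    }


# Constructed sample sets, small enough to check by hand.
CRACKED_SAMPLE = ["Password1", "Welcome2023", "Summer!", "qwerty123", "Tr0ub4dor&3"]
CHOSEN_SAMPLE = ["Password1", "Xk9#vLm2pQ", "correcthorsebattery", "Summer!",
                 "M0nkey$Business"]


if __name__ == "__main__":
    for pw in ["Password1", "password_is_a_long_phrase_42", "Xk9#vLm2pQ"]:
        print(pw, mostly_known_string(pw, KNOWN_TOKENS))
    print(net_score(reject, CRACKED_SAMPLE, CHOSEN_SAMPLE))
```

Note what the fraction does that a plain blocklist match does not: `password_is_a_long_phrase_42` contains the token `password` but it is only 8/28 of the string, so it passes, while `Password1` is rejected at 8/9. Tuning the threshold moves the filter along exactly the trade-off the comment scores, more cracked passwords rejected versus more passwords rejected overall.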

ryanries commented 2 years ago

@MorrisR2 Thanks for testing and for writing this positive review! Please do let us know how your own password filter works out!

allquixotic commented 2 years ago

@sensei-hacker Any progress on your own password filter? And if you are not writing it in Rust, why not? :)

sensei-hacker commented 2 years ago

> Any progress on your own password filter?

Yes, and the performance is significantly different. Here's my Defcon talk on it: https://youtu.be/oXfLZ1Z4-gY

And the repo: https://github.com/sensei-hacker/password-dog

Adding something similar to Ryan's 60% rule along with my techniques could lead to even further improvement.

ryanries commented 2 years ago

Dang, not even a mention. :(