Feature #70: Implement argon2 support for AES key derivation - OTPme

Actions

Copy link

Feature #70

open

Implement argon2 support for AES key derivation

Added by The 2nd over 8 years ago. Updated over 5 years ago.

Status:

In Bearbeitung

Priority:

Normal

Assignee:

The 2nd

Target version:

OTPme 0.3

Start date:

31 December 2015

Due date:

% Done:

Estimated time:

Description

Actions

Copy link

Updated by The 2nd over 8 years ago

Maybe we should use pyzxcvbn to implement dynamic iterations based on password strength
We also should consider dynamic calculation of aron2's "m" parameter based on available host memory

Actions

Copy link

Updated by The 2nd over 8 years ago

The python version of zxcvbn has some issues -> https://github.com/dropbox/python-zxcvbn/issues/14
And the original javascript version fails to generate a reasonable score on passwords with very common patterns

zxcvbn('SuziMiller_2016');
{ password: 'SuziMiller_2016',
  guesses: 188140000000,
  guesses_log10: 11.274481139688914,
  sequence:
   [ { pattern: 'dictionary',
       i: 0,
       j: 3,
       token: 'Suzi',
       matched_word: 'suzi',
       rank: 3134,
       dictionary_name: 'female_names',
       reversed: false,
       l33t: false,
       base_guesses: 3134,
       uppercase_variations: 2,
       l33t_variations: 1,
       guesses: 6268,
       guesses_log10: 3.797128987796552 },
     { pattern: 'dictionary',
       i: 4,
       j: 9,
       token: 'Miller',
       matched_word: 'miller',
       rank: 7,
       dictionary_name: 'surnames',
       reversed: false,
       l33t: false,
       base_guesses: 7,
       uppercase_variations: 2,
       l33t_variations: 1,
       guesses: 50,
       guesses_log10: 1.6989700043360185 },
     { pattern: 'bruteforce',
       token: '_2016',
       i: 10,
       j: 14,
       guesses: 100000,
       guesses_log10: 5 } ],
  calc_time: 7,
  crack_times_seconds: 
   { online_throttling_100_per_hour: 6773040000000,
     online_no_throttling_10_per_second: 1881400000,
     offline_slow_hashing_1e4_per_second: 18814000,
     offline_fast_hashing_1e10_per_second: 18.814 },
  crack_times_display:
   { online_throttling_100_per_hour: 'centuries',
     online_no_throttling_10_per_second: '59 years',
     offline_slow_hashing_1e4_per_second: '7 months',
     offline_fast_hashing_1e10_per_second: '19 seconds' },
  score: 4,
  feedback: { warning: '', suggestions: [] } }

There is another python password strength check but it also fails on the same password -> https://github.com/cadithealth/passwordmeter

# python
Python 2.7.9 (default, Apr  2 2015, 15:33:21)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import passwordmeter
>>> password = "SuziMiller_2016" 
>>> strength, improvements = passwordmeter.test(password)
>>> print strength
0.915112131644

Actions

Copy link