
Feature: Support restrictive password policies via uniform sampling of regular languages #17

Open
eternaleye opened this issue Mar 1, 2023 · 4 comments

Comments

@eternaleye

eternaleye commented Mar 1, 2023

One limiting factor for password managers that generate (rather than storing) passwords is that many sites have restrictive password policies. However, most password policies can be described as regular languages (possibly in a composable/modular manner, as they are closed under intersection). Because regular languages can be sampled from uniformly, this may offer a clean way to support sites with restrictive password policies without sacrificing security.

In the paper Uniform Sampling for Networks of Automata, Section 2.1 "Cardinalities and fixed length uniform sampling" sketches a simple algorithm for doing this for arbitrary fixed output length (which would match the current behavior, of always emitting 40-character rwd values). However, another approach would be to include the "preferred" output length for each site as part of the policy language, and use the algorithm described in section 2.2 "Generating functions and Boltzmann sampling". Both of these do presume the regular language has been transformed to a DFA.
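As an added illustration of the Section 2.1 path-counting approach (example code, not pwdsphinx's own converter): a DFA for the constructed policy "at least one digit and at least one upper-case letter", a memoised table of accepting continuations, and an unranking routine that maps an integer derived from the rwd bytes to a uniformly chosen conforming password of a fixed length. The policy, alphabet and the rwd-to-integer mapping are assumptions for the example.

```python
import string
from functools import lru_cache

# Constructed policy (assumption, not a real site's): passwords over a-z, A-Z, 0-9
# that contain at least one digit and at least one upper-case letter.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits

# DFA state is a bitmask: bit 0 = "seen a digit", bit 1 = "seen an upper-case letter".
START, ACCEPTING = 0, {3}

def step(state, ch):
    """DFA transition function."""
    if ch.isdigit():
        return state | 1
    if ch.isupper():
        return state | 2
    return state

@lru_cache(maxsize=None)
def count(state, k):
    """Number of length-k strings that lead from `state` to an accepting state
    (the cardinality table of Section 2.1, filled by memoised recursion)."""
    if k == 0:
        return 1 if state in ACCEPTING else 0
    return sum(count(step(state, ch), k - 1) for ch in ALPHABET)

def unrank(rank, length):
    """Return the rank-th string (0-based, lexicographic in ALPHABET order) of the
    language restricted to `length`. A uniformly random rank gives a uniformly
    random conforming password."""
    if not 0 <= rank < count(START, length):
        raise ValueError("rank out of range")
    out, state = [], START
    for remaining in range(length, 0, -1):
        for ch in ALPHABET:
            nxt = step(state, ch)
            n = count(nxt, remaining - 1)  # conforming completions via this symbol
            if rank < n:
                out.append(ch)
                state = nxt
                break
            rank -= n
    return "".join(out)

def rwd_to_password(rwd, length):
    """Map rwd bytes to a conforming password of the given length. The modular
    reduction is biased by at most about total / 2**(8 * len(rwd))."""
    total = count(START, length)
    return unrank(int.from_bytes(rwd, "big") % total, length)
```

Intersecting further policy rules (forbidden characters, required symbol classes) only changes `step` and `ACCEPTING`; the counting and unranking code stays the same.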

@stef
Owner

stef commented Mar 1, 2023

Actually we are able to define password rules in the CLI frontend as described in https://github.com/stef/pwdsphinx/blob/master/whitepaper.org#password-rules

@stef
Owner

stef commented Mar 1, 2023

Admittedly this defines the allowed characters, not the required number of characters from the different classes, so yeah, that could use some improvement. Most of the time though, due to the length of the generated password, the minimum requirements are satisfied.

@stef
Owner

stef commented Mar 1, 2023

The logic which implements the conversion from rwd to final password is implemented here:
https://github.com/stef/pwdsphinx/blob/master/pwdsphinx/bin2pass.py

But we also have a different converter, one that converts the rwd into an age keypair: https://github.com/stef/pwdsphinx/blob/master/contrib/sphage.py

I would be stoked if we had other, or better, rwd-to-... converters!

@stef
Owner

stef commented Jun 25, 2023

Please close this issue if you feel that the above answers satisfy your request; if not, please elaborate why.
