Adedov: Add links section

2015-11-20T23:27:06Z

Add links section

Adedov: Created page with "'''This document is an attempt to write draft replacement for Password length & complexity page.''' ==What Is Password Policy== TODO ==Threat Model== There are three mai..."

2015-11-20T23:17:47Z

Created page with "'''This document is an attempt to write draft replacement for Password length & complexity page.''' ==What Is Password Policy== TODO ==Threat Model== There are three mai..."

New page

'''This document is an attempt to write draft replacement for [[Password length & complexity]] page.'''

==What Is Password Policy==
TODO

==Threat Model==
There are three main threats against to user passwords:
* Online attacks
* Offline attacks
* Password leaks

===Online Attacks===
In this mode attacker tries to guess users passwords by sending candidate passwords directly to attacking service.

The speed and feasibility of online attacks are defined by security mechanisms implemented by application such as rate limiting authentication requests per user, IP address, etc. As well as by overall performance of network infrastructure and application.

===Offline Attacks===
If attacker have got a passwords file or a database dump or a captured traffic (e.g. Kerberos ticket or WiFi frames) and passwords are protected with some kind of crypto then attacker may mount so called offline attack.

The speed of offline attack is defined by resources available to attacker as well as robustness of methods used to protect user's passwords. In many cases the difference is speed between online and offline mode is order of magnitude in favour of offline mode.

===Depth vs. Breadth===
In context of password policy discussions it might be useful to distinguish ''targeted'' and ''untargeted'' attacks by attacker's primary goal:
; Targeted (depth-first) : Attacker needs to guess password of a specific user.
; Untargeted (breadth-first) : Attacker would be satisfied to find out any password of any account or want to collect as much valid credentials as possible.

===Password Leaks===
There are plenty of threats for passwords confidentiality that have no relation to guessing techniques at all. Examples are:
* Phishing and social engineering attacks;
* Malware installed on users devices;
* Capturing passwords during transmissions over insecure channels;
* Etc.

===Password Policy as a Mitigation to Passwords Threats===
TODO

← Older revision		Revision as of 23:27, 20 November 2015
Line 34:		Line 34:
	===Password Policy as a Mitigation to Passwords Threats===		===Password Policy as a Mitigation to Passwords Threats===
	TODO		TODO
		+
		+
		+	==Links==
		+	# [http://openwall.info/wiki/passwdqc/policy Password strength policy considerations.] by Solar Designer
		+	# [http://research.microsoft.com/apps/pubs/?id=227130 An Administrator’s Guide to Internet Password Research. Dinei Florencio ˆ, Cormac Herley, and Paul C. van Oorschot. 2014]
		+	# [http://research.microsoft.com/apps/pubs/?id=250408 Passwords and the Evolution of Imperfect Authentication. Joe Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2015]

Password policy (Draft) - Revision history

Adedov: Add links section

Adedov: Created page with "'''This document is an attempt to write draft replacement for Password length & complexity page.''' ==What Is Password Policy== TODO ==Threat Model== There are three mai..."