This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Passfault"
Revision by Cam Morris (talk | contribs) to revision by Cam Morris (talk | contribs) (→Demo Site)
(31 intermediate revisions by 3 users not shown)
Line 1: | Line 1: | ||
=Main= | =Main= | ||
− | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div> |
+ | <div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div> | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
Line 8: | Line 9: | ||
==OWASP Passfault== | ==OWASP Passfault== | ||
− | OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. | + | OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying! |
+ | |||
==Introduction== | ==Introduction== | ||
− | + | OWASP Passfault is more ... | |
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies | ; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies | ||
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training. | ; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training. | ||
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords. | ; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords. | ||
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords. | ; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords. | ||
+ | |||
==Description== | ==Description== | ||
− | When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the size of the patterns and combinations of patterns. The end result is a more academic and accurate measurement of password strength. | + | When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength. |
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack. | When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack. | ||
+ | |||
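Review bot: two typos in the text this hunk carries over unchanged: "It than measures the size of the patterns" in the Description paragraph should read "It then measures", and "the risk of poor paswords" in the Simple bullet should be "poor passwords".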
Line 28: | Line 32: | ||
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" | | | valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" | | ||
− | |||
== What is Passfault? == | == What is Passfault? == | ||
Line 38: | Line 41: | ||
== Presentation == | == Presentation == | ||
+ | [[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]] | ||
+ | |||
+ | == Articles == | ||
+ | |||
+ | ''Your Passwords don't Suck, its your Policies'' | ||
+ | [[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]] | ||
+ | |||
+ | ''Redefining Password Strength and Creation'' | ||
+ | [[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]] | ||
+ | |||
+ | ''How long would it take to crack your password'' | ||
+ | [[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]] | ||
− | + | == Research == | |
− | [[ | + | ''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]] |
− | + | ''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] | |
− | [[http:// | + | "...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault" |
− | + | ||
− | + | | valign="top" style="padding-left:25px;width:200px;" | | |
− | |||
− | == | + | == Quick Download == |
− | [[ | + | [[https://github.com/owasp/passfault/releases downloads]] |
− | == | + | == Demo Page == |
+ | [[https://passfault.appspot.com/password_strength.html demo site]] | ||
− | |||
+ | == Project Leader == | ||
+ | [[User:Cam_Morris|Cam Morris]] | ||
− | |||
− | == | + | == Related Projects == |
− | [[ | + | [[Password_Storage_Cheat_Sheet]] |
+ | == Ohloh == | ||
− | + | https://www.ohloh.net/p/passfault | |
− | |||
− | |||
==Classifications== | ==Classifications== | ||
Line 74: | Line 88: | ||
{| width="200" cellpadding="2" | {| width="200" cellpadding="2" | ||
|- | |- | ||
− | | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp- | + | | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]] |
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] | ||
|- | |- | ||
Line 81: | Line 95: | ||
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]] | | colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]] | ||
|- | |- | ||
− | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/ | + | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]] |
|} | |} | ||
− | |||
|} | |} | ||
=FAQs= | =FAQs= | ||
− | ; | + | ==Demo Site== |
− | : | + | ; Does the Demo Site capture or log passwords? |
+ | : No, of course not | ||
− | ; | + | ; How can I be sure the Demo Site doesn't capture or log passwords? |
− | : | + | : You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged: |
+ | * GETs are blocked so no urls will have accidental passwords stored in the logs | ||
+ | * passwords are read directly from the input stream to prevent parsing into Java Strings | ||
+ | * the memory is cleared as soon as analysis is complete. | ||
+ | * HTTPS is required on this URL (using the appspot domain) | ||
+ | To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt | ||
+ | |||
+ | ; Why do you need to pass the password over the wire?! Isn't that insecure? Others do it in javascript-client why don't you? | ||
+ | : Passfault's mission is to replace password policies, not just be a cute strength meter. It was intended to be used by the sites that already take and use your passwords. With that use-case, adding Passfault doesn't lessen security in any way. Plus it has the added benefit that we can store LOTS of password lists and do some in-depth analysis that can't be done client-side. | ||
+ | |||
+ | ; Does 2FA (two-factor authentication) make Passfault obsolete? | ||
+ | : No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. | ||
+ | |||
+ | ; Some argue that password policies make passwords less secure, does that apply to Passfault? | ||
+ | : Researchers have found that, of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy. | ||
+ | |||
+ | ; How does Passfault compare to zxcvbn? | ||
+ | : Passfault is very similar to zxcvbn in it's approach to password analysis. In fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable. | ||
+ | |||
+ | ; Why java - I hate java. If it were only in language ''x'' I'd use it. | ||
+ | : Passfault is packaged up in docker as a microservice. You'd probably want to run passfault as a microservice anyway, so forget that it's java and just run with it. That said, we welcome any ports to typescript or any other language. | ||
+ | |||
+ | Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]] | ||
= Acknowledgements = | = Acknowledgements = | ||
==Volunteers== | ==Volunteers== | ||
− | + | OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been: | |
− | * | + | * Cam Morris |
− | * | + | * Bernardo Araujo Rodrigues |
+ | * Ray Stone | ||
+ | * New Jersey Institute of Technology students contributed to release 0.8 (Highlander): | ||
+ | ** Michael Glassman | ||
+ | ** Georgina Matias | ||
+ | ** Scott Sands | ||
+ | ** Brandon Lyew | ||
+ | ** Kevin Sealy | ||
+ | ** Llina Ljoljevski | ||
+ | * University of Florida Students contibuted to release 0.7 (Gator): | ||
+ | ** Neeti Pathak | ||
+ | ** Carlos Vasquez | ||
+ | ** Chelsea Metcalf | ||
+ | ** Yang Ou | ||
==Others== | ==Others== | ||
− | * | + | * Partnet Inc. has donated paid labor on OWASP Passfault |
− | * | + | * JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license! |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | = Getting Involved = | ||
+ | * Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list] | ||
+ | * See the Roadmap | ||
+ | * Peruse the [https://github.com/c-a-m/passfault/issues open issues] | ||
+ | * Fork the code on [https://github.com/c-a-m/passfault github]. | ||
+ | * If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!) | ||
+ | = Roadmap = | ||
+ | {{:Projects/OWASP_Passfault/Roadmap}} | ||
=Project About= | =Project About= |
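Review bot: the mailing-list link in the Getting Involved bullet is malformed ("http://https://lists.owasp.org/mailman/listinfo/passfault") and will not resolve; drop the leading "http://" so it matches the working link in the FAQ footer. The same revision leaves the repository ambiguous: the Classifications badge and Quick Download point at github.com/owasp/passfault, while the Demo Site FAQ, the README link and the Getting Involved bullets point at github.com/c-a-m/passfault; pick the canonical repository and use it throughout. The Demo Site bullet "the memory is cleared as soon as analysis is complete" reads as a guarantee, but the servlet can only clear buffers it allocates itself, not copies made by the container or a JSON parser before the request reaches it, so state that scope. Minor wording: "You can't, There is no way" needs a full stop, "Passfault works different" should be "differently", "it's approach" and "it's real risk" should be "its", "contibuted" should be "contributed", and "If contribute significantly" should be "If you contribute significantly".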
Latest revision as of 16:03, 12 April 2017
OWASP Passfault
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!
Introduction
OWASP Passfault is more ...
- Accurate: Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies.
- Informative: Provides detailed analysis of the password and sub-patterns within the password, so users quickly learn how to make strong passwords without training.
- Simple: Presents the password strength as the "time to crack" to help communicate the risk of poor passwords, providing the incentive to create stronger passwords.
- Powerful: Empowers administrators to know and control the strength and risk of the organization's passwords.
Description
When setting a password, OWASP Passfault examines the password, looking for common patterns. It then measures the size of the patterns and combinations of patterns. The end result is a more academic and accurate measurement of password strength.
When setting a password policy, OWASP Passfault simplifies configuration to one simple, meaningful measurement: the number of passwords found in the password patterns. This measurement is made more intuitive and meaningful with an estimated time to crack.
Licensing
OWASP Passfault is free to use. It is licensed under the Apache License version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.html).
What is Passfault?
OWASP Passfault provides:
Presentation
Video: https://www.youtube.com/watch?v=LPTUpGGgKLk

Articles
- Your Passwords don't Suck, its your Policies (ZDNet): http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482
- Redefining Password Strength and Creation (MidsizeInsider, IBM): http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength
- How long would it take to crack your password (Naked Security, Sophos): http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/

Research
- Passfault: an Open Source Tool for Measuring Password Complexity and Strength (File:Artigo-Passfault.pdf)
- General Framework for Evaluating Password Complexity and Strength (Cornell University Library): http://arxiv.org/abs/1512.05814
  "...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"
Quick Download
https://github.com/owasp/passfault/releases

Demo Page
https://passfault.appspot.com/password_strength.html

Project Leader
Cam Morris

Related Projects
Password Storage Cheat Sheet

Ohloh
https://www.ohloh.net/p/passfault

Classifications
Lab Project; Builders; Apache License 2.0; Code: https://github.com/owasp/passfault
FAQs

Demo Site
- Does the Demo Site capture or log passwords?
- No, of course not
- How can I be sure the Demo Site doesn't capture or log passwords?
- You can't. There is no way to verify what is uploaded to appspot (Google hosts the demo site). However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:
- GETs are blocked so no urls will have accidental passwords stored in the logs
- passwords are read directly from the input stream to prevent parsing into Java Strings
- the memory is cleared as soon as analysis is complete.
- HTTPS is required on this URL (using the appspot domain)
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt
- Why do you need to pass the password over the wire?! Isn't that insecure? Others do it in javascript-client why don't you?
- Passfault's mission is to replace password policies, not just be a cute strength meter. It was intended to be used by the sites that already take and use your passwords. With that use-case, adding Passfault doesn't lessen security in any way. Plus it has the added benefit that we can store LOTS of password lists and do some in-depth analysis that can't be done client-side.
- Does 2FA (two-factor authentication) make Passfault obsolete?
- No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an effective password policy.
- Some argue that password policies make passwords less secure, does that apply to Passfault?
- Researchers have found that, of all the techniques used by password policies, only the required length had an effect on overall strength, and even that claim is dubious. Passfault works differently, and we claim we can do better, a lot better, than any traditional password policy.
- How does Passfault compare to zxcvbn?
- Passfault is very similar to zxcvbn in its approach to password analysis. In fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy"; this measurement could be derived from Passfault's "pattern size", but we feel that "time to crack" better conveys the real risk to the end user. (The downside is that really large numbers don't mean much to users: 10 years or 10 million years both feel like a long way off. Entropy is logarithmic, so it shows this better, but entropy units are not intuitive to users.) We also search for a few more patterns that we think are valuable.
- Why java - I hate java. If it were only in language x I'd use it.
- Passfault is packaged up in docker as a microservice. You'd probably want to run passfault as a microservice anyway, so forget that it's java and just run with it. That said, we welcome any ports to typescript or any other language.
Discuss with us more on twitter (https://twitter.com/c4mm0r) or join the email list (https://lists.owasp.org/mailman/listinfo/passfault).
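The Demo Site answers above list four precautions (no GET, read the body straight from the input stream rather than into a String, wipe memory after analysis, HTTPS only). The following Python handler is an added illustration of that handling pattern; it is not the PassfaultServlet code, and the request shape, the 1024-byte body limit and the deliberately crude character-class score that stands in for the real pattern analysis are all assumptions made for the example. The point is that the password only ever exists in one mutable buffer that the handler itself zeroes, and that nothing about the body reaches the log.

```python
import io
import json
import math

MAX_BODY = 1024        # largest body we will buffer for an untrusted client (assumed limit)
ACCESS_LOG = []        # stands in for the container's access log


def charset_bits(buf):
    """Deliberately crude score on raw bytes: log2(character-class size) * length.
    The pattern analysis would run here instead; what matters for this example
    is that it only ever sees the mutable buffer, never a str copy of it."""
    classes = 0
    if any(48 <= b <= 57 for b in buf):                       # 0-9
        classes += 10
    if any(97 <= b <= 122 for b in buf):                      # a-z
        classes += 26
    if any(65 <= b <= 90 for b in buf):                       # A-Z
        classes += 26
    if any(not (48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122) for b in buf):
        classes += 33                                         # other printable ASCII
    return math.log2(classes) * len(buf) if classes else 0.0


def wipe(buf):
    """Overwrite the buffer in place; bytes and str objects could not be wiped."""
    buf[:] = bytes(len(buf))


def respond(method, path, status, payload):
    """Log method, path and status only; the request body is never written anywhere."""
    ACCESS_LOG.append(f"{method} {path} {status}")
    return status, json.dumps(payload).encode()


def handle(method, scheme, path, body_stream, content_length):
    """Request handler mirroring the demo service's precautions."""
    if scheme != "https":
        return respond(method, path, 403, {"error": "https required"})
    if method != "POST":          # a GET would put the password in the URL, hence in access logs
        return respond(method, path, 405, {"error": "POST only"})
    if content_length > MAX_BODY:
        return respond(method, path, 413, {"error": "body too large"})
    if content_length <= 0:
        return respond(method, path, 400, {"error": "empty body"})
    buf = bytearray(content_length)           # mutable, so it can be wiped afterwards
    try:
        n = body_stream.readinto(buf)         # fill in place: no intermediate bytes or str
        del buf[n:]                           # drop any unfilled tail (short body)
        bits = charset_bits(buf)
        return respond(method, path, 200, {"bits": round(bits, 1), "length": n})
    finally:
        wipe(buf)                             # after the response is built, before release


def request(method, scheme, path, body=b""):
    """Convenience wrapper: drive handle() with an in-memory body."""
    return handle(method, scheme, path, io.BytesIO(body), len(body))


if __name__ == "__main__":
    print(request("POST", "https", "/analyze", b"correct horse battery staple"))
    print(request("GET", "https", "/analyze"))          # refused: 405
    print(request("POST", "http", "/analyze", b"x"))    # refused: 403
    print(ACCESS_LOG)                                   # method, path, status; no body
```

The wipe is scoped exactly as the FAQ's caveat deserves: it clears the buffer this handler allocated, nothing else. Any copy a front-end proxy, the servlet container or a JSON parser makes before the body reaches the handler is outside its control, which is why the page recommends running the service locally if you want stronger assurance.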
Volunteers
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:
- Cam Morris
- Bernardo Araujo Rodrigues
- Ray Stone
- New Jersey Institute of Technology students contributed to release 0.8 (Highlander):
- Michael Glassman
- Georgina Matias
- Scott Sands
- Brandon Lyew
- Kevin Sealy
- Llina Ljoljevski
- University of Florida students contributed to release 0.7 (Gator):
- Neeti Pathak
- Carlos Vasquez
- Chelsea Metcalf
- Yang Ou
Others
- Partnet Inc. has donated paid labor on OWASP Passfault
- JetBrains has donated professional licenses for IntelliJ IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!
Getting Involved
- Join the OWASP Passfault Mailing list (https://lists.owasp.org/mailman/listinfo/passfault)
- See the Roadmap
- Peruse the open issues
- Fork the code on github.
- If you contribute significantly to the project, contact the project leader for a professional license of IntelliJ IDEA by JetBrains (Thanks JetBrains!)
Roadmap

Release 0.8
Goal: preparation for ESAPI
- More meaningful word lists
- Frequency lists: build lists of the most common words and names (done for English and Spanish).
- Improved configuration of finders and wordlists
Release 0.9
- UI improvements
- Fix backlog of issues
- experiment with configuration of wordlists
Release 1.0
Goals: Enterprise Ready
- UI improvements for learning better password strategies
- Easier to configure and run, not requiring a developer to wire things up.
Other Important Goals
- Javascript library generated by GWT and GWT Export. Do you know GWT? Please help us build a javascript version of passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/
- OS system integration:
- Linux
- running passwd on linux runs passfault
- apt-get install passfault
- Windows
- Linux
- Document each pattern finder on the OWASP wiki.
- JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password.
- Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.
For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open