This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Passfault"
Cam Morris (talk | contribs) (→Acknowledgements)
Cam Morris (talk | contribs) m (Cleaned up links)
Line 44, == Articles ==: the three bare article URLs (ZDNet; MidsizeInsider, IBM; Naked Security, Sophos) were replaced with titled links. The current form is the Articles list on this page.
Revision as of 21:28, 24 February 2015
OWASP Passfault
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!
Introduction
OWASP Passfault is more ...
Description
When setting a password, OWASP Passfault examines the password, looking for common patterns. It then measures the size of the patterns and combinations of patterns. The end result is a more academic and accurate measurement of password strength. When setting a password policy, OWASP Passfault simplifies configuration to one simple, meaningful measurement: the number of passwords found in the password patterns. This measurement is made more intuitive and meaningful with an estimated time to crack.
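The pattern search and pattern sizing described above, as an added Python example written for this page (it is not code from the Passfault project, which is written in Java). Each finder reports the substrings it recognises together with the number of guesses a cracker would need to enumerate that pattern; a dynamic program then picks the cheapest chain of patterns covering the whole password, and the resulting search space is divided by an assumed guess rate to give a time to crack. The ten-word ranked list, the 1900-2099 year range, the 95-character printable alphabet, the "times two for non-lowercase" capitalisation rule and the 10^9 guesses per second default are all assumptions made for this example, not Passfault's own values.

```python
"""Simplified Passfault-style strength analysis (added example, not the project's code):
find patterns in a password, size each one, and combine them into a search space."""
import re
from dataclasses import dataclass

# Constructed, frequency-ordered sample word list; rank 1 is the most common word.
# A real deployment loads a large ranked list per language.
WORDLIST = ["password", "dragon", "monkey", "letmein", "love",
            "pass", "word", "secret", "summer", "hello"]
WORD_RANK = {w: i + 1 for i, w in enumerate(WORDLIST)}
PRINTABLE = 95              # assumed alphabet a brute-forcer cycles through per character
YEARS = range(1900, 2100)   # assumed "year" pattern: 200 candidate values


@dataclass(frozen=True)
class Pattern:
    name: str
    text: str
    start: int
    end: int    # exclusive
    size: int   # number of guesses needed to enumerate this pattern


def class_size(ch):
    """Alphabet size a brute-forcer needs for one character of this class."""
    if ch.isalpha():
        return 26
    if ch.isdigit():
        return 10
    return 33   # punctuation, space, etc.


def find_patterns(pw):
    """Run every finder and return all candidate patterns (they may overlap)."""
    found = []
    # Fallback: each character is a random pick from its class, so a run of n
    # unmatched characters costs class^n once the sizes are multiplied.
    for i, ch in enumerate(pw):
        found.append(Pattern("random", ch, i, i + 1, class_size(ch)))
    # Dictionary words, matched case-insensitively. A cracker walking a ranked
    # list reaches rank r after r guesses; a non-lowercase spelling is assumed
    # to cost one extra pass with a capitalisation rule (hence the factor 2).
    for i in range(len(pw)):
        for j in range(i + 1, len(pw) + 1):
            rank = WORD_RANK.get(pw[i:j].lower())
            if rank:
                found.append(Pattern("word", pw[i:j], i, j,
                                     rank if pw[i:j].islower() else 2 * rank))
    # Four-digit years; the lookahead lets overlapping matches through.
    for m in re.finditer(r"(?=(\d{4}))", pw):
        if int(m.group(1)) in YEARS:
            found.append(Pattern("year", m.group(1), m.start(1), m.end(1), len(YEARS)))
    # A run of one repeated character: the cracker only has to pick the character.
    for m in re.finditer(r"(.)\1{2,}", pw):
        found.append(Pattern("repeat", m.group(0), m.start(), m.end(), PRINTABLE))
    return found


@dataclass
class Analysis:
    size: int        # guesses needed to exhaust the cheapest pattern cover
    patterns: list   # the pattern chain that produced it
    seconds: float   # estimated time to crack at the given guess rate


def analyze(pw, guesses_per_second=1e9):
    """Pick the cheapest chain of patterns covering the whole password
    (dynamic programming over end positions) and convert it to a time."""
    by_end = {}
    for p in find_patterns(pw):
        by_end.setdefault(p.end, []).append(p)
    best = {0: (1, [])}   # best[k] = (search space, patterns) covering pw[:k]
    for end in range(1, len(pw) + 1):
        for p in by_end[end]:   # the fallback guarantees at least one entry
            prev_size, prev_path = best[p.start]
            cand = prev_size * p.size
            if end not in best or cand < best[end][0]:
                best[end] = (cand, prev_path + [p])
    size, path = best[len(pw)]
    return Analysis(size, path, size / guesses_per_second)


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ["password", "Summer2015", "aaaa", "xq7#Lp"]:
        a = analyze(pw)
        print(f"{pw!r}: {a.size} guesses via {[p.name for p in a.patterns]}"
              f" -> {human_time(a.seconds)}")
```

The point the Description makes is visible in the numbers: "Summer2015" looks like ten mixed characters, but it is one word plus one year, so its search space is 2 x 9 x 200 = 3600 rather than the 26^6 x 10^4 a character-class policy would credit it with; a single word such as "password" collapses to one guess. Adding finders (keyboard walks, dates, leetspeak substitutions) only ever lowers the estimate, which is the conservative direction.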
Licensing
OWASP Passfault is free to use. It is licensed under the Apache License version 2.0.
What is Passfault?
OWASP Passfault provides:
Presentation
Articles
- Your Passwords don't Suck, its your Policies (ZDNet): http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482
- Redefining Password Strength and Creation (MidsizeInsider, IBM): http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength
- How long would it take to crack your password (Naked Security, Sophos): http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/
Demo Site
- Does the Demo Site capture or log passwords?
- No, of course not.
- How can I be sure the Demo Site doesn't capture or log passwords?
- You can't. There is no way to verify what is uploaded to appspot (Google is hosting the demo site). However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java
  We took the following steps to ensure the passwords don't get logged:
  - GETs are blocked, so no URLs with accidental passwords will be stored in the logs
  - passwords are read directly from the input stream to prevent parsing into Java Strings
  - the memory is cleared as soon as analysis is complete
  - HTTPS is required on this URL (using the appspot domain)
  To be extra cautious, download the code and execute it locally (see the README): https://github.com/c-a-m/passfault/blob/master/README.txt
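The four handling rules listed above, as an added Python example written for this page; it is not the project's PassfaultServlet, which is Java, but it applies the same rules to a small WSGI endpoint: refuse GET so the password can never sit in a query string and hence in access logs, require HTTPS, read the body straight into a mutable buffer instead of an immutable string (Python's str is immutable like Java's String), and wipe the buffer as soon as analysis is done. The `classify` function is a toy stand-in for the analysis, the 256-byte cap is a constructed limit, and the code assumes the server's `wsgi.input` object supports `readinto`, which `io.BufferedReader` and `io.BytesIO` do.

```python
"""Added example: a password-analysis endpoint that keeps the password out of
URLs, logs and long-lived memory. Not the Passfault project's own servlet."""
import io
import json

MAX_PASSWORD_BYTES = 256   # constructed limit, also bounds the buffer we allocate


def classify(buf):
    """Toy analysis stand-in (assumption, not Passfault's analyser). It works on
    the bytearray in place and never converts it to an immutable str."""
    classes = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for b in buf:
        if 97 <= b <= 122:
            classes["lower"] += 1
        elif 65 <= b <= 90:
            classes["upper"] += 1
        elif 48 <= b <= 57:
            classes["digit"] += 1
        else:
            classes["other"] += 1
    return {"length": len(buf), "classes": classes}


def handle(environ):
    """Process one request; returns (status, headers, body). Nothing about the
    password itself is written to any log or included in the response."""
    if environ.get("REQUEST_METHOD") != "POST":
        # GET is refused outright: a password in the query string would end up
        # in web-server and proxy access logs.
        return "405 Method Not Allowed", [("Allow", "POST")], b"POST only\n"
    if environ.get("wsgi.url_scheme") != "https":
        return "403 Forbidden", [], b"HTTPS required\n"
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    if not 0 < length <= MAX_PASSWORD_BYTES:
        return "400 Bad Request", [], b"body must be 1..256 bytes\n"

    buf = bytearray(length)
    try:
        # Read straight from the input stream into the mutable buffer (assumes
        # wsgi.input supports readinto); no str or bytes copy is ever created.
        with memoryview(buf) as view:
            got = 0
            while got < length:
                n = environ["wsgi.input"].readinto(view[got:])
                if not n:
                    return "400 Bad Request", [], b"short body\n"
                got += n
        result = classify(buf)
    finally:
        # Overwrite the buffer in place as soon as analysis is complete so the
        # password does not linger in this process's memory.
        buf[:] = bytes(length)
    body = json.dumps(result).encode()
    return "200 OK", [("Content-Type", "application/json")], body


def application(environ, start_response):
    """WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


def make_environ(method, scheme, body):
    """Constructed request environment for running the handler offline."""
    return {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}


if __name__ == "__main__":
    for env in (make_environ("GET", "https", b""),
                make_environ("POST", "http", b"Summer2015"),
                make_environ("POST", "https", b"Summer2015")):
        status, _, body = handle(env)
        print(status, body.decode().strip())
```

Two caveats a reviewer would raise: a managed runtime cannot guarantee that no copy of the buffer is ever made (the garbage collector and the I/O layer are outside the application's control), so wiping the buffer reduces exposure rather than eliminating it; and the HTTPS check here trusts `wsgi.url_scheme`, which is only meaningful when the front-end server sets it correctly, so in production the redirect or refusal belongs at the TLS terminator as well.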
Volunteers
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:
- Cam Morris
- New Jersey Institute of Technology students contributed to release 0.8 (Highlander):
  - Michael Glassman
  - Georgina Matias
  - Scott Sands
  - Brandon Lyew
  - Kevin Sealy
  - Llina Ljoljevski
- University of Florida students contributed to release 0.7 (Gator):
  - Neeti Pathak
  - Carlos Vasquez
  - Chelsea Metcalf
  - Yang Ou
Others
- Partnet Inc. has donated paid labor on OWASP Passfault
Release 0.8
Goal: preparation for ESAPI
- More meaningful word lists
  - Frequency lists: build lists of the most common words and names (done for English and Spanish)
- Improved configuration of finders and wordlists
Release 0.9
- UI improvements
- Fix backlog of issues
- Experiment with configuration of wordlists
Release 1.0
Goals: Enterprise Ready
- UI improvements for learning better password strategies
- Easier to configure and run, not requiring a developer to wire things up
Other Important Goals
- JavaScript library generated by GWT and GWT Exporter. Do you know GWT? Please help us build a JavaScript version of Passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/
- OS system integration:
  - Linux
    - running passwd on Linux runs Passfault
    - apt-get install passfault
  - Windows
- Document each pattern finder on the OWASP wiki.
- jQuery plugin: a jQuery plugin that will let a web site use either the Passfault applet or a Passfault JSON service to analyze a password.
- Wordlists: we can always use better word lists. Contact us on the mailing list if you want to help.
For current bugs and smaller tasks see the issues list on GitHub: https://github.com/c-a-m/passfault/issues?state=open