If anyone is still following this thread... =)

I've just updated the Google sheet above with significant changes. I was 
using the wrong values for PBKDF2-HMAC-SHA256 hash performance. I now have 
up-to-date hw costs and new evidence in play. Definitely worth having a 
look at the latest version. The up-side is PBKDF2 is significantly better 
than was previously calculated.

Enjoy!

On Monday, January 30, 2017 at 2:09:56 PM UTC-5, Martin Koistinen wrote:
>
> *IMPORTANT NOTICE:* I've just made an important change to the Google Docs 
> Sheet here: 
> https://docs.google.com/spreadsheets/d/16_KdYAW03sb86-w_AFFnM79IaTWQ7Ugx4T0VMfGteTM/edit?usp=sharing
>
> Realizing that most security policies make requirements such as "At least 
> 1 character must be a numeral", etc. for other character classes, I've 
> adjusted this sheet to take this into account *along with the resulting 
> reduction of password strength that comes with it.* I do recognize that 
> these symbol-requirements policies are there to force people to choose 
> passwords that use a broader set of symbols which has the desired effect of 
> raising password strength, but the actual, theoretical maximum entropy of 
> the resulting passwords is *significantly* lowered as a result.
>
> As a result, an 8-character password formed with at least 1 of each of 
> these sets:
>
>    - numerals (10);
>    - lower-case letters (26);
>    - upper-case letters (26);
>    - and punctuation symbols (10-ish);
>
> will offer *at most* 40.7 bits of entropy.
>
> Passwords of this level of strength, when used on a system that uses 30000 
> iterations of PBKDF2 will be quickly and easily cracked by virtually any 
> serious attacker. 100,000 iterations isn't really any better.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1731b228-94b4-4fa1-844f-e0dfcc5c43c4%40googlegroups.com.
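The entropy arithmetic in the quoted message, as an added example that is not part of the original post or its spreadsheet: it counts the policy's keyspace with one slot reserved per class (which reproduces the 40.7 bits quoted) and with the required symbols allowed in any position, then adds the PBKDF2 iteration cost. The function names are hypothetical; the punctuation set size of 10 and one HMAC-SHA256 call per iteration per guess are assumptions.

```python
"""Added example: keyspace of an 8-character password under a
'one of each class' policy, and what PBKDF2 iterations add on top."""
from itertools import combinations
from math import log2

# Class sizes as given in the quoted post; 10 punctuation symbols is the
# post's own approximation ("10-ish").
CLASSES = {"digits": 10, "lower": 26, "upper": 26, "punct": 10}
LENGTH = 8


def reserved_slot_count(classes=CLASSES, length=LENGTH):
    """One fixed position per required class, remaining positions free."""
    alphabet = sum(classes.values())
    count = alphabet ** (length - len(classes))
    for size in classes.values():
        count *= size
    return count


def policy_count(classes=CLASSES, length=LENGTH):
    """Strings with at least one symbol of every class, in any position,
    counted by inclusion-exclusion over the sets of missing classes."""
    alphabet = sum(classes.values())
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def work_bits(keyspace, iterations):
    """log2 of HMAC invocations to exhaust the keyspace, assuming one
    PBKDF2 output block per guess (derived key no longer than the hash)."""
    return log2(keyspace) + log2(iterations)


if __name__ == "__main__":
    for name, n in [("reserved slots", reserved_slot_count()),
                    ("any position", policy_count()),
                    ("no policy", sum(CLASSES.values()) ** LENGTH)]:
        print(f"{name:15s} {log2(n):5.1f} bits  "
              f"30000 it: {work_bits(n, 30000):5.1f}  "
              f"100000 it: {work_bits(n, 100000):5.1f}")
```

Under either count, going from 30000 to 100000 iterations adds log2(100000/30000), about 1.7 bits, to the attacker's work.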