帮助计算密码熵(和实用性)

发布于 2024-09-09 01:00:16 字数 747 浏览 13 评论 0原文

这是一个由两部分组成的问题:

第 1 部分

首先,处理在 PHP 中计算密码的熵。我一直无法找到任何在经验上合理的代码示例,并且非常希望获得一些帮助来找到计算最终数字的“正确”方法。网上很多人都有自己的自制加权算法,但我真的在寻找方程式的科学答案。

我将使用密码熵作为更大安全系统的一部分,并作为一种根据用户密码泄露时可访问的信息以及暴力破解密码的难易程度来分析整体数据安全性的一种方法。

第二部分

这个问题的第二部分是:这个数字到底有多大用处?我的最终目标是为系统中的每个密码生成一个“分数”,我们可以用它来监控作为动态实体的整体系统安全性。我可能需要使用另一种或两种算法来进行字典攻击、l33t 替换密码等,但我确实认为熵将在这种“整体”系统评级中发挥重要作用。不过,我确实欢迎对其他方法的建议。

我所知道的

我已经看到一些提及计算所述熵的对数方程,但我还没有看到一个实际上没有写成数学方程的好例子。我真的可以使用代码示例(即使不是严格使用 PHP)来帮助我继续。

扩展

在发表评论时,我意识到我可以更好地解释此计算的有用性。当我在用户密码极弱的遗留系统上工作时,我必须有一些具体的证据证明该弱点,然后才能强制所有用户将密码更改为新的(强制)强密码。通过在系统中存储每个用户帐户的密码强度分数,我可以构建几个不同的指标来显示整体系统的弱点并为更强的密码提供理由。

TIA

This is a two part question:

Part 1

First, dealing with calculating the entropy of a password in PHP. I have been unable to find any code examples that are empirically sound and would really like some help in finding the 'right' way to calculate a final number. A lot of folks on the net have their own home-baked weighting algorithm, but I am really looking for the scientific answer to the equation.

I will be using the password entropy as just one part of a larger security system and as a way to analyze our overall data security based on information accessible if a user's password is compromised and how easily a password may be broken by brute force.

Part 2

The second part of this question is: how useful will this number really be? My end goal is to generate a 'score' for each password in the system that we can use to monitor our overall system security as a dynamic entity. I will probably have to work in another algorithm or two for dictionary attacks, l33t replacement passwords, etc--but I do feel that entropy will play an important role in such an 'overall' system rating. I do welcome suggestions for other approaches though.

What I Know

I have seen some mention of logarithmic equations to calculate said entropy, but I have yet to see a good example that isn't actually written as a mathematical equation. I could really use a code example (even if not strictly in PHP) to get me going.

Extension

In making a comment I realized that I can better explain the usefulness of this calculation. When I am working on legacy systems where users have extremely weak passwords I have to have some concrete evidence of that weakness before I can make a case for forcing all users to change their passwords to a new (enforced) strong password. By storing a password strength score for each user account in the system I can build several different metrics to show overall system weakness and make a case for stronger passwords.

TIA

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

半山落雨半山空 2024-09-16 01:00:16

字符串的熵有一个正式的定义:
http://en.wikipedia.org/wiki/Entropy_(information_theory)

有什么用这个值会是多少?这取决于。
下面是我为分配所做的计算熵的方法(在 Java 中):

public static double entropy() {
   double h = 0, p;
   for (int i = 0; i < count.size(); i++){
      p = count.get(i)/(totalChars*1.0);
      h -= p*Math.log(p)/Math.log(2);
   }
   return h;
}

count 是一个 Map,其中 (key, value) 对应于 (char, countForChar)。这显然意味着您必须在调用此方法之前处理该字符串。

编辑 2:这是用 PHP 重写的相同方法。

function entropy($string) {
   $h=0;
   $size = strlen($string);
   foreach (count_chars($string, 1) as $v) {
      $p = $v/$size;
      $h -= $p*log($p)/log(2);
   }
   return $h;
}

编辑 3:密码强度比熵更重要。熵是关于不确定性的;这并不一定意味着更安全。例如:

"akj@!0aj" 的熵为 2.5,而 "password" 的熵为 2.75

Entropy of a string has a formal definition specified here:
http://en.wikipedia.org/wiki/Entropy_(information_theory)

How useful that value is going to be? It depends.
Here's a method (in Java) to calculate entropy I made for an assignment:

public static double entropy() {
   double h = 0, p;
   for (int i = 0; i < count.size(); i++){
      p = count.get(i)/(totalChars*1.0);
      h -= p*Math.log(p)/Math.log(2);
   }
   return h;
}

count is a Map where (key, value) corresponds to (char, countForChar). This obviously means you have to process the string before you call this method.

EDIT 2: Here's the same method, rewritten in PHP

function entropy($string) {
   $h=0;
   $size = strlen($string);
   foreach (count_chars($string, 1) as $v) {
      $p = $v/$size;
      $h -= $p*log($p)/log(2);
   }
   return $h;
}

EDIT 3: There's a lot more to password strength than entropy. Entropy is about uncertainty; which doesn't necessarily translate to more security. For example:

Entropy of "akj@!0aj" is 2.5, while the entropy of "password" is 2.75

蝶舞 2024-09-16 01:00:16

强制熵达到一定水平是 CWE-521 的要求。

(1) 最小和最大长度;
(2) 需要混合字符集(字母、数字、特殊、大小写混合);
(3) 不包含用户名;
(4) 到期;
(5) 密码不得重复使用。

Forcing a certain level of entropy is a requirement of CWE-521.

(1) Minimum and maximum length;
(2) Require mixed character sets (alpha,numeric, special, mixed case);
(3) Do not contain user name;
(4) Expiration;
(5) No password reuse.

音栖息无 2024-09-16 01:00:16

要使用熵,您不仅需要获取单个密码的香农熵,还需要获取通用密码列表中的元素。如果一个密码与其他密码非常相似,那么与其他密码相比,它的熵会很低。如果它非常独特,它会更高。

To use entropy you need to not just get the Shannon Entropy of a single password, but as an element in a list of common passwords. If a password is very much like other passwords then its entropy will be low compared to other passwords. If its very unique it will be higher.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文