
Analysis (ideas)

Hubert Kario edited this page Apr 26, 2017 · 3 revisions

Differences between password checking libraries (PCLs).

  • Example: 2 of 3 PCLs accept the input password, but the third one rejects it.

  • Example: 2 of 3 PCLs reject the input password, but the third one accepts it.

  • Useful information:

    • Get the transformations that were applied to the password -> transformations that confuse a PCL
    • Compare the outputs of the PCLs -> example outputs: Password is too short, Not enough different characters
    • If no transformations were applied to the password -> analyze the password itself (find the transformations the password may already contain)
      • Example: input password h3ll0 (hello) -> simple l33t table
      • Example: input password hockey -> dictionary word
  • Information we can work with:

    • original (input) password
    • output of the password checking library for the original password
    • transformations (if used), the transformed password, the PCL output for the transformed password and the list of applied transformations

Get the password with the lowest entropy that is accepted by the PCL.

  • How to do this?
    • Take a list of dictionary words, check each word with the PCL, and keep the accepted password with the lowest entropy.
    • Take a list of dictionary words, apply simple transformations (ones that change the entropy minimally), then check the results with the PCL and keep the accepted password with the lowest entropy.

Get the password with the highest entropy that is rejected by the PCL.

  • How to do this?
    • Apply a random transformation to the password and check the result with the PCL
      • if the PCL output is OK, apply another transformation
      • if the output is not OK, try the next random transformation
    • Repeat. Stop after a few iterations and choose the password with the highest entropy that was rejected by the PCL.

Already implemented analyses:

  • List of passwords: original passwords were accepted, but the transformed passwords were rejected by the PCL.
  • List of passwords: original passwords were rejected, but the transformed passwords were accepted by the PCL.
  • List of passwords: neither the original nor the transformed passwords pass the PCL, but the reason for rejection changed.
  • List of original & transformed passwords with a low entropy (lower than 36.0) that were accepted by the PCL.
  • List of original & transformed passwords with a high entropy (higher than 60.0) that were rejected by the PCL.
  • Transformed passwords with a simple transformation that were accepted.
  • Overall summary: xx percent of transformed passwords were accepted; most common reason for rejection.
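The analyses above (differential check across PCLs, the accepted/rejected categories for original vs. transformed passwords, and the lowest-entropy-accepted / highest-entropy-rejected search) as an added example; this is not code from this wiki or the project, and it assumes two constructed stand-in checkers (pcl_strict, pcl_lenient), a constructed transformation set and a rough length-times-charset entropy estimate in place of real PCLs and a real entropy model.

```python
import math
# Constructed stand-ins for two password checking libraries (PCLs); each returns
# (accepted, reason). Real checkers (cracklib, passwdqc, ...) would be wrapped the same way.
def pcl_strict(pw):
    if len(pw) < 8:
        return (False, "Password is too short")
    if sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit)) < 2:
        return (False, "Not enough different characters")
    return (True, "OK")
def pcl_lenient(pw):
    return (True, "OK") if len(pw) >= 6 else (False, "Password is too short")
PCLS = {"strict": pcl_strict, "lenient": pcl_lenient}

# Simple transformations (constructed set) that change the entropy only a little.
TRANSFORMATIONS = {
    "l33t": lambda pw: pw.translate(str.maketrans("aeio", "4310")),
    "append_digit": lambda pw: pw + "1",
    "double": lambda pw: pw + pw,
    "strip_vowels": lambda pw: "".join(c for c in pw if c not in "aeiou"),
}

def entropy(pw):
    """Rough entropy in bits: length * log2(size of the character classes present)."""
    space = sum(n for n, test in ((26, str.islower), (26, str.isupper), (10, str.isdigit),
                                  (33, lambda c: not c.isalnum())) if any(test(c) for c in pw))
    return len(pw) * math.log2(space) if space else 0.0

def verdicts(pw, pcls=PCLS):
    """Differential check: each PCL's (accepted, reason) for the same input password."""
    return {name: pcl(pw) for name, pcl in pcls.items()}

def classify(original, transformed, pcl):
    """Which category an original/transformed pair falls into under one PCL."""
    o_ok, o_reason = pcl(original)
    t_ok, t_reason = pcl(transformed)
    if o_ok != t_ok:
        return "accepted->rejected" if o_ok else "rejected->accepted"
    if not o_ok and o_reason != t_reason:
        return "reason changed"
    return "unchanged"

def extremes(words, pcl, transformations=TRANSFORMATIONS):
    """Lowest-entropy accepted and highest-entropy rejected password among the words and
    each single transformation of them (deterministic stand-in for the random iteration)."""
    candidates = set(words) | {t(w) for w in words for t in transformations.values()}
    accepted = [w for w in candidates if pcl(w)[0]]
    rejected = [w for w in candidates if not pcl(w)[0]]
    return (min(accepted, key=entropy) if accepted else None,
            max(rejected, key=entropy) if rejected else None)
```

Running extremes over a constructed word list such as ["hello", "hockey", "password"] with pcl_strict yields p4ssw0rd as the lowest-entropy accepted and passwordpassword (about 75 bits, only lowercase) as the highest-entropy rejected password, which is exactly the kind of pair the lists above are meant to surface.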