table of contents
Data::Password::zxcvbn::TimeEstimate(3pm) | User Contributed Perl Documentation | Data::Password::zxcvbn::TimeEstimate(3pm) |
NAME¶
Data::Password::zxcvbn::TimeEstimate - functions to estimate cracking times
VERSION¶
version 1.0.4
SYNOPSIS¶
use Data::Password::zxcvbn::TimeEstimate qw(estimate_attack_times); my $estimates = estimate_attack_times($number_of_guesses);
DESCRIPTION¶
This module provides functions for back-of-the-envelope crack time estimations, in seconds, based on a few scenarios.
FUNCTIONS¶
"estimate_attack_times"¶
my $estimates = estimate_attack_times($number_of_guesses);
Returns a hashref with two keys:
- •
- "crack_times_seconds"
hashref of back-of-the-envelope crack time estimations, in seconds, based on a few scenarios:
- "online_throttling_100_per_hour"
online attack on a service that rate-limits authentication attempts
- "online_no_throttling_10_per_second"
online attack on a service that doesn't rate-limit, or where an attacker has outsmarted rate-limiting.
- "offline_slow_hashing_1e4_per_second"
offline attack. assumes multiple attackers, proper user-unique salting, and a slow hash function with moderate work factor, such as bcrypt, scrypt, PBKDF2.
- "offline_fast_hashing_1e10_per_second"
offline attack with user-unique salting but a fast hash function like SHA-1, SHA-256 or MD5. A wide range of reasonable numbers anywhere from one billion - one trillion guesses per second, depending on number of cores and machines; ball-parking at 10B/sec.
- •
- "crack_times_display"
same keys as "crack_times_seconds", but more useful for display: the values are arrayrefs "["english string",$value]" that can be passed to I18N libraries like "Locale::Maketext" to get localised versions with proper plurals
"guesses_to_score"¶
my $score = guesses_to_score($number_of_guesses);
Returns an integer from 0-4 (useful for implementing a strength bar):
- 0
too guessable: risky password. ("guesses < 10e3")
- 1
very guessable: protection from throttled online attacks. ("guesses < 10e6")
- 2
somewhat guessable: protection from un-throttled online attacks. ("guesses < 10e8")
- 3
safely un-guessable: moderate protection from offline slow-hash scenario. ("guesses < 10e10")
- 4
very un-guessable: strong protection from offline slow-hash scenario. ("guesses >= 10e10")
"display_time"¶
my ($string,@values) = @{ display_time($time) }; print My::Localise->get_handle->maketext($string,@values);
Given a $time in seconds, returns an arrayref suitable for "Locale::Maketext", like:
[ 'quant,_1,day', 23 ]
AUTHOR¶
Gianni Ceccarelli <gianni.ceccarelli@broadbean.com>
COPYRIGHT AND LICENSE¶
This software is copyright (c) 2018 by BroadBean UK, a CareerBuilder Company.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
2020-07-13 | perl v5.30.3 |