Diffstat (limited to 'docs.html')
-rw-r--r--  docs.html  58
1 files changed, 38 insertions, 20 deletions
diff --git a/docs.html b/docs.html
index f441b5e..2d29fd6 100644
--- a/docs.html
+++ b/docs.html
@@ -27,21 +27,39 @@
<div class="container">
<h1>Password Score</h1>
</div>
- <hr>
<div class="container">
- <ul class="nav nav-pills">
- <li><a href="index.html">Demo</a></li>
- <li class="active"><a href="#">Documentation</a></li>
- </ul>
+ <div class="row">
+ <div class="col-md-8">
+ <hr>
+ <ul class="nav nav-pills">
+ <li><a href="index.html">Demo</a></li>
+ <li class="active"><a href="#">Documentation</a></li>
+ </ul>
+ <hr>
+ <h2><a id="introduction"></a>Introduction</h2>
+
+ <p>
+ Password Score is designed to give a realistic estimation of the strength of a password. When speaking of &quot;strength&quot; we must ask for a measure. A common measure for this purpose is based on information theory and called entropy. We will define the entropy of a password as follows: when $N$ is the number of guesses needed to crack a password with certainty the entropy is given by the base-2 logarithm of $N$.
+ </p>
+ </div>
+ <div class="col-md-4">
+ <div class="well well-sm">
+ <ul class="nav nav-list">
+ <li><a href="#introduction">Introduction</a></li>
+ <li><a href="#pattern-matching">Pattern Matching</a></li>
+ <li><a href="#dictionaries">Dictionaries</a></li>
+ <li><a href="#keyboard-patterns">Keyboard Patterns</a></li>
+ <li><a href="#dates">Dates</a></li>
+ <li><a href="#leet-speak">1337 - Leet Speak</a></li>
+ <li><a href="#sequences-repititions">Sequences and Repititions</a></li>
+ <li><a href="#data-sources">Data Sources</a></li>
+ <li><a href="#license">License</a></li>
+ </ul>
+ </div>
+ </div>
+ </div>
</div>
- <hr>
<div class="container">
- <h2>Introduction</h2>
-
- <p>
- Password Score is designed to give a realistic estimation of the strength of a password. When speaking of &quot;strength&quot; we must ask for a measure. A common measure for this purpose is based on information theory and called entropy. We will define the entropy of a password as follows: when $N$ is the number of guesses needed to crack a password with certainty the entropy is given by the base-2 logarithm of $N$.
- </p>
-
<p>
A naive approach of estimating the number of guesses needed is using a brute-force approach. Given a password $p$ we take $N := n^{|p|}$ where $|p|$ is the length of $p$ and $n$ is the number of possible characters. The brute-force approach simply tries all possible combinations of $|p|$ characters. But due to human nature assuming a password to be a random sequence of characters is far to idealisitc. Most of us tend to choose passwords made up of common words, names, special numbers - passwords which are easy to remember. So the naive approach highly overestimates the strength of a password.
</p>
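Review bot: the two-column layout introduced in this hunk only wraps the first Introduction paragraph in `col-md-8`; the paragraphs that follow (from `A naive approach of estimating ...` onward) remain in the old full-width `container`, so the text width changes after one paragraph and the side navigation `well` ends before the content it links to. Either move the rest of the documentation into the `col-md-8` column or close the row after the nav pills and keep the table of contents elsewhere. Also, the new table-of-contents entry reads `Sequences and Repititions`; the spelling is `Repetitions`, and because the `#sequences-repititions` fragment must match the heading's anchor id, fix the link text, the href and the id together.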
@@ -50,7 +68,7 @@
Therefore every password cracking software uses dictionaries, lists of common passwords and names to give better performance. Password Score will search a given password for common words, passwords or names - or in general Password Score searches for <i>patterns</i> within the password. Other possible patterns are keyboard patterns like `qwerty` or sequences like `1234`. Instead of using random numbers we tend to use numbers which have a meaning like dates - birthdays or anniversaries of any kind.
</p>
- <h2>Pattern Matching</h2>
+ <h2><a id="pattern-matching"></a>Pattern Matching</h2>
<p>
To use Password Score simply fetch a password and create a <code>new Score()</code>:
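Review bot: the empty `<a id="pattern-matching"></a>` inside the heading works, but an `id` on the `<h2>` itself (`<h2 id="pattern-matching">Pattern Matching</h2>`) is simpler, keeps an empty inline element out of the heading text, and is the form the same change repeated for the remaining section headings should use.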
@@ -100,7 +118,7 @@ console.log(score.calculateEntropyScore());
Based on the given options Password Score searches the password for all patterns it can find based on the given resources and calculates the entropy for all the patterns. Given a password consisting of $k$ non-overlapping patterns $p = p_1 \ldots p_k$ the entropy of $p$ is assumed to be the sum of the pattern entropies. Because we may have multiple overlapping patterns we then try to minimize the overall entropy as to underestimate the password rather than to overestimate it.
</p>
- <h2>Dictionaries</h2>
+ <h2><a id="dictionaries"></a>Dictionaries</h2>
<p>
As seen above Password Score can be configured to match against a given dictionary the following way:
@@ -149,7 +167,7 @@ var commonPasswords = {
As mentioned above the scoring value will be used to determine the entropy by simply taking the base-2 logarithm. We will use the scoring value as to differentiate between very common patterns and less common patterns - <code>password</code> is the most ocmmon password whereas <code>d9ebk7</code> is not that common.
</p>
- <h2>Keyboard Patterns</h2>
+ <h2><a id="keyboard-patterns"></a>Keyboard Patterns</h2>
<p>
<code>qwerty</code> will always be within the top ten of the most common passwords simply because it is easy to remember on the corresponding keybaord. We will assume a keyboad pattern to be a path on the keyboard when considered as undirected graph. They QWERTY and QWERTZ keyboards are already given by <code>keyboard.js</code>:
@@ -178,7 +196,7 @@ var options = {
Theoretically the entropy of a keyboad pattern is given by the number of possible beginnings multiplied by the number of possible next characters for each character within the pattern.
</p>
- <h2>Dates</h2>
+ <h2><a id="dates"></a>Dates</h2>
<p>
Dates are hard to catch because they may occur in many different formats. They may consist only of a day and a month or only of a month and a year. Years on its own are common, too - my first passwords contained the last two digits of my birthyear. Fortunately regular expressions can used to scan efficiently for the different formats of dates:
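Review bot: the unchanged line right after the new heading says the entropy of a keyboard pattern "is given by the number of possible beginnings multiplied by the number of possible next characters"; by the definition in the Introduction that product is the number of guesses $N$, and the entropy is its base-2 logarithm. Not part of this change, but worth correcting while the section is being touched, together with the `keyboad`/`keybaord` typos on the same lines.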
@@ -200,7 +218,7 @@ var options = {
The number of possible dates is dependant on the format. In general we simply take $31 \cdot 12 \cdot y$ where $y$ is the number of years to consider. When assuming $y$ to be too large we will not get any difference from considering a random eight (or six) digit number with $10^8$ respectively $10^6$ possible combinations. Thererfore choosing $y$ to be around $100$ or $200$ will be a good and realistic choice.
</p>
- <h2>1337 - Leet Speak</h2>
+ <h2><a id="leet-speak"></a>1337 - Leet Speak</h2>
<p>
Using a leet speak translation table Password Score can search dictionaries for words which occur in leet speak within the password. This translation table looks like this:
@@ -243,7 +261,7 @@ leet = {
Given a word in leet speak Password Score generates a list of all possible substitutions using the translation table. All possible substitutions are matched against a given dictionary. The entropy can be calculated by determining the number of possible leet speak versions of the dictionary word.
</p>
- <h2>Sequences and Repititions</h2>
+ <h2><a id="sequences-repititions"></a>Sequences and Repititions</h2>
<p>
Password Score searches for number sequences and substrings of the alphabet. Reversed sequences are checked, too. The entropy of a sequence is only influenced by the possiblities for the first character and the length.
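Review bot: the new anchor id `sequences-repititions` bakes the misspelling of `Repetitions` into the URL fragment. Rename it to `sequences-repetitions` and update the matching `href` in the navigation list added in the first hunk, since the two must agree for the link to resolve; the heading text on the same line has the same typo.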
@@ -253,7 +271,7 @@ leet = {
The entropy of single character repitions is determined the same way as for sequences. When repeating multiple characters the entorpy is determined by the length of the sequence to be repeated and the number of repititions.
</p>
- <h2>Data Sources</h2>
+ <h2><a id="data-sources"></a>Data Sources</h2>
<p>
As Password Score works best when using in combination with usual dictionaries, list of common passwords and names it already includes some raw data:
@@ -271,7 +289,7 @@ leet = {
For using the raw data a simple PHP script can be used to generate JSON files with the appropriate format.
</p>
- <h2>License</h2>
+ <h2><a id="license"></a>License</h2>
<p>
This project is licensed under the BSD 3-Clause license: