OWASP Passfault


OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!


Introduction

OWASP Passfault is more ...

Accurate 
Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies
Informative 
Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.
Simple 
Presents the password strength as the "time to crack" to help communicate the risk of poor passwords, providing the incentive to create stronger passwords.
Powerful 
Empowers administrators to know and control the strength and risk of the organization's passwords.


Description

When setting a password, OWASP Passfault examines the password, looking for common patterns. It then measures the size of the patterns and of combinations of patterns. The end result is a more rigorous and accurate measurement of password strength.

When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: the number of passwords found in the password patterns. This measurement is made more intuitive and meaningful with an estimated time to crack.
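As an added illustration of the approach described above (not Passfault's own code; the word list, pattern sizes and guessing rate are constructed assumptions), the following Python finds every pattern that could explain part of a password, picks the cheapest combination of patterns that covers the whole of it, and converts the resulting search-space size into a time-to-crack estimate:

```python
import math

# Constructed toy word list; Passfault ships much larger frequency-ranked lists.
WORDS = {"password", "summer", "love", "admin", "dragon", "monkey"}
WORDLIST_SIZE = 50_000        # assumed size of the list a matched word came from
CHARSET = 95                  # printable ASCII, used by the "random" fallback
GUESSES_PER_SECOND = 1e9      # assumed offline guessing rate for the estimate


def candidate_patterns(pw):
    """Yield (start, end, name, size) for every way a substring can be explained.
    `size` is how many passwords fit the pattern, so a dictionary word costs the
    word-list size (times 2 for capitalisation), not CHARSET ** len(word).
    The sizes are rough, constructed values for illustration only."""
    n = len(pw)
    for i in range(n):
        for j in range(i + 1, n + 1):
            s = pw[i:j]
            if s.lower() in WORDS:
                yield i, j, "word", WORDLIST_SIZE * 2
            if len(s) >= 2 and s.isdigit():
                yield i, j, "digits", 10 ** len(s)
            if len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:])):
                yield i, j, "sequence", CHARSET * 2 * 10   # start, direction, length
            if len(s) >= 3 and len(set(s)) == 1:
                yield i, j, "repeat", CHARSET * 10         # character, length
            if j - i == 1:
                yield i, j, "random", CHARSET              # fallback: any character


def analyze(pw):
    """Cheapest segmentation of pw into patterns: an attacker searches the smallest
    space that still contains the password, so strength is the minimum product."""
    n = len(pw)
    best = [None] * (n + 1)        # best[k] = (size, parts) for the prefix pw[:k]
    best[0] = (1, [])
    # Processing candidates by end position makes best[i] final before it is used.
    for i, j, name, size in sorted(candidate_patterns(pw), key=lambda c: c[1]):
        if best[i] is None:
            continue
        total = best[i][0] * size
        if best[j] is None or total < best[j][0]:
            best[j] = (total, best[i][1] + [(pw[i:j], name, size)])
    total, parts = best[n]
    return {"parts": parts, "total": total, "bits": math.log2(total),
            "seconds_to_crack": total / GUESSES_PER_SECOND}


if __name__ == "__main__":
    for pw in ("password123", "aaaa1234", "xq7!Lm9@"):
        r = analyze(pw)
        print(pw, [p[1] for p in r["parts"]], f"{r['bits']:.1f} bits",
              f"{r['seconds_to_crack']:.3g} s")
```

With these constructed sizes, "password123" is explained as word + digits (about 27 bits), far cheaper than the 52 bits a character-class policy would credit it with, which is the gap Passfault's pattern measurement is meant to expose.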


Licensing

OWASP Passfault is free to use. It is licensed under the Apache License version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt).

What is Passfault?

OWASP Passfault provides:

  • Password Strength Evaluation
  • Password Policy Replacement


Presentation

Presentation given at OWASP SnowFROC 2012 in Denver.


Articles

  • "Your Passwords don't Suck, it's your Policies" - ZDNet
  • "Redefining Password Strength and Creation" - MidsizeInsider, IBM
  • "For Better Password Policies" - Turnlevel, Partnet
  • "How long would it take to crack your password" - Naked Security, Sophos


Quick Download

[downloads]


Demo Page

[demo site]


Project Leader

Cam Morris


Related Projects


Classifications

Incubator project; Builders and Defenders; Apache licensed; project type: code.

Demo Site

Does the Demo Site capture or log passwords?
No, of course not.
How can I be sure the Demo Site doesn't capture or log passwords?
You can't. There is no way to verify what is uploaded to appspot (Google is hosting the demo site). However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:
    • GETs are blocked, so no URLs containing accidentally submitted passwords end up in the logs.
    • Passwords are read directly from the input stream, so they are never parsed into immutable Java Strings.
    • The memory holding the password is cleared as soon as analysis is complete.
    • HTTPS is required on this URL (using the appspot domain).

To be extra cautious, download the code and execute it locally (see the README): https://github.com/c-a-m/passfault/blob/master/README.txt

Volunteers

OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Cam Morris
  • University of Florida Students:
    • Neeti Pathak
    • Carlos Vasquez
    • Chelsea Metcalf
    • Yang Ou

Others

  • Partnet Inc. has donated paid labor on OWASP Passfault

Release 0.8

Goal: preparation for ESAPI

  • More meaningful word lists
    • Frequency lists: build lists of the most common words, names
  • ESAPI Authenticator Decorator
    • Implement an ESAPI Authenticator that wraps an existing authenticator and uses Passfault to implement the "verifyPasswordStrength" method.
    • A volunteer team from the University of Florida has built this. All that remains is to get it into ESAPI.

Release 1.0

Goal: Enterprise Ready, working with ESAPI

Other Important Goals

  • JavaScript library generated by GWT and GWT Exporter. Do you know GWT? Please help us build a JavaScript version of Passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/
  • Document each pattern finder on the OWASP wiki.
  • jQuery plugin: a jQuery plugin that will let a web site use either the Passfault applet or a Passfault JSON service to analyze a password.
  • Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.

For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open

