Authentication Flaws - Password Strength doesn't accept unix estimations from the recommended site

Question

Authentication Flaws - Password Strength doesn't accept unix estimations from the recommended site

Closed this issue 8 years ago · 2 comments

GoogleCodeExporter commented 8 years ago

What steps will reproduce the problem?
1. use website https://www.cnlab.ch/codecheck/check.php for Unix estimations
2. enter Unix estimations as answers
3. it will fail

What is the expected output? What do you see instead?
Actually windows and Unix estimations differ only in estimation for abzfez.

What version of the product are you using? On what operating system?
WebGoat 5.3 RC1. Fedora 14

Please provide any additional information below.
I would recommend to change the form with answers in such a way that 
answers are more universal and not so much bind with one solution.
Assuming the brute-force power of 1 000 000 hash/second the answers should be:
1) 123456 - 0 seconds        (dictionary based, one of top 100)
2) abzfez - up to 5 minutes  ( 26 chars on 6 positions = 26^6 seconds)
3) a9z1ez - up to 40 minutes ( 26+10 chars on 6 positions = 36^6 seconds)
4) aB8fEz - up to 16 hours   ( 26+26+10 chars on 6 positions = 62^6 seconds)
5) z8!E?7 - up to 50 days    ( 127 chars on 6 positions = 127^6 seconds)

Best regards
Michal Ambroz

Original issue reported on code.google.com by michal.a...@gmail.com on 19 Apr 2011 at 2:39

Answer 1 · 2016-02-17T22:53:31.000Z

Original comment by mayhe...@gmail.com on 19 Apr 2011 at 2:44

Changed state: Accepted
Added labels: Type-Other
Removed labels: Type-Defect

Answer 2 · 2016-02-17T22:53:31.000Z

Added your text as a guideline upon lesson completion

Original comment by mayhe...@gmail.com on 23 Apr 2012 at 1:24

Changed state: Fixed