Authentication Flaws - Password Strength doesn't accept unix estimations from the recommended site
Closed this issue · 2 comments
GoogleCodeExporter commented
What steps will reproduce the problem?
1. Use the website https://www.cnlab.ch/codecheck/check.php for Unix estimations
2. Enter the Unix estimations as answers
3. It will fail
What is the expected output? What do you see instead?
Actually, the Windows and Unix estimations differ only in the estimation for abzfez.
What version of the product are you using? On what operating system?
WebGoat 5.3 RC1. Fedora 14
Please provide any additional information below.
I would recommend changing the form with answers in such a way that the
answers are more universal and not so tightly bound to one solution.
Assuming a brute-force power of 1 000 000 hashes/second, the answers should be:
1) 123456 - 0 seconds (dictionary based, one of top 100)
2) abzfez - up to 5 minutes (26 chars on 6 positions = 26^6 seconds)
3) a9z1ez - up to 40 minutes (26+10 chars on 6 positions = 36^6 seconds)
4) aB8fEz - up to 16 hours (26+26+10 chars on 6 positions = 62^6 seconds)
5) z8!E?7 - up to 50 days (127 chars on 6 positions = 127^6 seconds)
Best regards
Michal Ambroz
Original issue reported on code.google.com by michal.a...@gmail.com
on 19 Apr 2011 at 2:39
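
Added example, not part of the original issue or of WebGoat's code: a small Python estimator that reproduces the figures in the report above under its own assumptions (1 000 000 guesses per second, alphabet sizes of 26, 36, 62 and 127). The function names and the one-entry dictionary are constructed for illustration.

```python
import string

# Constructed stand-in for a "top 100" list; holds only the entry the issue names.
COMMON_PASSWORDS = {"123456"}
RATE = 1_000_000  # guesses per second, the rate assumed in the issue


def alphabet_size(password):
    """Smallest alphabet, in the issue's terms, that covers the password."""
    if any(c not in string.ascii_letters + string.digits for c in password):
        # The issue's figure once symbols appear (printable ASCII alone is 95).
        return 127
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    return size


def worst_case_seconds(password, rate=RATE):
    """Seconds needed to try every candidate of the same length and alphabet."""
    if password in COMMON_PASSWORDS:
        return 0.0  # dictionary hit, found before exhaustive search starts
    return alphabet_size(password) ** len(password) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, length in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def report(passwords):
    return {p: humanize(worst_case_seconds(p)) for p in passwords}


if __name__ == "__main__":
    for pw, t in report(["123456", "abzfez", "a9z1ez", "aB8fEz", "z8!E?7"]).items():
        print(f"{pw}: up to {t}")
```

The exact values come out slightly below the rounded upper bounds in the report, because the report rounds each figure up to a convenient unit.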
GoogleCodeExporter commented
Original comment by mayhe...@gmail.com
on 19 Apr 2011 at 2:44
- Changed state: Accepted
- Added labels: Type-Other
- Removed labels: Type-Defect
GoogleCodeExporter commented
Added your text as a guideline upon lesson completion
Original comment by mayhe...@gmail.com
on 23 Apr 2012 at 1:24
- Changed state: Fixed