NAME
Data::Password::zxcvbn::TimeEstimate - functions to estimate cracking times
VERSION
version 1.0.6
SYNOPSIS
use Data::Password::zxcvbn::TimeEstimate qw(estimate_attack_times);
my $estimates = estimate_attack_times($number_of_guesses);
DESCRIPTION
This module provides functions for back-of-the-envelope crack time estimations, in seconds, based on a few scenarios.
FUNCTIONS
estimate_attack_times
my $estimates = estimate_attack_times($number_of_guesses);
Returns a hashref with two keys:
crack_times_seconds
hashref of back-of-the-envelope crack time estimations, in seconds, based on a few scenarios:
online_throttling_100_per_hour
online attack on a service that rate-limits authentication attempts
online_no_throttling_10_per_second
online attack on a service that doesn't rate-limit, or where an attacker has outsmarted rate-limiting.
offline_slow_hashing_1e4_per_second
offline attack. assumes multiple attackers, proper user-unique salting, and a slow hash function with moderate work factor, such as bcrypt, scrypt, PBKDF2.
offline_fast_hashing_1e10_per_second
offline attack with user-unique salting but a fast hash function like SHA-1, SHA-256 or MD5. A wide range of reasonable numbers anywhere from one billion - one trillion guesses per second, depending on number of cores and machines; ball-parking at 10B/sec.
crack_times_display
same keys as
crack_times_seconds
, but more useful for display: the values are arrayrefs["english string",$value]
that can be passed to I18N libraries likeLocale::Maketext
to get localised versions with proper plurals
guesses_to_score
my $score = guesses_to_score($number_of_guesses);
Returns an integer from 0-4 (useful for implementing a strength bar):
0
too guessable: risky password. (
guesses < 10e3
)1
very guessable: protection from throttled online attacks. (
guesses < 10e6
)2
somewhat guessable: protection from un-throttled online attacks. (
guesses < 10e8
)3
safely un-guessable: moderate protection from offline slow-hash scenario. (
guesses < 10e10
)4
very un-guessable: strong protection from offline slow-hash scenario. (
guesses >= 10e10
)
display_time
my ($string,@values) = @{ display_time($time) };
print My::Localise->get_handle->maketext($string,@values);
Given a $time
in seconds, returns an arrayref suitable for Locale::Maketext
, like:
[ 'quant,_1,day', 23 ]
AUTHOR
Gianni Ceccarelli <gianni.ceccarelli@broadbean.com>
COPYRIGHT AND LICENSE
This software is copyright (c) 2022 by BroadBean UK, a CareerBuilder Company.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.