===Strength of Authentication Mechanism===

In FIPS mode, the NSS cryptographic module imposes the following requirements on the password.

* The password must be at least '''seven''' characters long.

* The password must consist of characters from '''three or more character classes'''. We define five character classes: digits (0-9), ASCII lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric characters (such as space and punctuation marks), and non-ASCII characters. If an ASCII uppercase letter is the first character of the password, the uppercase letter is not counted toward its character class. Similarly, if a digit is the last character of the password, the digit is not counted toward its character class.
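The two rules above, written out as an added Python check (this is illustrative code, not NSS's own implementation, which is in C). It classifies each character into one of the five classes defined above, applies the two exceptions (a leading ASCII uppercase letter and a trailing digit are not counted), and then enforces the minimum length and the three-class minimum. ASCII control characters are treated here as "ASCII non-alphanumeric", which is an assumption the page does not spell out.

```python
import string

MIN_LENGTH = 7      # "at least seven characters long"
MIN_CLASSES = 3     # "three or more character classes"


def character_classes(password: str) -> set:
    """Return the set of character classes the password is counted as using.

    Classes: digit, lower, upper, ascii_other, non_ascii.
    A leading ASCII uppercase letter and a trailing digit are ignored, as the
    policy text requires.
    """
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch in string.digits:
            if i == last:
                continue            # trailing digit does not count
            classes.add("digit")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            if i == 0:
                continue            # leading uppercase letter does not count
            classes.add("upper")
        elif ord(ch) < 128:
            # Space, punctuation and (by assumption) control characters.
            classes.add("ascii_other")
        else:
            classes.add("non_ascii")
    return classes


def check_fips_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"too few character classes: {sorted(classes)} ({len(classes)} < {MIN_CLASSES})")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, chosen to exercise both exceptions.
    for candidate in ["Password1", "Passw0rd!", "Pa$$w0rd", "ab1"]:
        verdict = check_fips_password(candidate)
        print(repr(candidate), "OK" if not verdict else "; ".join(verdict))
```

Note how the exceptions bite: "Password1" is nine characters long and looks like it spans three classes, but the leading "P" and trailing "1" are discounted, leaving only lowercase letters, so it is rejected; "Passw0rd!" keeps a digit and a punctuation character in counted positions and passes.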
To estimate the probability that a random guess of the password will succeed, we assume that

* the characters of the password are '''independent''' of each other, and

* the probability of guessing an individual character of the password is < '''1/10'''.

Since the password is >= 7 characters long, the probability that a random guess of the password will succeed is < (1/10)^7 = 1/10,000,000.

After each failed authentication attempt in FIPS mode, the NSS cryptographic module inserts a one-second delay before returning to the caller, allowing at most 60 authentication attempts during a one-minute period. Therefore, the probability of a successful random guess of the password during a one-minute period is < 60 * 1/10,000,000 = 0.6 * (1/100,000).