by lolbrainwallets 4350 days ago
This is a bad cryptosystem which will result in people being fucked. Take it offline. A serious known weakness of zxcvbn is that it will grossly overestimate the entropy of things like quotes, lines from songs, lines from movies, etc.

"the quick brown fox jumps over the lazy dog" has 111 bits of entropy according to zxcvbn.


Yeah use of zxcvbn is a problem. Minilock's key strength checking goes[0]:

  key.length > 32 && zxcvbn(key).entropy > 100

Firstly, minilock allows the following: zxcvbn(". . . . . . . . . . . . . . . . ").entropy = 161.421 [1]

Secondly, this only really works for English. While they are used to being forced to use English passwords, we can't expect that speakers of other languages would like English passphrases. It also has heuristics making assumptions about how people choose passwords (e.g. l33tifying) which may be less valid for longer phrases than short passwords. zxcvbn uses all English word lists and keyboard layouts and automatically gives you a Unicode bonus[2] if you use unexpected characters. If I write a sentence in Chinese, I have a high entropy. Here minilock actually penalises Chinese by adding the key.length > 32 requirement, as 32 Chinese characters is equivalent to a much longer English passphrase. I suggest lowering the key length requirement in this case. However, if my passphrase were in Arabic and my attacker knew it was likely to be in the Arabic alphabet, I'm not really entitled to the aforementioned Unicode bonus as the entropy drops to be similar to English (I think).

That said, the design decisions of zxcvbn do make sense for Dropbox and zxcvbn is not the crucial part of the minilock program (the crypto is). Users will always find a way to game the system and find the lowest possible entropy passphrase.

[0] https://github.com/kaepora/miniLock/blob/80aff2cdbcebf669fae...
[1] https://github.com/dropbox/zxcvbn/issues/39
[2] https://github.com/dropbox/zxcvbn/blob/0a8b5b65a1864437eaac5...
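As an added illustration (not miniLock's code and not zxcvbn), here is a Python model of the quoted `key.length > 32 && entropy > 100` gate using a deliberately naive character-class estimator, beside a version that collapses repeated units, scores dictionary-word phrases, and rejects known quotes outright. The wordlist size and the phrase list are assumptions constructed for the example.

```python
import math
import re

# Constructed values for this illustration (not zxcvbn's data or miniLock's code).
WORDLIST_SIZE = 7776            # assumed attacker dictionary: one diceware-sized list
KNOWN_PHRASES = {               # a tiny stand-in for a quotes/lyrics list
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be that is the question",
}

def naive_bits(key: str) -> float:
    """Character-class model, log2(alphabet ** len): the kind of estimate that is
    fooled by repetition and by famous sentences."""
    alphabet = 0
    if re.search(r"[a-z]", key): alphabet += 26
    if re.search(r"[A-Z]", key): alphabet += 26
    if re.search(r"[0-9]", key): alphabet += 10
    if re.search(r"[^A-Za-z0-9]", key): alphabet += 33   # punctuation and space
    return len(key) * math.log2(alphabet) if alphabet else 0.0

def shortest_repeating_unit(s: str) -> str:
    """Return the shortest block that, repeated, reproduces s ('. . ' -> '. ')."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return s[:size]
    return s

def estimate_bits(key: str) -> float:
    """Take the cheapest of three attacker models: raw characters, a repeated
    unit plus a repeat count, or dictionary words drawn from a known wordlist."""
    candidates = [naive_bits(key)]
    unit = shortest_repeating_unit(key)
    if unit != key:
        candidates.append(naive_bits(unit) + math.log2(len(key) // len(unit)))
    words = key.lower().split()
    if words and all(w.isalpha() for w in words):
        candidates.append(len(words) * math.log2(WORDLIST_SIZE))
    return min(candidates)

def naive_gate(key: str, min_len: int = 32, min_bits: float = 100.0) -> bool:
    """Shape of the quoted check: length > 32 and an entropy estimate > 100."""
    return len(key) > min_len and naive_bits(key) > min_bits

def hardened_gate(key: str, min_len: int = 32, min_bits: float = 100.0) -> bool:
    """Same gate, but reject known phrases outright and use the pessimistic estimate."""
    if " ".join(key.lower().split()) in KNOWN_PHRASES:
        return False
    return len(key) > min_len and estimate_bits(key) > min_bits
```

Note that even the word-based model credits the fox sentence with roughly 116 bits (nine words from a 7776-word list), which is why a known-phrase list is needed in addition to a better estimator.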

Please don't use language like "People will get fucked" when critiquing a cryptosystem. HN is better than that.

Tarsnap has no restrictions on passphrase entropy whatsoever, yet people have no problem with Tarsnap. It's interesting that people are singling out Minilock for this feature. Is this the worst thing that can be said about Minilock?

EDIT: I accidentally said Tarsnap; I meant Scrypt.

Tarsnap does not allow anyone who has your public key to attempt to crack your passphrase. Minilock does, and in fact you can load all public keys into a bloom filter and crack them simultaneously with nearly the same speed as a single key. The design of this system is simply irresponsible. Saying people will be fucked is entirely appropriate here.
Hmm, I meant Scrypt. You can use Scrypt to encrypt files using a passphrase with no entropy restrictions. It doesn't use keys. People never raised this concern about Scrypt, and certainly didn't say people would get fucked for using it. What am I missing here? Why does Minilock warrant this outrage, but not Scrypt?

https://www.tarsnap.com/scrypt.html

That tool generates a random salt, so passphrase cracking time is O(n) where n is the number of files being cracked vs O(1) for Minilock public keys. Additionally, encrypted files are generally still not "public", whereas Minilock public keys likely would be.
Assuming that all files are encrypted with the same passphrase, and you crack the passphrase, not the key generated from kdf(salt, passphrase), complexity is O(1) for Minilock as well.
Tarsnap generates a key file - your password is not used directly to derive the key. A password is used for your account, and for encrypting the key file.
It is in "a feedback period", exactly so they can get the feedback like you just gave. So get off your high horse about taking things down.
Not really. The feedback period is for things like UX etc - this essentially makes the software (as usual for these homebrew efforts) much less secure than you think it is. When the primary reason that this software is at all secure is that it enforces a minimum entropy, if there's a bug in that then no one should use the software.
I don't see any evidence of the feedback being "for things like UX".

I also don't think the word homebrew is appropriate. AFAIK homebrew means: 1. making beer at home; 2. the Apple package manager; 3. a term generally for endeavours connected to corporate products/projects but themselves small and independent.

It took me a while to figure out what zxcvbn referred to. I even looked at the source code which was in the repository and found 'zxcvbn' in the weak password list.

Finally, whilst on my tablet, I noticed that it was as obvious as the "QWERTY" keyboard that showed up on screen. As a primarily Dvorak user, such a silly stroke of keys had not occurred to me and gave me a bit of a laugh.

I still have a lot to learn about information theory and I'd like to have expert input regarding entropy. Is it believed / agreed upon that entropy is an objective measure? It seems obvious to me that it is absolutely relative and meaningless without the associated computation method / prior information.