The MOAC repository consists of tools and libraries that take a unique approach to generating passwords and analyzing their strength. This software is concerned only with password strength, and knows nothing about the context in which passwords will be used; as such, it makes the assumption that password guessability is the only metric that matters, and a brute-force attack is constrained only by the laws of physics. It's inspired by a blog post I wrote: Becoming physically immune to brute-force attacks.
Users provide given values like the mass available to attackers, a time limit for the brute-force attack, and the energy available.
moac outputs the likelihood of a successful attack or the minimum password entropy for a possible brute-force failure. Entropy is calculated with the assumption that passwords are randomly generated.
moac-pwgen can also generate passwords capable of withstanding a brute-force attack limited by given physical quantities.
My original intent when making this tool was to illustrate how easy it is to make a password whose strength is "overkill". It has since evolved into a generic password generator and evaluator.
MOAC is actively developed as of September 2021. It's almost ready for a v1.0.0 release; I'd just like to hear some opinions/feedback before I tag+push.
make(tested with GNU Make,
bmake, and OpenBSD Make)
scdoc(for building manpages)
sudo make install # Install in /usr/local/ by default
If a value is provided and that value can be computed from other given values, the computed value will replace the provided value if the computed value is a greater bottleneck.
If the user supplies both mass and energy, the given energy will be replaced with the mass-energy of the provided mass if the given mass-energy is lower.
If the user supplies both a password and a password entropy, the given entropy will be replaced with the calculated entropy of the provided password if the calculated entropy is lower. If the user does not supply entropy or the physical values necessary to calculate it, the default entropy is
256 (the key length of AES-256).
Time and energy are the two bottlenecks to computation; the final result will be based on whichever is a greater bottleneck. Unless the lower bound of the energy per guess is orders of magnitude below the Landauer limit, energy should always be a greater bottleneck.
When physical quantities are not given, default physical quantities are the mass of the visible universe and the power required to achieve Bremermann's limit at the energy efficiency given by the Landauer limit.
The novel The Hitchhiker's Guide to the Galaxy revealed the Earth to be a supercomputer built to understand "the answer to Life, the Universe, and Everything". The computation was supposed to finish sometime around now.
Let's assume this is a maximally efficient quantum computer powered by the Earth's mass-energy:
$ moac -qm 5.97e24 -t 1.45e17 entropy-limit 427
Understanding the answer to Life, the Universe, and Everything requires less than
2^427 computations. If the same computer instead tried to brute-force a password, what kind of password might be out of its reach?
$ moac-pwgen -qm 5.97e24 -t 1.45e17 lowercase uppercase numbers symbols latin ɥìƄ¦sČÍM²ȬïľA\ɻ¨zŴǓĤúǓ¤ʬƗ;ɮĢƃƅǞɃƜʌȴɖǃƨǥ_Ǝ3ſǹǅɃ8ɟ
If the same computer instead tried to guess the password
,ȿĢıqɽȂīĲďɖȟMǧiœcɪʊȦĻțșŌƺȰ&ǡśŗȁĵɍɞƋIŀƷ?}ʯ4ůʑʅęȳŞ, there's a chance that it wouldn't have succeeded in time.
Note: given that the Earth wasn't hollow during the book's opening, it's unlikely that the Earth consumed its own mass to compute. Further research is necessary; perhaps it used solar power, or secret shipments of tiny black-hole batteries? Organic life was supposed to provide a large part of its functionality, so maybe we should restrict ourselves to the Earth's biomass.
Two reasons: the blog post I wrote (linked at the top) got me itching to implement its ideas, and I also want to use a good password generator in a password manager I'm working on.
It takes a very naive approach, assuming that any attacker is optimizing for randomly-generated passwords. More specifically, it measures password entropy as if
moac-pwgen generated the password. All it does it guess which charsets are used and measure permutations of available characters for the given password length.