From f036cf2dfcdf5a33b8f28c194003ac2455ba501b Mon Sep 17 00:00:00 2001 From: Stefan Marsiske Date: Thu, 14 Dec 2023 20:41:16 +0000 Subject: [PATCH] added proposal to caveat the server-side registration warning (#437) * added proposal to caveat the server-side registration warning * accepted Kevins proposal --- draft-irtf-cfrg-opaque.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-irtf-cfrg-opaque.md b/draft-irtf-cfrg-opaque.md index a3ed5fe1..02e3946b 100644 --- a/draft-irtf-cfrg-opaque.md +++ b/draft-irtf-cfrg-opaque.md @@ -2266,9 +2266,9 @@ offline dictionary attack to recover the original password. Some applications may require learning the client's password for enforcing password rules. Doing so invalidates this important security property of OPAQUE and is -NOT RECOMMENDED. Applications should move such checks to the client. Note that -limited checks at the server are possible to implement, e.g., detecting repeated -passwords upon re-registrations or password change. +NOT RECOMMENDED, unless it is not possible for applications to move such checks +to the client. Note that limited checks at the server are possible to implement, e.g., +detecting repeated passwords upon re-registrations or password change. In general, passwords should be selected with sufficient entropy to avoid being susceptible to recovery through dictionary attacks, both online and offline.
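Review bot: The rewritten first `+` line turns an unqualified "NOT RECOMMENDED" into an open-ended exception ("unless it is not possible for applications to move such checks to the client") without stating what the application gives up when it takes that exception, and it drops the positive instruction "Applications should move such checks to the client." Since the preceding context says that learning the password "invalidates this important security property of OPAQUE" (the server cannot mount an offline dictionary attack), the caveat should keep that consequence explicit, e.g. keep "NOT RECOMMENDED. Applications should move such checks to the client." and add a separate sentence such as "Where such checks cannot be moved to the client, applications should be aware that the server then learns the password and the protection against offline dictionary attacks described above no longer holds." The phrase "unless it is not possible" is also a double negative; "unless such checks cannot be moved to the client" reads more clearly. Finally, the second `+` line is wrapped noticeably longer than the surrounding lines of the section; rewrapping the three replaced lines to the file's existing width would keep the diff tidy.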