Add additional helper to calculate the minimum entropy #71

@Tostino

Description

I've been thinking on the state of current computing trends, the current pattern we have for specifying a minimum entropy is based on:

  • setMinimumEntropy(Double minimumEntropy) - manual decision by human
  • setMinimumEntropy(BigDecimal secondsToCrack, String guessType) - based on a fixed size cracking rig specified with setCrackingHardwareCost(final Long crackingHardwareCost)

If instead, we allowed the user to configure an average cost to crack password based on hash algorithm selected and calculated entropy of password within a fixed time period, it would allow our users to easily decide on a minimum entropy based on threat type and potential resources of adversary.
E.g., setMinimumEntropy(BigDecimal averageSpend, String guessType)
The averageSpend could be some cloud-based best $/hash per-algorithm and would account for the virtually unlimited parallelism you can throw at cracking problems with modern cloud hardware and a cartel or nation-state sized budget.

The threat model I am trying to alleviate is the "my login database was leaked and now it's out in the public with user information and password hashes, however Nbvcxz was used to ensure passwords met some minimum entropy, so that all passwords stored in this database are invulnerable to brute-force attacks and have no other obvious weakness that we can detect with targeted attacks (diceware for example)" scenario.

This should allow users of this library to configure it to their organization's threat level in a way that is more comprehensible to someone working in a corporate security department trying to decide how to configure software using Nbvcxz that surfaces this configuration to the user. It's the only real way to quantify how fast someone can break a password when they can rent (or botnet) a virtually unlimited supply of compute power that can be put to task cracking hashes.

Some links:
https://web.archive.org/web/20230106023836/https://security.stackexchange.com/questions/117392/password-cracking-time-vs-cost
https://web.archive.org/web/20230106023847/https://blog.1password.com/cracking-challenge-update/
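Worked illustration of the proposed cost-based helper, added here as an example and not part of Nbvcxz or of the issue author's proposal. It assumes a per-algorithm cost per guess for rented GPU compute (the `COST_PER_GUESS_USD` figures below are constructed placeholders, not measured rates) and derives the minimum entropy from the expected number of guesses, 2^(E-1) for an E-bit secret. The class and method names (`BudgetBasedMinimumEntropy`, `minimumEntropyForBudget`, `expectedCrackCost`) are hypothetical; nothing here calls the Nbvcxz API.

```java
import java.math.BigDecimal;
import java.math.MathContext;
import java.util.Map;

/**
 * Added example, not Nbvcxz code: convert an adversary's budget into a
 * minimum password entropy, given an assumed cost per hash guess for the
 * algorithm the passwords are stored with.
 */
public final class BudgetBasedMinimumEntropy {

    // Constructed, illustrative USD-per-guess figures for rented GPU compute.
    // These are assumptions for the example, not benchmarked rates; a real
    // deployment would measure (or periodically refresh) them per algorithm.
    static final Map<String, BigDecimal> COST_PER_GUESS_USD = Map.of(
        "md5",      new BigDecimal("1e-13"),
        "sha256",   new BigDecimal("3e-13"),
        "bcrypt10", new BigDecimal("1e-8"),   // bcrypt, cost factor 10
        "argon2id", new BigDecimal("5e-8")
    );

    private static BigDecimal costFor(String algorithm) {
        BigDecimal cost = COST_PER_GUESS_USD.get(algorithm);
        if (cost == null) {
            throw new IllegalArgumentException("no cost model for algorithm: " + algorithm);
        }
        return cost;
    }

    /**
     * Smallest entropy E (in bits) such that the expected cost of exhausting
     * the key space exceeds the attacker's budget. A uniformly random E-bit
     * secret is found after 2^(E-1) guesses on average, so
     *   expectedCost = 2^(E-1) * costPerGuess
     * and solving for E gives log2(budget / costPerGuess) + 1.
     */
    public static double minimumEntropyForBudget(BigDecimal budgetUsd, String algorithm) {
        if (budgetUsd.signum() <= 0) {
            throw new IllegalArgumentException("budget must be positive");
        }
        BigDecimal guesses = budgetUsd.divide(costFor(algorithm), MathContext.DECIMAL64);
        return Math.log(guesses.doubleValue()) / Math.log(2.0) + 1.0;
    }

    /** Expected spend to recover one password of the given entropy by brute force. */
    public static BigDecimal expectedCrackCost(double entropyBits, String algorithm) {
        if (entropyBits < 1.0 || entropyBits > 1000.0) {
            throw new IllegalArgumentException("entropy out of supported range");
        }
        BigDecimal guesses = BigDecimal.valueOf(Math.pow(2.0, entropyBits - 1.0));
        return guesses.multiply(costFor(algorithm), MathContext.DECIMAL64);
    }

    public static void main(String[] args) {
        BigDecimal budget = new BigDecimal("1000000"); // a USD 1M adversary
        for (String alg : new String[] {"md5", "sha256", "bcrypt10", "argon2id"}) {
            double bits = minimumEntropyForBudget(budget, alg);
            System.out.printf("%-9s budget %s USD -> minimum entropy %.1f bits%n",
                              alg, budget.toPlainString(), bits);
        }
        // Sanity check in the other direction: what does a 40-bit password cost?
        System.out.printf("40-bit password, bcrypt10: expected cost %s USD%n",
                          expectedCrackCost(40.0, "bcrypt10").toPlainString());
    }
}
```

With the placeholder rates above, a USD 1M budget maps to roughly 64 bits for MD5 and roughly 47.5 bits for bcrypt at cost 10, which is the point of the proposal: the same budget tolerates a weaker password when the hash is slow. The model only bounds brute-force search over the residual entropy; it says nothing about dictionary or pattern attacks, which is why it would sit alongside, not replace, the matcher-based estimate Nbvcxz already produces.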
