removed latex code for better readability

SECURITY.md

@@ -2,116 +2,108 @@
 
 ---
 
-## **1. Overview**
+## 1. Overview
 This document analyzes the security of passwords generated by the application, which uses the following parameters:
-- **Length**: 32 characters
+- Length: 32 characters
-- **Character set**: Uppercase letters (`A-Z`), lowercase letters (`a-z`), digits (`0-9`)
+- Character set: Uppercase letters (A-Z), lowercase letters (a-z), digits (0-9)
-- **No special characters** (equivalent to `apg -a 1 -m 32 -n 1 -M NCL`)
+- No special characters (equivalent to `apg -a 1 -m 32 -n 1 -M NCL`)
 
 ---
 
-## **2. Keyspace Analysis**
+## 2. Keyspace Analysis
-### **2.1. Character Set and Length**
+### 2.1. Character Set and Length
-- **Character set size**: 26 (uppercase) + 26 (lowercase) + 10 (digits) = **62 possible characters per position**.
+- Character set size: 26 (uppercase) + 26 (lowercase) + 10 (digits) = **62 possible characters per position**.
-- **Password length**: 32 characters.
+- Password length: 32 characters.
 
-### **2.2. Total Keyspace**
+### 2.2. Total Keyspace
 The total number of possible passwords is calculated as:
-\[
+62^32 ≈ 1.46 × 10^57
-62^{32} \approx 1.46 \times 10^{57}
-\]
 This means there are **1.46 decillion** possible combinations.
 
 ---
 
-## **3. Brute-Force Resistance**
+## 3. Brute-Force Resistance
-### **3.1. Average Number of Guesses**
+### 3.1. Average Number of Guesses
 On average, an attacker would need to try half of the keyspace to guess the correct password:
-\[
+(62^32) / 2 ≈ 7.3 × 10^56 attempts
-\frac{62^{32}}{2} \approx 7.3 \times 10^{56} \text{ attempts}
-\]
 
-### **3.2. Time to Crack on Modern Hardware**
+### 3.2. Time to Crack on Modern Hardware
 | Hardware          | Hashes per Second | Time to Exhaust Keyspace       |
 |-------------------|-------------------|--------------------------------|
-| Modern CPU        | 10 billion        | \(7.3 \times 10^{46}\) seconds | \(\approx 2.3 \times 10^{39}\) years |
+| Modern CPU        | 10 billion        | 7.3 × 10^46 seconds            | ≈ 2.3 × 10^39 years            |
-| Modern GPU        | 100 billion       | \(7.3 \times 10^{45}\) seconds | \(\approx 2.3 \times 10^{38}\) years |
+| Modern GPU        | 100 billion       | 7.3 × 10^45 seconds            | ≈ 2.3 × 10^38 years            |
 
-**Note**: Even with **massive parallelization** (e.g., botnets or supercomputers), brute-forcing a 32-character password from this keyspace is **practically infeasible**.
+**Note**: Even with massive parallelization (e.g., botnets or supercomputers), brute-forcing a 32-character password from this keyspace is practically infeasible.
 
 ---
 
-## **4. Comparison with Shorter Passwords**
+## 4. Comparison with Shorter Passwords
-| Length | Keyspace (62 Characters) | Average Guesses | Time on GPU (100 GigaHashes/s) |
+| Length | Keyspace (62 Characters) | Average Guesses       | Time on GPU (100 GigaHashes/s) |
-|--------|--------------------------|-----------------|-------------------------------|
+|--------|--------------------------|-----------------------|-------------------------------|
-| 16     | \(4.7 \times 10^{28}\)    | \(2.35 \times 10^{28}\) | ~74 years                      |
+| 16     | 4.7 × 10^28              | 2.35 × 10^28          | ~74 years                      |
-| 24     | \(1.3 \times 10^{43}\)    | \(6.5 \times 10^{42}\) | ~2.1 million years            |
+| 24     | 1.3 × 10^43              | 6.5 × 10^42           | ~2.1 million years            |
-| 32     | \(1.46 \times 10^{57}\)   | \(7.3 \times 10^{56}\) | ~2.3 trillion years            |
+| 32     | 1.46 × 10^57             | 7.3 × 10^56           | ~2.3 trillion years            |
 
 ---
 
-## **5. Threat Model**
+## 5. Threat Model
-### **5.1. Brute-Force Attacks**
+### 5.1. Brute-Force Attacks
-- **Conclusion**: Brute-force attacks are **not a viable threat** for 32-character passwords.
+- **Conclusion**: Brute-force attacks are not a viable threat for 32-character passwords.
-- **Mitigation**: Ensure the system enforces **rate-limiting** to prevent automated guessing.
+- **Mitigation**: Ensure the system enforces rate-limiting to prevent automated guessing.
 
-### **5.2. Social Engineering and Side-Channel Attacks**
+### 5.2. Social Engineering and Side-Channel Attacks
-- **Social Engineering**: Phishing, keyloggers, or shoulder surfing are **more realistic threats** than brute-force attacks.
+- **Social Engineering**: Phishing, keyloggers, or shoulder surfing are more realistic threats than brute-force attacks.
 - **Side-Channel Attacks**: Timing attacks or power analysis could theoretically reduce security if the password verification is poorly implemented.
-  - **Mitigation**: Use **constant-time comparison** functions for password verification.
+  - **Mitigation**: Use constant-time comparison functions for password verification.
 
-### **5.3. Password Storage**
+### 5.3. Password Storage
-- **Hashing**: Always store passwords using **strong, adaptive hashing algorithms** like:
+- **Hashing**: Always store passwords using strong, adaptive hashing algorithms like:
-  - **Argon2** (recommended for new systems)
+  - Argon2 (recommended for new systems)
-  - **bcrypt** or **PBKDF2** (with high work factors)
+  - bcrypt or PBKDF2 (with high work factors)
-- **Salting**: Use a **unique salt per password** to prevent rainbow table attacks.
+- **Salting**: Use a unique salt per password to prevent rainbow table attacks.
 
 ---
 
-## **6. Practical Recommendations**
+## 6. Practical Recommendations
-### **6.1. For Users**
+### 6.1. For Users
 - **Password Managers**: Encourage the use of password managers to store and manage generated passwords.
 - **Multi-Factor Authentication (MFA)**: Always enable MFA where possible to add an extra layer of security.
 
-### **6.2. For Developers**
+### 6.2. For Developers
 - **Rate Limiting**: Implement rate limiting on authentication endpoints to slow down brute-force attempts.
-- **Secure Transmission**: Ensure passwords are transmitted over **TLS/SSL** to prevent interception.
+- **Secure Transmission**: Ensure passwords are transmitted over TLS/SSL to prevent interception.
 - **Password Policies**: Enforce policies that discourage password reuse and encourage regular updates.
 
-### **6.3. For DFIR and Incident Response**
+### 6.3. For DFIR and Incident Response
 - **Logging and Monitoring**: Log failed login attempts and monitor for unusual activity.
 - **Incident Response Plan**: Have a plan in place for compromised accounts, including forced password resets and user notification.
 
 ---
 
-## **7. Additional Considerations**
+## 7. Additional Considerations
-### **7.1. Extended Character Set**
+### 7.1. Extended Character Set
-If special characters are included (e.g., `!@#$%^&*`), the keyspace increases to:
+If special characters are included (e.g., !@#$%^&*), the keyspace increases to:
-\[
+72^32 ≈ 1.9 × 10^60
-72^{32} \approx 1.9 \times 10^{60}
+This further improves security but is not necessary for most use cases given the already massive keyspace.
-\]
-This further improves security but is **not necessary** for most use cases given the already massive keyspace.
 
-### **7.2. Entropy Calculation**
+### 7.2. Entropy Calculation
-The **entropy** of a 32-character password from a 62-character set is:
+The entropy of a 32-character password from a 62-character set is:
-\[
+log2(62^32) ≈ 192.6 bits
-\log_2(62^{32}) \approx 192.6 \text{ bits}
+This exceeds the 128-bit security level recommended by NIST for cryptographic applications.
-\]
-This exceeds the **128-bit security level** recommended by NIST for cryptographic applications.
 
 ---
 
-## **8. Conclusion**
+## 8. Conclusion
-The passwords generated by this application are **extremely secure** against brute-force attacks due to their length and character diversity. The primary risks lie in **human factors** (e.g., phishing, reuse) and **implementation flaws** (e.g., weak hashing, lack of rate limiting).
+The passwords generated by this application are extremely secure against brute-force attacks due to their length and character diversity. The primary risks lie in human factors (e.g., phishing, reuse) and implementation flaws (e.g., weak hashing, lack of rate limiting).
 
-For **DFIR and high-security environments**, combine these passwords with:
+For DFIR and high-security environments, combine these passwords with:
-- **Multi-Factor Authentication (MFA)**
+- Multi-Factor Authentication (MFA)
-- **Regular audits** of authentication logs
+- Regular audits of authentication logs
-- **User education** on social engineering risks
+- User education on social engineering risks
 
 ---
 
-## **9. References**
+## 9. References
 - [NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) (Digital Identity Guidelines)
 - [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
 - [Argon2: The Memory-Hard Function for Password Hashing](https://github.com/P-H-C/phc-winner-argon2)