
List:       kde-core-devel
Subject:    Re: Password strengh meter in KNewPasswordDialog
From:       Thiago Macieira <thiago () kde ! org>
Date:       2013-04-03 21:53:40
Message-ID: 7544328.PmaHQdPRhb () tjmaciei-mobl2


On Wednesday, 3 April 2013 22.39.47, Rolf Eike Beer wrote:
> Also punish all passwords harder 
> that do not contain all types of characters, so a password containing only 
> lowercase characters and numbers needs to be much longer than one also 
> containing specials and uppercase characters.

You do realise that a password isn't truly random if it has to contain all 
types? I hate when I'm forced to do that.

For example, here are 10 passwords generated with keepassx with Upper, lower, 
numbers, minus, underline, and special characters:

				old	/ new
"d3(;$puO		82	82
S+157jz"9		92	72
4Q%p6sZwo		100	100
0We|va}!G		92	92
*+"$ZIf6p		72	62

'HC4@xiH?		82	80
qbF\FdHCy		82	52
'$Y(7sy8<		100	82
)Nxrml@u[		100	90
U-+*al`S)		82	62

Note how there are a few without digits. But since they're all randomly-generated 
using the same method, they all have the same probability.

For custom 
"!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", I 
get:

4xy1pIrwy		100	60
rv8AaI6G8		92	70
YHbcA5C38		92 	60
h@abfjih6		72	55
m!58L!TOD		52	42

GNxzg&Rxz		82	52
SFZN5$k@m		82	62
7bmDx@*SW		82	72
U2WVF9kLH		82	47
tgD4cYGjo		82	62

Out of ten, only three got all four types of characters. All *ten* got a score 
lower than 75, which is your threshold for the green colour.

I generated 100 10-character passwords by base64 encoding /dev/urandom. With 
the old algorithm, 65% of the passwords were 100 points, 20% more between 90 
and 99 and 10% between 80 and 89. With the new algorithm, only 14 passwords 
got 100 points, 21% are between 80 and 99 and 40% of them are between 70 and 
79 points. There was even one entry that got 30 points.

I have to increase the password length to 14 characters to get 65% of 100 points. 
And they're all random.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
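
Added example, not part of the original message: an exact calculation of how often a uniformly random 9-character password over the custom alphabet quoted above contains all four character types, and how many bits of entropy a "must contain every type" rule removes. The function names and the four-way split into lowercase, uppercase, digit and special are assumptions made for this illustration.

```python
import math
from itertools import combinations

# Custom alphabet quoted in the message above.
ALPHABET = "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def class_sizes(alphabet):
    """Return (lower, upper, digit, special) counts of distinct characters."""
    chars = set(alphabet)
    lower = sum(c.islower() for c in chars)
    upper = sum(c.isupper() for c in chars)
    digit = sum(c.isdigit() for c in chars)
    return (lower, upper, digit, len(chars) - lower - upper - digit)


def p_all_classes(sizes, length):
    """Probability that a uniformly random password of `length` characters
    has at least one character from every class (inclusion-exclusion over
    the sets of classes that could be missing)."""
    total = sum(sizes)
    p = 0.0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            p += (-1) ** k * ((total - sum(missing)) / total) ** length
    return p


def entropy_bits(sizes, length, require_all=False):
    """Entropy of a uniform choice; with require_all, only passwords that
    contain every class are allowed, so the search space shrinks."""
    bits = length * math.log2(sum(sizes))
    if require_all:
        bits += math.log2(p_all_classes(sizes, length))
    return bits


if __name__ == "__main__":
    sizes = class_sizes(ALPHABET)
    p = p_all_classes(sizes, 9)
    print(f"class sizes (lower, upper, digit, special): {sizes}")
    print(f"P(all four types in 9 random chars): {p:.3f}")
    print(f"entropy, any password:      {entropy_bits(sizes, 9):.2f} bits")
    print(f"entropy, all types forced:  {entropy_bits(sizes, 9, True):.2f} bits")
```

Under these assumptions fewer than half of the uniformly random 9-character passwords contain all four types, so a rule that demands them rejects the majority of equally probable candidates and hands an attacker a slightly smaller space to search.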
