List:       kde-core-devel
Subject:    Re: Password strength meter in KNewPasswordDialog
From:       Rolf Eike Beer <kde () opensource ! sf-tec ! de>
Date:       2013-04-03 23:01:37
Message-ID: 1946796.E8YRhEoaDS () eto


On Wednesday, 03 April 2013, 18:47:17, Cristian Tibirna wrote:
> On Wednesday 03 April 2013 22:39:47 Rolf Eike Beer wrote:
> > Hi all,
> > 
> > the current issue of (German) Linux Magazin has an article comparing some
> > GnuPG frontends. One issue discussed there is the "password strength meter"
> > that gives e.g. 25% strength indication for things like 123456789. I don't
> > know about Kleopatra, but KGpg uses KNewPasswordDialog and its strength
> > meter for this. I propose to change the algorithm used to calculate the
> > password strength to remove key sequences from the "length" calculation of
> > the password, i.e. 123 has the same length as 1. Also punish all passwords
> > harder that do not contain all types of characters,
> 
> http://xkcd.com/936/
> 
> > so a password
> > containing only lowercase characters and numbers needs to be much longer
> > than one also containing specials and uppercase characters.
> 
> Really, this whole "can be short because has mixed types of characters"
> nonsense has to die.

Not short, just shorter. So this boils down to the question: how can we count 
the bits of entropy?

> There is a math theory behind password strength. There might even be
> libraries capable of measuring this properly.
> 
> IMH (non-contributor) O, we should try to reuse here.

Adding dependencies would only affect 4.11, but I guess even for that the time 
may already be too short. Not that it wouldn't be a good idea for 4.12 if it's 
worth the effort.

Eike
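
The proposal discussed in this message (collapse key sequences so that 123 counts like 1, then ask how many bits the rest is worth), sketched as an added example that is not part of the original mail and is not KDE's KNewPasswordDialog code. All function names are hypothetical; the class sizes assume printable ASCII, and only runs of three or more consecutive code points are collapsed.

```cpp
#include <cctype>
#include <cmath>
#include <cstddef>
#include <iostream>
#include <string>

// Length with every ascending/descending run of 3+ characters counted once,
// so "123" scores like "1". Keyboard rows such as "qwerty" are not detected.
std::size_t collapsedLength(const std::string& pw) {
    std::size_t count = 0;
    for (std::size_t i = 0; i < pw.size(); ++count) {
        std::size_t j = i + 1;
        int step = (j < pw.size()) ? pw[j] - pw[i] : 0;
        if (step == 1 || step == -1)
            while (j < pw.size() && pw[j] - pw[j - 1] == step) ++j;
        i = (j - i >= 3) ? j : i + 1;  // shorter runs are kept as-is
    }
    return count;
}

// Size of the alphabet implied by the character classes that occur.
int alphabetSize(const std::string& pw) {
    bool lower = false, upper = false, digit = false, other = false;
    for (unsigned char c : pw) {
        if (std::islower(c)) lower = true;
        else if (std::isupper(c)) upper = true;
        else if (std::isdigit(c)) digit = true;
        else other = true;
    }
    return 26 * lower + 26 * upper + 10 * digit + 33 * other;
}

// Upper bound in bits: correct only if every counted character were random.
double estimateBits(const std::string& pw) {
    int n = alphabetSize(pw);
    return n ? collapsedLength(pw) * std::log2(n) : 0.0;
}

// Characters needed to reach a bit target with a given alphabet.
std::size_t lengthForBits(double bits, int alphabet) {
    return static_cast<std::size_t>(std::ceil(bits / std::log2(alphabet)));
}

int main() {
    for (const char* pw : {"123456789", "Tr0ub4dor&3", "correcthorsebatterystaple"})
        std::cout << pw << ": " << estimateBits(pw) << " bits\n";
    std::cout << "64 bits: " << lengthForBits(64, 95) << " chars (all classes), "
              << lengthForBits(64, 36) << " chars (lowercase+digits)\n";
}
```

The last line of output puts numbers on "not short, just shorter": the restricted alphabet needs 13 characters where the full one needs 10 for the same bound.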