
List:       kde-core-devel
Subject:    Re: Password strength meter in KNewPasswordDialog
From:       Christoph Feck <christoph () maxiom ! de>
Date:       2013-04-04 7:22:46
Message-ID: 201304040922.46836.christoph () maxiom ! de

On Thursday 04 April 2013 00:53:28 Rolf Eike Beer wrote:
> On Wednesday 03 April 2013, 14:53:40, Thiago Macieira wrote:
> > On Wednesday, 3 April 2013 22.39.47, Rolf Eike Beer wrote:
> > > Also punish all passwords harder
> > > that do not contain all types of characters, so a password
> > > containing only lowercase characters and numbers needs to be
> > > much longer than one also containing specials and uppercase
> > > characters.
> > 
> > You do realise that a password isn't truly random if it has to
> > contain all types? I hate when I'm forced to do that.
> > 
> > For example, here are 10 passwords generated with keepassx with
> > Upper, lower, numbers, minus, underline, and special characters:
> > 
> > Note how there are a few without digits. But since they're all
> > randomly-generated using the same method, they all have the same
> > probability.
> > 
> > For custom
> > 
> > "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", I get:
> > 
> > Out of ten, only three got all four types of characters. All
> > *ten* got a score lower than 75, which is your threshold for the
> > green colour.
> 
> There are 5 types of characters (also in the old algorithm):
> Uppercase, lowercase vowel, lowercase consonant, digits, and
> specials. You are right, and indeed there are 2 changes to the
> algorithm that I do: penalize sequences and penalize too few types.
> Especially the latter part may need some tweaks. From my point of
> view there is no need to divide lowercase characters in 2 classes,
> in an earlier version of my patch I even removed this.

The distinction between vowels and consonants has been added to try to 
detect normal words. The password "kgnlhtbm" should have a higher 
score compared to "pibatero". In the latter, the changes between 
vowels and consonants make it look like a word (even if it isn't, at 
least not in any language I know).

> 
> > I generated 100 10-character passwords by base64 encoding
> > /dev/urandom. With the old algorithm, 65% of the passwords were
> > 100 points, 20% more between 90 and 99 and 10% between 80 and
> > 89. With the new algorithm, only 14 passwords got 100 points,
> > 21% are between 80 and 99 and 40% of them are between 70 and 79
> > points. There was even one entry that got 30 points.
> > 
> > I have to increase the password length to 14 characters to 65% of
> > 100 points. And they're all random.
> 
> I have changed my algorithm in some ways and rechecked: removed
> vowel class, divide by one less than we have character classes,
> and both. Then your random passwords give better results with the
> new algorithm, sometimes even better than with the old one. There
> are a few exceptions (qbF\FdHCy, U2WVF9kLH) that still score worse
> with the new algorithm. One of them has no digit, the other no
> special, so I am not surprised as there are very few transitions
> between character classes in them.
> 
> So, yes, you are absolutely right. Suggestions about how to improve
> that are absolutely welcome.
> 
> Eike

Christoph Feck (kdepepo)
KDE Quality Team