Password strength meter in KNewPasswordDialog

Rolf Eike Beer kde at opensource.sf-tec.de
Wed Apr 3 21:39:47 BST 2013


Hi all,

the current issue of (German) Linux Magazin has an article comparing some 
GnuPG frontends. One issue discussed there is the "password strength meter" 
that gives e.g. 25% strength indication for things like 123456789. I don't 
know about Kleopatra, but KGpg uses KNewPasswordDialog and its strength meter 
for this. I propose to change the algorithm used to calculate the password 
strength to remove key sequences from the "length" calculation of the 
password, i.e. 123 has the same length as 1. Also punish all passwords harder 
that do not contain all types of characters, so a password containing only 
lowercase characters and numbers needs to be much longer than one also 
containing specials and uppercase characters.

I've attached my strength test program containing both the old and the 
proposed new version of the code. I've tested the new version in 2 variants, 
once with and without the call to toLower() before checking for sequences. 
These are some test passwords I used, mostly some examples of "simple" 
passwords users will use. The last one is a scrambled version of a password I 
saw used somewhere (i.e. every letter replaced with something from the same 
character class to retain the score) that was not totally obvious.

             old nEw new
abcdef        45  12  12
abcdefghi     72  22  22
1             12   1   1
12            15   2   2
123           17   2   2
1234          20   2   2
12345         22   2   2
123456        25   2   2
123456789     32   2   2
qwertz        45  25  25
1234test      40  20  20
test1234      30  10  10
a1b2c3d4     100  60  60
a1b2c3d4e5   100  85  85
a1b2c3d4e5f6 100 100 100
a1a1a1a1      40  20  20
........      30   2   2
KKvfnDd.      90  57  55

Also I propose to change the color of the strength indicator to red below 50% 
and to yellow below 75%. Since this does not affect any strings and improves 
security I would also push this into 4.10 if no one objects.

Comments?

Eike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pwdstrength.cpp
Type: text/x-c++src
Size: 4108 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20130403/f0157ebf/attachment.cpp>