Password strengh meter in KNewPasswordDialog
Rolf Eike Beer
kde at opensource.sf-tec.de
Wed Apr 3 23:53:28 BST 2013
Am Mittwoch 03 April 2013, 14:53:40 schrieb Thiago Macieira:
> On quarta-feira, 3 de abril de 2013 22.39.47, Rolf Eike Beer wrote:
> > Also punish all passwords harder
> > that do not contain all types of characters, so a password containing only
> > lowercase characters and numbers needs to be much longer than one also
> > containing specials and uppercase characters.
> You do realise that a password isn't truly random if it has to contain all
> types? I hate when I'm forced to do that.
> For example, here are 10 password generated with keepassx with Upper, lower,
> numbers, minus, underline, and special characters:
> Note how there a few without digits. But since they're all
> randomly-generated using the same method, they all have the same
> For custom
> "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", I
> Out of ten, only three got all four types of characters. All *ten* got a
> score lower than 75, which is your threshold for the green colour.
There are 5 types of characters (also in the old algorithm): Uppercase,
lowercase vowel, lowercase consonant, digits, and specials. You are right, and
indeed there are 2 changes to the algorith that I do: penalize sequences and
penalize too few types. Especially the later part may need some tweaks. From
my point of view there is no need to divide lowercase characters in 2 classes,
in an earlier version of my patch I even removed this.
> I generated 100 10-character passwords by base64 encoding /dev/urandom. With
> the old algorithm, 65% of the passwords were 100 points, 20% more between
> 90 and 99 and 10% between 80 and 89. With the new algorithm, only 14
> passwords got 100 points, 21% are between 80 and 99 and 40% of them are
> between 70 and 79 points. There was even one entry that got 30 points.
> I have to increase the password length to 14 characters to 65% of 100
> points. And they're all random.
I have changed my algorithm in some ways and rechecked: removed vowel class,
divide by one less than we have character classes, and both. Then your random
passwords give better results with the new algorithm, sometimes even better
than with the old one. There are a few exceptions (qbF\FdHCy, U2WVF9kLH) that
still score worse with the new algorithm. One of them has no digit, the other
no special, so I am not surprised as there are very few transitions between
character classes in them.
So, yes, you are absolutely right. Suggestions about how to improve that
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: This is a digitally signed message part.
More information about the kde-core-devel