Password strength meter in KNewPasswordDialog

Rolf Eike Beer kde at opensource.sf-tec.de
Wed Apr 3 23:53:28 BST 2013


On Wednesday 03 April 2013, 14:53:40, Thiago Macieira wrote:
> On Wednesday, 3 April 2013 22.39.47, Rolf Eike Beer wrote:
> > Also punish all passwords harder
> > that do not contain all types of characters, so a password containing only
> > lowercase characters and numbers needs to be much longer than one also
> > containing specials and uppercase characters.
> 
> You do realise that a password isn't truly random if it has to contain all
> types? I hate when I'm forced to do that.
> 
> For example, here are 10 passwords generated with keepassx with Upper, lower,
> numbers, minus, underline, and special characters:
> 
> Note how there are a few without digits. But since they're all
> randomly-generated using the same method, they all have the same
> probability.
> 
> For custom
> "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", I
> get:
> 
> Out of ten, only three got all four types of characters. All *ten* got a
> score lower than 75, which is your threshold for the green colour.

There are 5 types of characters (also in the old algorithm): Uppercase,
lowercase vowel, lowercase consonant, digits, and specials. You are right, and
indeed there are 2 changes to the algorithm that I do: penalize sequences and
penalize too few types. Especially the latter part may need some tweaks. From
my point of view there is no need to divide lowercase characters in 2 classes;
in an earlier version of my patch I even removed this.

> I generated 100 10-character passwords by base64 encoding /dev/urandom. With
> the old algorithm, 65% of the passwords were 100 points, 20% more between
> 90 and 99 and 10% between 80 and 89. With the new algorithm, only 14
> passwords got 100 points, 21% are between 80 and 99 and 40% of them are
> between 70 and 79 points. There was even one entry that got 30 points.
> 
> I have to increase the password length to 14 characters to get 65% of 100
> points. And they're all random.

I have changed my algorithm in some ways and rechecked: removed vowel class, 
divide by one less than we have character classes, and both. Then your random 
passwords give better results with the new algorithm, sometimes even better 
than with the old one. There are a few exceptions (qbF\FdHCy, U2WVF9kLH) that 
still score worse with the new algorithm. One of them has no digit, the other 
no special, so I am not surprised as there are very few transitions between 
character classes in them.

So, yes, you are absolutely right. Suggestions about how to improve that are
absolutely welcome.

Eike
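The exchange above turns on two measurements that a composition-based meter tends to confuse: the entropy a uniform generator actually provides, and how often its output happens to lack one of the character classes the meter expects. The following added example, which is not code from KNewPasswordDialog or from either poster, computes both for the alphabets named in the thread (base64 output and the custom character set quoted by Thiago) and checks the exact inclusion-exclusion figure against a seeded sample. The class definitions (Python's string.punctuation as the "special" class) and the seeded PRNG standing in for /dev/urandom are assumptions of the example.

```python
"""Why composition rules misjudge randomly generated passwords.

Added example; not code from KNewPasswordDialog or from the mailing-list thread.
For a password drawn uniformly from an alphabet it compares:
  * the entropy the generator provides (log2 of the alphabet size per character),
    which is identical for every password it emits;
  * the probability that such a password nevertheless lacks a character class,
    computed exactly by inclusion-exclusion and checked against a sample.
"""
import math
import string
from itertools import combinations
from random import Random

# Four character classes (the revised algorithm in the thread drops the
# vowel/consonant split). Assumption: string.punctuation is the "special" class.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Alphabets from the thread: base64 output (alphanumerics plus '+' and '/') and
# the custom character set quoted by Thiago. Both are assumed sampled uniformly.
BASE64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generation_entropy_bits(length: int, alphabet: str) -> float:
    """Bits of entropy a uniform generator puts into a password of this length.
    The same for every password it produces, whatever the mix of classes."""
    return length * math.log2(len(alphabet))


def classes_present(password: str) -> set:
    """Names of the character classes that occur at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def probability_all_classes(length: int, alphabet: str) -> float:
    """Exact probability that a uniformly random password of `length` characters
    over `alphabet` contains every class the alphabet can supply.
    Inclusion-exclusion over the set of classes that are missing."""
    per_class = {name: chars & set(alphabet) for name, chars in CLASSES.items()}
    per_class = {name: chars for name, chars in per_class.items() if chars}
    names = list(per_class)
    total = 0.0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            excluded = set().union(*(per_class[m] for m in missing))
            survivors = len(alphabet) - len(excluded)
            total += (-1) ** k * (survivors / len(alphabet)) ** length
    return total


def sample_fraction_all_classes(length: int, alphabet: str, count: int, seed: int = 1) -> float:
    """Empirical counterpart using a seeded PRNG so the run is reproducible.
    (The thread used /dev/urandom through base64; for measuring the heuristic
    any uniform source works, real passwords would of course use a CSPRNG.)"""
    rng = Random(seed)
    wanted = classes_present(alphabet)
    hits = sum(
        1 for _ in range(count)
        if classes_present("".join(rng.choice(alphabet) for _ in range(length))) == wanted
    )
    return hits / count


if __name__ == "__main__":
    for alphabet, label in ((BASE64_ALPHABET, "base64"), (CUSTOM_ALPHABET, "custom")):
        for n in (10, 14):
            print(f"{label:7} n={n:2}: {generation_entropy_bits(n, alphabet):5.1f} bits, "
                  f"P(all classes) = {probability_all_classes(n, alphabet):.3f}, "
                  f"sampled = {sample_fraction_all_classes(n, alphabet, 10000):.3f}")
    # The two passwords quoted in the thread that still scored low: each lacks a class.
    for pw in (r"qbF\FdHCy", "U2WVF9kLH"):
        print(pw, "->", sorted(classes_present(pw)))
```

The point the numbers make: every 10-character base64 password carries 60 bits of generation entropy, yet only about a fifth of them contain all four classes, so any meter that penalises a missing class will mark down most of the output of a perfectly good generator. Requiring a longer password, as the thread found necessary, raises the chance of all classes appearing but does not change the fact that the penalty measures composition rather than unpredictability.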