Password strength meter in KNewPasswordDialog

Rolf Eike Beer kde at opensource.sf-tec.de
Thu Apr 4 00:01:37 BST 2013


On Wednesday 03 April 2013, 18:47:17 Cristian Tibirna wrote:
> On Wednesday 03 April 2013 22:39:47 Rolf Eike Beer wrote:
> > Hi all,
> > 
> > the current issue of (German) Linux Magazin has an article comparing some
> > GnuPG frontends. One issue discussed there is the "password strength
> > meter" that gives e.g. 25% strength indication for things like 123456789.
> > I don't know about Kleopatra, but KGpg uses KNewPasswordDialog and its
> > strength meter for this. I propose to change the algorithm used to calculate the
> > password strength to remove key sequences from the "length" calculation of
> > the password, i.e. 123 has the same length as 1. Also punish all passwords
> > harder that do not contain all types of characters,
> 
> http://xkcd.com/936/
> 
> > so a password
> > containing only lowercase characters and numbers needs to be much longer
> > than one also containing specials and uppercase characters.
> 
> Really, this whole "can be short because has mixed types of characters"
> nonsense has to die.

Not short, just shorter. So this boils down to the question: how can we count 
the bits of entropy?

> There is a math theory behind password strength. There might even be
> libraries capable of measuring this properly.
> 
> IMH (non-contributor) O, we should try to reuse here.

Adding dependencies would only affect 4.11, but I guess even for that the time 
may already be too short. Not that it wouldn't be a good idea for 4.12 if it's 
worth the effort.

Eike
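The proposal quoted above (collapse key sequences so that "123" counts the same as "1", then count bits of entropy from the character classes present) as an added, stand-alone example. This is not code from KNewPasswordDialog or KGpg; it is written in Python for readability rather than in the C++ of the KDE code base. Assumptions: a run must be at least 3 characters long to be collapsed (so "ss" in "password" survives), only ASCII-adjacent sequences and repeats are detected (keyboard rows such as "qwerty" would need a separate table), the special-character class is taken as 32 symbols, and the 100% mark is set at 64 bits.

```python
import math


def collapse_sequences(password: str, min_run: int = 3) -> str:
    """Collapse runs of consecutive (abc, 321) or repeated (aaa) characters into
    their first character. min_run is an assumption: shorter runs are kept as-is
    so that ordinary digraphs like "st" or "ss" are not penalised."""
    chars = list(password)
    n = len(chars)
    out = []
    i = 0
    while i < n:
        j = i + 1
        step = None  # direction of the current run: -1, 0 or +1 in code points
        while j < n:
            d = ord(chars[j]) - ord(chars[j - 1])
            if d not in (-1, 0, 1):
                break
            if step is None:
                step = d
            elif d != step:
                break
            j += 1
        run_len = j - i
        if run_len >= min_run:
            out.append(chars[i])  # "123456789" contributes as much as "1"
        else:
            out.extend(chars[i:j])
        i = j
    return "".join(out)


def character_pool(password: str) -> int:
    """Size of the alphabet an attacker must search, summed over the character
    classes actually present. 32 for specials is an assumption (printable ASCII
    punctuation)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32
    return pool


def entropy_bits(password: str) -> float:
    """Bits of entropy under the assumption of independent, uniformly chosen
    characters: effective length * log2(pool). A lowercase-only password
    therefore needs to be longer than a mixed one to reach the same bits, which
    is the 'shorter, not short' point of the thread."""
    pool = character_pool(password)
    if pool == 0:
        return 0.0
    return len(collapse_sequences(password)) * math.log2(pool)


TARGET_BITS = 64  # assumption: where the meter shows 100%


def strength_percent(password: str) -> int:
    """Meter reading in percent, capped at 100."""
    return min(100, round(100 * entropy_bits(password) / TARGET_BITS))


if __name__ == "__main__":
    for pw in ("123456789", "password", "correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(f"{pw:28} effective={collapse_sequences(pw)!r:28} "
              f"bits={entropy_bits(pw):6.1f} meter={strength_percent(pw):3d}%")
```

With these assumptions "123456789" drops from the 25% mentioned in the magazine to about 5%, because its effective length is 1. The caveat that follows from Cristian's objection still applies: a class-and-length count has no notion of dictionary words or leetspeak substitutions, so something like "Tr0ub4dor&3" scores far higher than a dictionary-aware estimator would give it. That gap is exactly what a proper password-strength library closes.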