On Wednesday, 3 April 2013 22:39:47, Rolf Eike Beer wrote:
> Also punish all passwords harder that do not contain all types of
> characters, so a password containing only lowercase characters and numbers
> needs to be much longer than one also containing specials and uppercase
> characters.
You do realise that a password isn't truly random if it has to contain all types? I hate when I'm forced to do that.

For example, here are 10 passwords generated with keepassx with Upper, lower, numbers, minus, underline, and special characters:

                old   new
  "d3(;$puO      82    82
  S+157jz"9      92    72
  4Q%p6sZwo     100   100
  0We|va}!G      92    92
  *+"$ZIf6p      72    62
  'HC4@xiH?      82    80
  qbF\FdHCy      82    52
  '$Y(7sy8<     100    82
  )Nxrml@u[     100    90
  U-+*al`S)      82    62

Note how there are a few without digits. But since they're all randomly-generated using the same method, they all have the same probability.

For custom "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", I get:

                old   new
  4xy1pIrwy     100    60
  rv8AaI6G8      92    70
  YHbcA5C38      92    60
  h@abfjih6      72    55
  m!58L!TOD      52    42
  GNxzg&Rxz      82    52
  SFZN5$k@m      82    62
  7bmDx@*SW      82    72
  U2WVF9kLH      82    47
  tgD4cYGjo      82    62

Out of ten, only three got all four types of characters. All *ten* got a score lower than 75, which is your threshold for the green colour.

I generated 100 10-character passwords by base64 encoding /dev/urandom. With the old algorithm, 65% of the passwords were 100 points, 20% more between 90 and 99 and 10% between 80 and 89. With the new algorithm, only 14 passwords got 100 points, 21% are between 80 and 99 and 40% of them are between 70 and 79 points. There was even one entry that got 30 points.

I have to increase the password length to 14 characters to get 65% at 100 points. And they're all random.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Software Architect - Intel Open Source Technology Center
  PGP/GPG: 0x6EF45358; fingerprint: E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
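The argument in the reply can be checked numerically: for a uniformly random password the entropy depends only on length and alphabet size, while the chance that every character class appears is a separate inclusion-exclusion sum. The following is an added example written for this thread, not code from KDE or from either poster; the class sizes are constructed to match the 70-symbol custom alphabet quoted above (8 specials, 26 lowercase, 26 uppercase, 10 digits), and the function names are my own.

```python
"""Random passwords versus 'must contain every class' rules.

Added example: computes the real entropy of a uniformly random password
and the probability that such a password happens to contain all classes,
so a class-count rule's rejection rate can be compared to the entropy it
is supposedly measuring.
"""
import math
from itertools import combinations

# Constructed to match the custom alphabet quoted in the email:
# "!@#$%^&*" + a-z + A-Z + 0-9 = 70 symbols in four classes.
CLASS_SIZES = {"special": 8, "lower": 26, "upper": 26, "digit": 10}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password. It depends only on length
    and alphabet size, never on which classes actually showed up."""
    return length * math.log2(alphabet_size)


def p_all_classes(length: int, class_sizes: dict) -> float:
    """Probability that a uniform random password of `length` symbols drawn
    from the union of the classes contains at least one symbol of each class.
    Inclusion-exclusion over the subset of classes that are entirely absent:
    P(all present) = sum over subsets S of (-1)^|S| * ((N - |S|)/N)^length."""
    total = sum(class_sizes.values())
    names = list(class_sizes)
    prob = 0.0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = total - sum(class_sizes[c] for c in missing)
            prob += (-1) ** k * (remaining / total) ** length
    return prob


def expected_rejections(n_passwords: int, length: int, class_sizes: dict) -> float:
    """How many of n equally random passwords a 'must contain all classes'
    rule is expected to penalise, although all of them carry the same entropy."""
    return n_passwords * (1.0 - p_all_classes(length, class_sizes))


if __name__ == "__main__":
    alphabet = sum(CLASS_SIZES.values())
    for length in (9, 10, 14):
        print(f"len={length}: {entropy_bits(length, alphabet):.1f} bits, "
              f"P(all four classes present)={p_all_classes(length, CLASS_SIZES):.3f}")
```

For 9-symbol passwords from this alphabet the all-classes probability comes out near 0.46, so seeing only three of ten pass is unremarkable, while every one of them has the same 55 bits of entropy.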