On Wednesday, 3 April 2013 22.39.47, Rolf Eike Beer wrote:
> Also punish all passwords harder 
> that do not contain all types of characters, so a password containing only 
> lowercase characters and numbers needs to be much longer than one also 
> containing specials and uppercase characters.

You do realise that a password isn't truly random if it has to contain all 
types? I hate when I'm forced to do that.

For example, here are 10 passwords generated with keepassx with Upper, lower, 
numbers, minus, underline, and special characters:

                        old     new
"d3(;$puO               82      82
S+157jz"9               92      72
4Q%p6sZwo               100     100
0We|va}!G               92      92
*+"$ZIf6p               72      62

'HC4@xiH?               82      80
qbF\FdHCy               82      52
'$Y(7sy8<               100     82
)Nxrml@u[               100     90
U-+*al`S)               82      62

Note how there are a few without digits. But since they're all randomly-generated 
using the same method, they all have the same probability.

For custom 
"!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", I 
get:

4xy1pIrwy               100     60
rv8AaI6G8               92      70
YHbcA5C38               92      60
h@abfjih6               72      55
m!58L!TOD               52      42

GNxzg&Rxz               82      52
SFZN5$k@m               82      62
7bmDx@*SW               82      72
U2WVF9kLH               82      47
tgD4cYGjo               82      62

Out of ten, only three got all four types of characters. All *ten* got a score 
lower than 75, which is your threshold for the green colour.

I generated 100 10-character passwords by base64 encoding /dev/urandom. With 
the old algorithm, 65% of the passwords were 100 points, 20% more between 90 
and 99 and 10% between 80 and 89. With the new algorithm, only 14 passwords 
got 100 points, 21% are between 80 and 99 and 40% of them are between 70 and 
79 points. There was even one entry that got 30 points.

I have to increase the password length to 14 characters to get 65% of 100 points. 
And they're all random.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
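
The effect described in the message above can be computed exactly. The following is an added example, not part of the original message or of the project's code: it uses inclusion-exclusion to find how often a uniformly random password contains every character class, and how many bits are lost if only such passwords are accepted. It assumes each character is picked independently and uniformly, and that the /dev/urandom test used the standard base64 alphabet; the function names are this example's own.

```python
import math
import string
from itertools import combinations

# Custom alphabet quoted in the message above (70 characters).
CUSTOM = "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Standard base64 alphabet without padding (assumed for the /dev/urandom test).
BASE64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def class_sizes(alphabet):
    """Count how many distinct symbols of each character class the alphabet has."""
    sizes = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for ch in set(alphabet):
        if ch in string.ascii_lowercase:
            sizes["lower"] += 1
        elif ch in string.ascii_uppercase:
            sizes["upper"] += 1
        elif ch in string.digits:
            sizes["digit"] += 1
        else:
            sizes["special"] += 1
    return sizes


def p_all_classes(alphabet, length):
    """Exact probability that a uniformly random password uses every class.

    Inclusion-exclusion over the sets of classes that are entirely missing.
    """
    sizes = [n for n in class_sizes(alphabet).values() if n]
    total = sum(sizes)
    p = 0.0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            p += (-1) ** k * ((total - sum(missing)) / total) ** length
    return p


def entropy_bits(alphabet, length, require_all=False):
    """Entropy of a uniform pick; with require_all, only compliant passwords remain."""
    bits = length * math.log2(len(set(alphabet)))
    if require_all:
        bits += math.log2(p_all_classes(alphabet, length))
    return bits


if __name__ == "__main__":
    for name, alpha, n in (("custom", CUSTOM, 9), ("base64", BASE64, 10), ("base64", BASE64, 14)):
        print(f"{name:6} len={n:2}  P(all classes)={p_all_classes(alpha, n):.3f}  "
              f"bits={entropy_bits(alpha, n):.1f}  "
              f"bits if all classes forced={entropy_bits(alpha, n, True):.1f}")
```

For the 9-character custom alphabet roughly 46% of uniformly random passwords contain all four classes, and for 10-character base64 output roughly 21% do, mostly because only two of the 64 symbols are specials.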
