On Thursday 04 April 2013 00:53:28 Rolf Eike Beer wrote:
> On Wednesday 03 April 2013, 14:53:40, Thiago Macieira wrote:
> > On Wednesday, 3 April 2013 22.39.47, Rolf Eike Beer wrote:
> > > Also punish all passwords harder that do not contain all types of
> > > characters, so a password containing only lowercase characters and
> > > numbers needs to be much longer than one also containing specials
> > > and uppercase characters.
> >
> > You do realise that a password isn't truly random if it has to
> > contain all types? I hate when I'm forced to do that.
> >
> > For example, here are 10 passwords generated with keepassx with
> > Upper, lower, numbers, minus, underline, and special characters:
> >
> > Note how there are a few without digits. But since they're all
> > randomly-generated using the same method, they all have the same
> > probability.
> >
> > For custom
> > "!@#$%^&*abcdefghijklmnopqrstuvxwyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
> > I get:
> >
> > Out of ten, only three got all four types of characters. All *ten*
> > got a score lower than 75, which is your threshold for the green
> > colour.
>
> There are 5 types of characters (also in the old algorithm): uppercase,
> lowercase vowel, lowercase consonant, digits, and specials. You are
> right, and indeed there are 2 changes to the algorithm that I do:
> penalize sequences and penalize too few types. Especially the latter
> part may need some tweaks. From my point of view there is no need to
> divide lowercase characters in 2 classes; in an earlier version of my
> patch I even removed this.

The distinction between vowels and consonants has been added to try to
detect normal words. The password "kgnlhtbm" should have a higher score
compared to "pibatero". In the latter, the changes between vowels and
consonants make it look like a word (even if it isn't, at least not in
any language I know).

> > > I generated 100 10-character passwords by base64 encoding
> > > /dev/urandom. With the old algorithm, 65% of the passwords were
> > > 100 points, 20% more between 90 and 99 and 10% between 80 and 89.
> > > With the new algorithm, only 14 passwords got 100 points, 21% are
> > > between 80 and 99 and 40% of them are between 70 and 79 points.
> > > There was even one entry that got 30 points.
> > >
> > > I have to increase the password length to 14 characters to get 65%
> > > of 100 points. And they're all random.
>
> I have changed my algorithm in some ways and rechecked: removed vowel
> class, divide by one less than we have character classes, and both.
> Then your random passwords give better results with the new algorithm,
> sometimes even better than with the old one. There are a few exceptions
> (qbF\FdHCy, U2WVF9kLH) that still score worse with the new algorithm.
> One of them has no digit, the other no special, so I am not surprised
> as there are very few transitions between character classes in them.
>
> So, yes, you are absolutely right. Suggestions about how to improve
> that are absolutely welcome.
>
> Eike

Christoph Feck (kdepepo)
KDE Quality Team
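As an added example (not code from the thread or from KDE), the Python below works through Thiago's objection with the 70-character alphabet he quoted: the entropy of a uniformly generated password is fixed by the generator, while the share of such passwords that contain all four classes, and so the share a "too few types" penalty would mark down, follows from inclusion-exclusion. The four-way class split (special/lower/upper/digit) and the use of the two passwords Eike named as inputs are assumptions made here.

```python
"""Added example (not KDE's code): how a 'must contain every character
class' rule treats uniformly random passwords, using the 70-character
alphabet quoted in the thread (8 specials, 26 lower, 26 upper, 10 digits)."""
from itertools import combinations
from math import log2

# Class sizes of the quoted alphabet; the four-way split is an assumption.
CLASS_SIZES = {"special": 8, "lower": 26, "upper": 26, "digit": 10}

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: fixed by the generator,
    not by which classes happen to appear in one sample."""
    return length * log2(alphabet_size)

def prob_all_classes(class_sizes: dict, length: int) -> float:
    """Probability that a uniformly random password has at least one
    character of every class (inclusion-exclusion over missing classes)."""
    total = sum(class_sizes.values())
    names = list(class_sizes)
    prob = 0.0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = total - sum(class_sizes[n] for n in missing)
            prob += (-1) ** k * (remaining / total) ** length
    return prob

def effective_bits_if_all_required(class_sizes: dict, length: int) -> float:
    """Keyspace left after rejecting every password that lacks a class."""
    total = sum(class_sizes.values())
    return entropy_bits(total, length) + log2(prob_all_classes(class_sizes, length))

def classes_present(password: str) -> set:
    """Classes actually present in one password (same four-way split)."""
    def kind(c: str) -> str:
        return ("upper" if c.isupper() else "lower" if c.islower()
                else "digit" if c.isdigit() else "special")
    return {kind(c) for c in password}

if __name__ == "__main__":
    total = sum(CLASS_SIZES.values())
    for length in (10, 14):  # the two lengths Thiago compared
        p = prob_all_classes(CLASS_SIZES, length)
        print(f"{length} chars: {entropy_bits(total, length):.1f} bits, "
              f"{p:.0%} contain all four classes, "
              f"{effective_bits_if_all_required(CLASS_SIZES, length):.1f} bits "
              "if the rest are rejected")
    for pw in ("qbF\\FdHCy", "U2WVF9kLH"):  # the two low scorers Eike named
        print(pw, "lacks", sorted(set(CLASS_SIZES) - classes_present(pw)))
```

Roughly half of the 10-character outputs lack some class even though every one of them carries the same 61 bits, which is why a scorer that counts classes present disagrees with the generator about their strength.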