zedisdad

Not only is the password generator garbage but so is the "strength" estimator. Right now all pronounceable 3-word passwords show up as weak, even with "digits" selected. Most websites I use do not allow for passwords longer than 20-characters, which means all my pronounceable passwords generated by Enpass are garbage. I recommend you go back to v5 if you can, which I did. The argument enpass is offering is that adding numbers does not improve strength much. That argument has a serious fallacy in it, which is that you know that a number is added. Every other generator I use shows that adding numbers at the end of words improves strength substantially. But if your generator always adds a number at the end of entire password, then yeah, enpass is right, "adding numbers" don't matter...

This entropy measure assumes that attacker knows I'm using a diceware password (which now thanks to this forum everyone knows that I do). But if you didn't know that i use diceware, throwing random numbers at random locations significantly improves the entropy. Do the math. Finally, it is pretty silly to have a feature that says "digits" in a password generation tool which only inserts one digit at the end of the password. Why include that feature to begin with? It does not hurt to include more random digits (we agree about that), and your only argument is that adding more digits does not improve entropy "too much" (we disagree about that). Unless you can quantify the cost vs benefit in adding digits at random locations in a pronounceable password, then at this point I see Enpass as being nothing but mule stubborn about this. So either remove this half-arsed feature, or add it properly. Z

@Vinod Kumar, While I am not a password generation expert, I will be surprised if i am wrong about this one, as as I am a data compression guy and I know my entropies. Telling me that a 3 word long password has always a digit at the end (e.g., cheetah-ford-plane2) has a smaller entropy than a password where the digits may be (or may not be) placed at beginning/end of every word (cheetah4-3ford-plane2). Just check the strength of both passwords above using any software (except your own) and you will see the difference in strength. Now the issue it seems is the way your dropbox password generator is computing strengths. It is not really computing entropy at all, but rather an estimate based on recognizable patterns. Bottom line is: I really do not like that your password generator always tells me that my 20-character pronounceable passwords are weak. Many websites constrain length to 20. I see 3 fixes: 1) manually add numbers at beginning/end of every word (I don't know why Enpass doesn't do this anyway already, what's the downside?), 2) ignore your strength estimator, which will ultimately lead to 3) use another software than Enpass. Z

Alfredo, this is not the issue I am talking about here but, to answer your question, Enpass say they are using a new password strength estimator (called zxcvbn). When looking into it, it appears that zxcvbn is a rapid/low-resource password strength estimation algorithm. Some comparisons have been made between zxcvbn and other strength estimation methods, and the result really depends on what you use as the metric. I think zxcvbn really hates pronounceable passwords (because it searches for patterns in the password). I personally am starting to ignore the strength estimation I am seeing with Enpass 6.0. Still, the main problem is not strength estimation for me, it's generating weak passwords by only adding ONE digit to the end of the entire password. This is a bug, it was not like this in previous versions. Z

Your 'new' password generator may potentially have a bug. If you select Pronounceable passwords, and Include Digits, then it only adds ONE digit at the end of the string of characters. In previous versions, the generator would add a number at beginning/end of every 'word' element, thus making the same length password much stronger. Right now, all your 3 word pronounceable passwords come up as 'weak,' which is ridiculous. I don't get 'good' pronounceable passwords until I hit 6 words, ~40 characters, which most websites that I use won't accept. Please fix this asap, this is a serious flaw, unless i completely misunderstand this new 'feature.' Thanks, Z OS: Mac 10.13 High Sierra Enpass: v6.0.0