Jump to content
Sign in to follow this  
Ryan

Password audit too forgiving

Recommended Posts

Two issues with the password audit:

1) It's way too forgiving, here is an example:

it rates the password "weak" as "very weak" (great, it is), "veryweak" as "good" (what? this would fall to a dictionary attack in seconds!)

2) No options in the password audit to find so-called "good" passwords. Every password I had in my library after importing from my old password manager was rated "good" or better. Some of them (since changed), I'm ashamed to admit were very bad passwords (as evidenced by them being what Enpass calls "good"), and I would have liked to have been able to do a search for these as well rather than just scrub through the manually.

Share this post


Link to post
Share on other sites

Hi @Ryan,

Thanks for sharing your thoughts. Our current password strength meter was designed primarily for our password generator only. It is entirely based on entropy calculation. Unfortunately it doesn't check for dictionary words because it is very highly unlikely that our  password generator will generate a dictionary based password. However, we do check for 10000 most commonly used passwords and mark them very weak. 

The good news is that a better password strength meter inspired from dropbox-zxcvbn is currently in primary stage of development. I would also like to share that a new password generator (with Diceware for pronounceable passwords) is ready to be rolled out for all supported platforms soon.
 

Share this post


Link to post
Share on other sites
On 26. 5. 2016 at 2:08 PM, Vinod Kumar said:

Hi @Ryan,

Thanks for sharing your thoughts. Our current password strength meter was designed primarily for our password generator only. It is entirely based on entropy calculation. Unfortunately it doesn't check for dictionary words because it is very highly unlikely that our  password generator will generate a dictionary based password. However, we do check for 10000 most commonly used passwords and mark them very weak. 

The good news is that a better password strength meter inspired from dropbox-zxcvbn is currently in primary stage of development. I would also like to share that a new password generator (with Diceware for pronounceable passwords) is ready to be rolled out for all supported platforms soon.
 

Hi,

it's been a while and there is no sign of update to password strength meter. I don't think that "123456123456123456" is "super" strong password - according to your meter it is. 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×
×
  • Create New...