Enpass Discussion Forum

Is Enpass' password strength checker overly conservative leading to longer passwords than necessary?


Mando


Please see this post which I found which is very similar to my questions:

https://discussion.enpass.io/index.php?/topic/27234-password-strenght/#comment-77241

 

They list several password checker sites, which all show a password as strong but which Enpass shows as weak. I would add these to the list:
https://www.passwordmonster.com/
https://nordpass.com/secure-password/
https://bitwarden.com/password-strength/

The answer in that other post was the following:
"Different password strength checkers use different ranges and algorithms to estimate strength of a password. Please go through this link to see how Enpass
estimates strength of a password."

For me, I feel that this misses the point somewhat. The point for me is to answer the following:

  • Do we agree to the original point, which is that all these other sites are providing more favorable assessments than Enpass?
  • Do we agree, alone or in aggregate, that these sites provide assessments that we can rely on? i.e. if they say a password is strong, then it is strong? If they say it takes centuries to crack a password, then that is what it takes?
  • Do we agree that this results in more unwieldy passwords when following Enpass advice?
  • Are these unwieldy passwords warranted, or are they unnecessarily long and complicated? In the case of a three-word passphrase, should we really keep inflating a supposedly "weak" password to 4 or 5 or 6 or 7 words (and only 8 actually seems to induce an "excellent" rating in Enpass) when all these other password checkers say the three-word passphrase is STRONG and will take centuries to crack?

In the end, I find myself having to exit Enpass and go over to these websites to feel confident that the password complexity is really necessary. Please, I hope no one says that ever-longer passwords "can't hurt." They do. They lead to non-compliance amongst many other things I'm sure, I don't pretend to be an expert. But I know this: not everyone in my family uses password managers. I'm trying to convince them, but we're not there yet. However, they do let me help register some accounts for them and even keep their credentials in Enpass for them, in case they forget. But for them they just enter passwords manually. Unnecessarily long passwords do not work. They just change them to something really ridiculous.

Finally, if I'm on someone else's laptop with them, and need to log into one of my accounts, I'm stuck too. I can look up the password on my phone, sure, but now I have to type it all out, looking back and forth the whole time, and losing my place, often meaning I have to do the whole thing all over again. Shorter passwords would be great.

So... it's a valid question. Can I work with Enpass Generator and all the automated filling and other features, or do I instead need to go to these other sites?

Thank you to anyone who responds this weekend, I would normally submit this question directly to Enpass support but they are closed and it would be ideal to get some input now. Thanks


It sounds like you are seeking permission to use weak passwords.  I grant you permission.

The point of password managers is to use the most secure passwords possible.  I, for example, make mine 40 characters with all character types included in its construction.  I do that because I don't have to type them in.  That is the password manager's job.  For the few passwords I might have to type in (such as my Chromebook password), I use a passphrase with enough words for at least 30  characters, but that is easy to type and remember.

It sounds like your use case would be better served by Bitwarden or Proton Pass where there is access to your vault via their web page.  When on another person's computer, you'd simply have to log in (using the memorable passphrase I mentioned above), then you'd have access to your passwords that you could copy/paste.

I was a LastPass user when their vault was stolen.  That taught me a valuable lesson about secure passwords.  As such, I appreciate that Enpass is entirely self hosted.  I do use Proton Pass for non-financial passwords that can be shared and that wouldn't damage me if stolen/hacked (such as Facebook, forums, news sites, etc.).


On 2/17/2024 at 5:35 AM, Mando said:

Finally, if I'm on someone else's laptop with them, and need to log into one of my accounts, I'm stuck too. I can look up the password on my phone, sure, but now I have to type it all out, looking back and forth the whole time, and losing my place, often meaning I have to do the whole thing all over again. Shorter passwords would be great.

Get yourself Enpass Portable.

1 hour ago, TN_Dude said:

It sounds like you are seeking permission to use weak passwords

Sounds like it. Not wanting to put in a longer PW is no excuse. Deal with your family so they accept this or tell them you won't bother anymore. 

 

PasswordMonster and NordPass both do not state how they calculate their strength. Bitwarden does, same technique as Enpass, but with words Enpass uses another method as well. This would all be visible to you if you read the link in the referred discussion here.

 

Quote

zxcvbn is for service providers when new users are signing up or current users are changing their passwords. It's a way for the service provider to set a minimum expectation on what they define a "secure password" to be.

zxcvbn is not for end users to test their password strength against. Instead, you should be using the password generator that ships with your password manager. Then strength testing tools like zxcvbn don't have any value.

On 4/5/2024 at 12:41 AM, TN_Dude said:

It sounds like you are seeking permission to use weak passwords.  I grant you permission.

The point of password managers is to use the most secure passwords possible.  I, for example, make mine 40 characters…

Thank you for the time and thought put into your response.

I wasn’t asking for anyone’s permission to use weak passwords. I was asking whether or not they WERE weak in the first place. These other sites say they are not. It sounds like you’re saying all these other sites are wrong.

The point of password managers is NOT to use the most secure passwords possible. It is to use the most secure passwords *acceptable.* That’s why the Enpass Password generator has a rating system. It encourages the average user to use an *acceptable* level of password security. No typical user is going to use a 40-char password. In fact, the Enpass generator doesn’t recommend that. It would seem in your judgement that the generator would therefore be faulty. Also, if someone were to recommend an 80-char password, then your password would not be seen as strong “enough” and therefore unacceptable. 

Where does it end? What is “enough?”

That’s the point of my question. Somewhere along the spectrum lies a point between “enough” and “too much.” Where is that? How do we know? Is the Enpass Generator enough or too much? Suggesting ever longer and longer passwords is not the answer. That just becomes more and more of the “too much.” 40, 80, 600 characters. What is enough?
 

Do I have the answer to this? No. Of course not. I’m just the one posing the question, hopefully ably enough to get the ball rolling. And you’ve helped keep the ball rolling, which I appreciate. I just feel like we’ve still missed something. 
 

Do we have reason to believe that all the other sites are wrong, and the Enpass generator is right, as far as “enough” and “acceptable“ are concerned? How do we judge? Maybe there’s a study that shows a test of the passwords generated by these sites, or something similar. I don’t know. It’s possible I’m not even asking the question correctly, in which case I apologize for wasting anyone’s time trying to figure it out. I’ve definitely waded out pretty deep on this one and I’m not even sure how well I can swim.


I don't rely or even look at what Enpass or any other site tells me is "good enough".  With computers getting faster and clusters of computers getting cheaper, those suggestions have a relatively short expiration date.  Over time, what was once "good enough" no longer is.  I'm using a long password and letting Enpass keep track of it (meaning I don't care that it might be longer than necessary).  I'm going with passwords that should be good for the foreseeable future, if not my lifetime.


Posted (edited)

So, the question was whether or not we have some external authority we could trust to tell us what makes an acceptable password. Individuals will have their own assessment and opinion on what makes sense for them, and that may be a many-character password. But the idea was that maybe we could trust these other password checker sites. There was some evidence that they were using a weaker strength-testing tool like zxcvbn, which seemed a reasonable point to be made suggesting that the other sites could not be trusted. All well and good. It may be safe to say that we shouldn't use any of those sites (although of course they would protest).

But then I found the following chart, and ones similar to it. It shows a 12-character password taking 37,000 years to crack. If you change it at least once in the next five years you're probably going to be alright. Or, there will be all sorts of news stories about how computing power just jumped quadrillion in which case no password is going to matter. That kind of thing.

[image: Hive Systems password-cracking time chart]

Credit goes to Komando, the authors of the following page, and to Hive Systems themselves, of course: 

https://www.komando.com/security/check-your-password-strength/783192/ 

 

Next, I found a cost calculator that showed it would cost millions of dollars to crack that 12-character password. That's part of the equation too. When would a hacker just give up and not care about your stuff anymore? I think "millions" meets that definition. And if you're thinking governments want access to your Netflix account, well... 

So I feel like that's a couple of empirical ways of looking at it. There doesn't seem to be any right answer out there, at least not above 12-characters. Smarter people than me argue for pages and pages on Reddit and none of them have reached a universal conclusion - although the frantic screeching sound heard when discussing 2-9 characters starts to drop precipitously once you reach 10, 11, and 12. People at least seem a lot less certain that 12 is bad, is what I mean.

There is also the concept that authentication processes will change/improve in the near future also - likely making our passwords defunct long before even their expected expiry date. We're already headed to passwordless, for example.

Finally, there's humility. Nobody cares about me so much as to spend $100k, never mind a million, to get at my account. They're going to give up rather quickly.

 

The following works, for me - use at your own discretion:

  • upper lower numbers symbols, most likely in a memorable passphrase format (1boston~Beer)
  • 12-character-minimum is "enough" for normal use - Netflix, LinkedIn, Facebook, email
  • 14-character-minimum for financial accounts and all-encompassing services like Google/iCloud*
  • 15-20+ characters just as a natural consequence of the passphrase growing to be that long (because it's so easy)(1boston~beer-keg.-yay!)

* only because of the priceless value (to me) of my documents and photos (e.g. in Google Drive), and also how it cascades to other services, like "Google Sign-in" used for other sites.

Bottom line: make sure you don't ever drop below 12, but then have a bias towards 15-20, however many characters your passphrase turns out to be, or whatever the length of the easiest passphrase is.

Edited by Mando
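An added illustration (not from any poster in this thread, nor Enpass's or zxcvbn's code) of why the crack-time chart above and a zxcvbn-style checker can rate the same passphrase so differently: the chart assumes brute force over character classes, while a dictionary model assumes the attacker already knows the wordlist. Guess-rate figures are zxcvbn's published scenarios; the passphrase and the 7776-word list size (the EFF long wordlist) are constructed inputs.

```python
import math

# Guess-rate scenarios taken from zxcvbn's crack-time estimates:
# 1e10/s is its "offline fast hashing" case, 1e4/s its "offline slow hashing" case.
OFFLINE_FAST_HASH = 1e10
OFFLINE_SLOW_HASH = 1e4
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Character-class model used by crack-time charts: the attacker is assumed
    to try every string over the character classes that appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def brute_force_bits(password: str) -> float:
    """Search-space size in bits under the character-class model."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(num_words: int, wordlist_size: int) -> float:
    """Dictionary model (what zxcvbn-style estimators apply to passphrases):
    each word is one pick from a list the attacker knows, so the search space
    is wordlist_size ** num_words no matter how long the words are."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case years needed to try the entire space at the given guess rate."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def compare_models(passphrase: str, num_words: int,
                   wordlist_size: int = 7776, rate: float = OFFLINE_FAST_HASH) -> dict:
    """Years-to-exhaust for one passphrase under both models at one guess rate."""
    return {
        "brute_force_years": years_to_exhaust(brute_force_bits(passphrase), rate),
        "wordlist_years": years_to_exhaust(wordlist_bits(num_words, wordlist_size), rate),
    }


if __name__ == "__main__":
    # Constructed three-word lowercase passphrase: ~138,000 years by brute force, under a minute by dictionary.
    print(compare_models("horsecandlepiano", num_words=3))
```

The takeaway for the thread's question is that the "years to crack" a checker reports depends entirely on which model and guess rate it assumes, so two checkers can both be internally consistent and still disagree by many orders of magnitude.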

Posted (edited)

Regarding the topic as a whole:

In my mind, my last post does seem to indicate that the Enpass Password Generator is too conservative. That's based on my limited research. Anybody out there from Enpass? Is there an explanation of the methodology that would show that the Password Generator is "just right?" I'd be among the happiest to hear about it, as I'm about to create all my future passwords based off of my last post. lol

Edited by Mando