Jump to content
Sign in to follow this  
albopf

Password meter difference from Version 5

Recommended Posts

This has been debated over and over online: length/entropy versus complexity. A cartoon spoke of linked random words such as “correct battery horse staple” as taking 500 years to crack simply because of its length. An article in ars technica spoke simply of good password hygeine consisting of a combination of lowercase letters plus at least one uppercase, one number, and one symbol—all with a minimum length of 15 characters.

An article I have seen, describes this as good enough for many large firms and government agencies. This second, I have followed with a secure password generator at xkpasswd.net.

Enpass V5 shows my passwords as Strong. V6 shows most of them as “Very weak”. Obviously, the V6 password meter has changed. To acquire satisfaction with the V6 meter I would have to go through a week-long spate of password changes (as I did with V5). Is there a way I may change the “theory” or pattern the password meter uses to judge the strength of passwords in V6?

Share this post


Link to post
Share on other sites

Hi @albopf,

Thanks for writing in.

Today hackers have more resources than ever for password cracking at their disposal and we don't know which website uses which password hashing algorithm at their backend. We have to assume worst case scenario. Hence in Enpass 6, we have revised the range for password strength which categorizes the passwords as following based on the entropy

  • Poor : Entropy <=40
  • Weak: Entropy <=60
  • Average: Entropy <=80
  • Good: Entropy <= 128
  • Excellent: Entropy > 128

  Hope this answer your query.

Share this post


Link to post
Share on other sites

Thank you for your kind and patient response (both here and via email).

I noted that the “length” attribute was not always applied in V6 when the password was sufficiently—as you might call it—complex. Perhaps my shoddy memory is in error. Entirely likely. I often have senior moments.

Therefore, I deduce our theories of what constitutes a strong password differs. For enpass you have chosen a different character set. Mine, as you know, includes shorter alpha sequences (interpretable by a few cultural groups), unpredictably capitalized and oddly separated/punctated so as to comply, in many cases, with corporate rules. As it were.

When V6 becomes the “norm”, we shall simply ignore the password meter in enpass. We have password testers elsewhere.

Thanks again.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...