Jump to content
Enpass Discussion Forum

Password meter difference from Version 5


Recommended Posts

This has been debated over and over online: length/entropy versus complexity. A cartoon spoke of linked random words such as “correct battery horse staple” as taking 500 years to crack simply because of its length. An article in ars technica spoke simply of good password hygeine consisting of a combination of lowercase letters plus at least one uppercase, one number, and one symbol—all with a minimum length of 15 characters.

An article I have seen, describes this as good enough for many large firms and government agencies. This second, I have followed with a secure password generator at xkpasswd.net.

Enpass V5 shows my passwords as Strong. V6 shows most of them as “Very weak”. Obviously, the V6 password meter has changed. To acquire satisfaction with the V6 meter I would have to go through a week-long spate of password changes (as I did with V5). Is there a way I may change the “theory” or pattern the password meter uses to judge the strength of passwords in V6?

Link to comment
Share on other sites

Hi @albopf,

Thanks for writing in.

Today hackers have more resources than ever for password cracking at their disposal and we don't know which website uses which password hashing algorithm at their backend. We have to assume worst case scenario. Hence in Enpass 6, we have revised the range for password strength which categorizes the passwords as following based on the entropy

  • Poor : Entropy <=40
  • Weak: Entropy <=60
  • Average: Entropy <=80
  • Good: Entropy <= 128
  • Excellent: Entropy > 128

  Hope this answer your query.

Link to comment
Share on other sites

Thank you for your kind and patient response (both here and via email).

I noted that the “length” attribute was not always applied in V6 when the password was sufficiently—as you might call it—complex. Perhaps my shoddy memory is in error. Entirely likely. I often have senior moments.

Therefore, I deduce our theories of what constitutes a strong password differs. For enpass you have chosen a different character set. Mine, as you know, includes shorter alpha sequences (interpretable by a few cultural groups), unpredictably capitalized and oddly separated/punctated so as to comply, in many cases, with corporate rules. As it were.

When V6 becomes the “norm”, we shall simply ignore the password meter in enpass. We have password testers elsewhere.

Thanks again.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...