Jump to content
zedisdad

Broken password generator

Recommended Posts

Your 'new' password generator may potentially have a bug.  If you select Pronounceable passwords, and Include Digits, then it only adds ONE digit at the end of the string of characters.   In previous versions, the generator would add a number at beginning/end of every 'word' element, thus making the same length password much stronger. Right now, all your 3 word pronounceable passwords come up as 'weak,' which is ridiculous.  I don't get 'good' pronounceable passwords until I hit 6 words, ~40 characters, which most websites that I use won't accept.  Please fix this asap, this is a serious flaw, unless i completely misunderstand this new 'feature.'

Thanks,

Z

OS: Mac 10.13 High Sierra
Enpass: v6.0.0 

Share this post


Link to post
Share on other sites

Hi there,

 

I'm also concern about the new password generator... I've been using enpass for a long time now and really never had the need to come to this forum before, until now. Why is that all passwords I've generated so far were categorized as strong by enpass and now are marked to be only weak or good at better... Can you please give an explanation to that?

 

Br,

Alfredo

 

Share this post


Link to post
Share on other sites

Alfredo, this is not the issue I am talking about here but, to answer your question, Enpass say they are using a new password strength estimator (called zxcvbn).  When looking into it, it appears that zxcvbn is a rapid/low-resource password strength estimation algorithm.  Some comparisons have been made between zxcvbn and other strength estimation methods, and the result really depends on what you use as the metric.  I think zxcvbn really hates pronounceable passwords (because it searches for patterns in the password).  I personally am starting to ignore the strength estimation I am seeing with Enpass 6.0.  

Still, the main problem is not strength estimation for me, it's generating weak passwords by only adding ONE digit to the end of the entire password.  This is a bug, it was not like this in previous versions.

 

Z

Share this post


Link to post
Share on other sites

Hi all,

The digit and uppercase options are purely for satisfaction of some websites password policies. Adding uppercase and digits at random places in a pronounceable/diceware password does not contribute to entropy significantly, but adding a additional word will. Moreover, such a password is not pronounceable/memorable at all. First capital letter can be remembered easily and trailing digit can be memorized as an additional word. 

Also, Password Strength calculator ranges have been changed. Please read this page how it works.

Hope this clears the doubt.

Share this post


Link to post
Share on other sites

@Vinod Kumar: while it is correct that moving the uppercase letter or number won't contribute to entropy mathematically, it should be noted that having them at fixed positions reduces the number of possibilities as it is known that first letter is upper- or lower case and there might be a number attached to the passphrase (or not).

I liked the old version of the password generation and I think it was a really good way to have both: complex passwords and somehow to memorize. 

Isn't there a way to have the old function back have a "semi-pronounceable" password using the previous password generator?

Share this post


Link to post
Share on other sites

@Vinod Kumar,

While I am not a password generation expert, I will be surprised if i am wrong about this one, as as I am a data compression guy and I know my entropies.  Telling me that a 3 word long password has always a digit at the end (e.g., cheetah-ford-plane2) has a smaller entropy than a password where the digits may be (or may not be) placed at beginning/end of every word (cheetah4-3ford-plane2).  Just check the strength of both passwords above using any software (except your own) and you will see the difference in strength.

Now the issue it seems is the way your dropbox password generator is computing strengths.  It is not really computing entropy at all, but rather an estimate based on recognizable patterns.  

Bottom line is: I really do not like that your password generator always tells me that my 20-character pronounceable passwords are weak.  Many websites constrain length to 20.    I see 3 fixes: 1) manually add numbers at beginning/end of every word (I don't know why Enpass doesn't do this anyway already, what's the downside?), 2) ignore your strength estimator, which will ultimately lead to 3) use another software than Enpass.

Z

 

Share this post


Link to post
Share on other sites

Hi Vinod,

 

Thanks for replying, unfortunately for me, the page you redirect me to, have worsened things for me.

I have come to the conclusion that if I only chose four words in Spanish or five to six words in English, not having them to be random

at all (actually they can form an actual sentence, that is easier to remember) and test it against your password checker then it says

these passwords are strong enough. Find below some examples that much the new level of security... see my point? Do you really think

those passwords are good enough?

 

English:

what about you and me frea

Is there any strongest p?

Are you kidding me at all

This is easy to rembember

 

Spanish:

tanto monta monta tanto

a quien le importa  (with a final space)

No puede ser que sea

 

Thanks in advance,

Alfredo.

 

 

Share this post


Link to post
Share on other sites

Hi @sunsudio,

15 minutes ago, sunsudio said:

what about you and me frea 

The idea behind diceware/pronounceable is randomness of order of words. Out of 14400 words, every word is selected at random. What about "and frea about you what me". This looks better, right? By using Enpass password generator, getting this kind of word sequence is highly unlikely. Please see more detailed explanation about Diceware here.

http://world.std.com/~reinhold/diceware.html

 

@zedisdad When you are using a diceware/pronounceable password, its entropy is calculated by two means.

1. Diceware: Calculated based on number of words. Any addition of symbols, digits, uppercase are ignored.

2. Zxcvbn: Calculated based on Zxcvbn algorithm. 

Enpass show strength based on whichever of two is lower. So if, diceware entropy of "cheetah4-3ford-plane2" says weak and zxcvbn says average and it will be considered as weak. You can't know in advance what methodology an attacker will apply. Additionally, Zxcvbn considers all known type of methodologies an attacker will apply to reduce number of guesses for your password.

If a website forces shorter length passwords, you must use random passwords not pronounceable. As I told already adding digits at random places is little gain as compare to an additional word.

Thanks.

 

 

Share this post


Link to post
Share on other sites

Hi there,
 

Thanks Vinod, I have carefully read diceware.html twice. I only have one last question: do you think "are you sure this is a good password or not" is a good password or passphrase? because I can do a lot of them and Enpass is always telling me that they're the strongest. My concern is that until now I relied on Enpass to test my passwords against it and it always told me that my passwords were strong enough and now the better is only "good" while the rest are weak. 

 

Best Regards,

Alfredo.

 

Share this post


Link to post
Share on other sites
13 hours ago, Vinod Kumar said:

When you are using a diceware/pronounceable password, its entropy is calculated by two means.

1. Diceware: Calculated based on number of words. Any addition of symbols, digits, uppercase are ignored.

This entropy measure assumes that attacker knows I'm using a diceware password (which now thanks to this forum everyone knows that I do).  But if you didn't know that i use diceware, throwing random numbers at random locations significantly improves the entropy.  Do the math.  

Finally, it is pretty silly to have a feature that says "digits" in a password generation tool which only inserts one digit at the end of the password. Why include that feature to begin with?  It does not hurt to include more random digits (we agree about that), and your only argument is that adding more digits does not improve entropy "too much" (we disagree about that).  Unless you can quantify the cost vs benefit in adding digits at random locations in a pronounceable password, then at this point I see Enpass as being nothing but mule stubborn about this.  

So either remove this half-arsed feature, or add it properly.

Z

Edited by zedisdad
  • Like 1

Share this post


Link to post
Share on other sites

I've noticed in v6 that generating prounceable passwords with Uppercase and digits always results in the first character of the whole password being upper case and the last character being a number.

Whereas, in v5 the digits are added to the ends of each of the words and the Uppercase characters are randomly on the first or last character of any the words.

The v5 behaviour is better IMO.

Example:

Correct-horse-battery-staple9 <- v6

correct0-horse4-2Battery-Staple <-v5

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×