Is the KeePass built-in "Quality" (by bits) meter a reliable tool regarding how passwords are cracked?

kippr
2014-06-06
2014-11-07
  • wellread1
    2014-06-06

    The KeePass estimator has been carefully optimized, and examples of how its estimates compare to other estimators are found at http://keepass.info/help/kb/pw_quality_est.html.

    Password Strength is the ability of a Password to resist being guessed by an attacker whose guessing strategy takes advantage of a thorough understanding of human preferences when selecting and creating passwords. (my definition)

    Password strength estimating is a game of second guessing, where an estimator algorithm attempts to spot weaknesses that humans introduce into their passwords. The estimator algorithm has the advantage of knowing the actual password, but the estimator must be quick (limited), and it cannot predict the specific guessing strategy of a particular attacker. Password estimators (including KeePass) frequently describe Quality in terms of Entropy using units of bits. In doing so they are trying to relate their estimates of password strength to the strength of similar randomly generated passwords. Since humans construct passwords with different objectives than random generators, there is considerable uncertainty in estimates.

    Last edit: wellread1 2014-06-06
  • Ilia Barski
    2014-11-03

    The KeePass (v. 1.28) password quality estimator still makes an error if the password field contains a reference to another entry/field, for example "{REF:P@T:some another entry}". In this case the estimator shows the strength as 106 bits (28 ch.) although the password field of the entry "some another entry" contains a password of only two letters.
    So the strength is calculated not for the password itself but for the text in the password field.
    In this case the estimator incorrectly assures the user that the password is very secure and therefore hurts information security. The KeePass authors were informed about this issue years ago via the bug tracker, but have ignored it.

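The two points above (wellread1's "bits of a comparable random password" baseline, and Ilia Barski's report that the field text rather than the referenced password gets scored) can be made concrete with a small toy estimator. This is an added example and not KeePass's own estimator or code: it uses a naive log2(pool size) x length baseline, resolves only the "search by title" form of {REF:...} (search-in code T), matches titles case-insensitively, and runs against a constructed in-memory entry table named ENTRIES. All of those are assumptions of the example.

```python
"""Added example (not KeePass code): a toy password quality estimator that
resolves {REF:...} placeholders before scoring, so the reported bits refer to
the password that actually ends up in the field."""
import math
import re
import string

# Minimal in-memory stand-in for a database: title -> fields.
# Constructed sample data for this example, not a real database.
ENTRIES = {
    "some another entry": {"password": "ab", "username": "alice"},
}

# KeePass field-reference syntax: {REF:<wanted>@<search-in>:<text>}.
# Assumption: only the wanted-field codes below are handled, and only
# search-in "T" (title) is resolved; any other search-in is reported as
# unresolved rather than silently scored as literal text.
_FIELD_CODES = {"T": "title", "U": "username", "P": "password",
                "A": "url", "N": "notes"}
_REF_RE = re.compile(r"\{REF:([TUPAN])@([TUPANIO]):([^}]*)\}", re.IGNORECASE)


def resolve_refs(text, entries):
    """Replace {REF:X@T:Title} with the referenced field.

    Returns (resolved_text, unresolved): unresolved lists every placeholder
    that could not be expanded (unknown title, or an unsupported search-in).
    Titles are matched case-insensitively (an assumption of this toy).
    """
    unresolved = []

    def _sub(m):
        code, search_in, title = m.group(1).upper(), m.group(2).upper(), m.group(3)
        if search_in == "T":
            for name, fields in entries.items():
                if name.lower() == title.lower():
                    return fields.get(_FIELD_CODES[code], "")
        unresolved.append(m.group(0))
        return m.group(0)

    return _REF_RE.sub(_sub, text), unresolved


def charset_bits(password):
    """Naive strength: log2(pool) * length, where pool is the total size of the
    character classes present. This is the 'random password of the same shape'
    baseline the discussion refers to, NOT KeePass's estimator: it gives no
    credit for dictionary words, repeats or other human patterns, so it is an
    upper bound on what a pattern-aware estimator should report."""
    if not password:
        return 0.0
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    # Characters outside the four ASCII classes (space, non-ASCII) are
    # counted as one extra symbol; a deliberate simplification.
    if any(c not in "".join(classes) for c in password):
        pool += 1
    return math.log2(pool) * len(password)


def quality_bits(field_text, entries, resolve=True):
    """Score a password field.

    resolve=False scores the literal field text (the behaviour the post
    complains about). resolve=True scores what the field expands to, and
    returns None when a reference cannot be resolved, so a dangling
    placeholder is never scored as if it were a 28-character password.
    """
    if not resolve:
        return charset_bits(field_text)
    resolved, unresolved = resolve_refs(field_text, entries)
    if unresolved:
        return None
    return charset_bits(resolved)


if __name__ == "__main__":
    field = "{REF:P@T:some another entry}"
    print(f"literal : {quality_bits(field, ENTRIES, resolve=False):.1f} bits")
    print(f"resolved: {quality_bits(field, ENTRIES):.1f} bits")
```

Scoring the literal placeholder yields well over 100 bits for a field that expands to the two-letter password "ab" (about 9 bits even by this generous baseline). Returning None for an unresolvable reference, instead of falling back to the literal text, is the check a practitioner would want: the UI can then show "unknown" rather than a misleadingly high number.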
  • Paul
    2014-11-03

    Do you have a link to the report?

    cheers, Paul

  • Horst
    2014-11-03

    For me this is no error at all.
    The only useful Ref in a password field is to another entry's password field.
    In this case you already have the password quality displayed for the REFed entry.

  • For me this is no error at all.

    For me it is; users should not need to have intimate knowledge of a program's implementation details in order to properly interpret the program's output. This difference between the actual calculation and the common-sense expectations of the uneducated user is IMO enough of a reason to change this.