
#2304 Password Generator: Min/Max Occurence

KeePass
open
nobody
None
5
2021-09-21
2017-10-14
gkt
No

Some sites require of passwords:
Min, Max string length
Min, Max number of Capital letters
Min, Max number of numerical characters
Min, Max number of special characters
Specific special characters

Perhaps missing options can be added in the Generator.

Thanks

Discussion

  • Paul

    Paul - 2017-10-14

    Use patterns in the password generator - you can save them as profiles.
    Min, Max number of Capital letters: U{4}S{10}
    Min, Max number of numerical characters: d{4}S{10}
    Min, Max number of special characters: s{4}S{10}
    Specific special characters: .@{|~!S{10}
    Turn on "Randomly permute..."

    cheers, Paul

     
  • T. Bug Reporter

    T. Bug Reporter - 2017-10-15

    The object is to generate a random password from all the passwords that a site allows - while not imposing other limits. For example, your permuted .@{|~!S{10} will generate a sixteen character password where six specific characters are guaranteed to be included somewhere, but most sites aren't that specific; rather, it's more likely for a site to say a password must include some characters from a predefined set, while not specifying that they all need to be included. While I'm sure that some annoying site does have such ridiculous rules, imposing rules like these on passwords for sites that don't require them is just as silly as all the rules the various sites themselves impose.

    Another example: It's rare that any site asks for a specific length of password, but KeePass only generates passwords of a specific length. Now, granted, this would likely only increase potential crack time from 200 million years to 205 million, but a random length would also be a nice feature to have.


    Also, for reference, let it be known that Feature Requests #2127 and #2169 are similar to this one.

     
  • Paul

    Paul - 2017-10-15

    2 from a group of specific special characters: .[@{|~!]{2}S{10}

    cheers, Paul

     
  • gkt

    gkt - 2017-10-15

    In my opinion, the generator must include these choices in the form of TICK BOXES for the average user and most sites:
    1. Password Length: Min, Max: Setting these 2 will generate a RANDOM length between the specified values, any length if Max is blank, up to Max if Min is blank, system defined length if both Min and Max are blank, fixed length if Min=Max.
    2. Capital Letters: All, Specific set input box, Min and Max
    3. Small letters: All, Specific set input box, Min and Max
    4. Numbers: All, Specific set input box, Min and Max
    5. Special characters: All, Specific set input box, Min and Max
    Improper values should be dimmed out. For example, length min=max=5, Caps min=3, Nums min=3

    This will cover ALMOST every aspect and leave to place holders RIDICULOUS rules such as:
    Length between 7 and 14 where the first four must be numbers etc....

     
  • wellread1

    wellread1 - 2017-10-15

    Too many options is a problem in and of itself. All that is needed is one or a few thoughtfully chosen general purpose password profiles and a willingness to make small tweaks manually to the generated password if they are needed to conform to arbitrary rules. A good starting point for thinking about the important characteristics of a strong password is the Wikipedia password strength page.

    At any rate since NIST has recently released a password guidance that rescinds most of the stupid password rules, I expect over time the worst of the rules will fall out of favor. It may take a lot of time but now is not the time to encourage them.

    A password generator profile for variable length passwords (min-max) is a bad idea [1]. Any password less than an acceptable length is unacceptably weak and anything more than the acceptable length is unnecessary and may cause its own problems.

    [1] Hint: It is a less bad idea for passwords based on tiny character sets, e.g. base2.

     

    Last edit: wellread1 2017-10-15
  • Dominik Reichl

    Dominik Reichl - 2018-05-10
    • summary: Password Generator Feature --> Password Generator: Min/Max Occurence
     
  • Sworddragon

    Sworddragon - 2021-09-19

    At least the opportunity to guarantee at least 1 character from every chosen characterset probably even increases the security. It will decrease the maximum security since the password was generated in a predictable manner but it will increase the minimum security with having a guaranteed wider characterset and e.g. avoid accidental weak passwords that might be more vulnerable to a bruteforce attack (e.g. opting into letters, numbers and special characters but the result has only letters).

    In my opinion, the generator must include these choices in the form of TICK BOXES for the average user and most sites:

    -

    Too many options is a problem in and of itself. All that is needed is one or a few thoughtfully chosen general purpose password profiles and a willingness to make small tweaks manually to the generated password if they are needed to conform to arbitrary rules.

    2 fair points and such an option could be included in the "Advanced" tab for the password generator. For example it could be named "Each characterset must occur at least once" and probably doesn't even need the asterisk.

    However, there would be a slight issue: Charactersets with too few characters for example having only 1 that -, _ and space currently have would too negatively impact the security. Either https://sourceforge.net/p/keepass/feature-requests/2664/ can sort this out or alternatively weak charactersets should be ignored by such an option.

     

    Last edit: Sworddragon 2021-09-19
    • Paul

      Paul - 2021-09-20

      Security is not affected once brute force is the only available method.
      https://sourceforge.net/p/keepass/feature-requests/2663/#01d1

      cheers, Paul

       
      • Sworddragon

        Sworddragon - 2021-09-20

        But one issue I currently see is that sub-charactersets with only a few characters (Space, - and _) can be an issue due to too easy predictability

        Predictability of characters makes absolutely no difference to security if the password is not guessable using standard dictionary attacks. If you have to brute force the password then all characters are equally secure.

        I think you are incorrect here at the bruteforce part as algorithms can be optimized to bruteforce more likely passwords. To reflect this with an example for the part above: Let's assume we get now the option "Each characterset must occur at least once" and it would draw from every characterset the user has opted in; it would then guarantee to have a -, _ and space somewhere if the user opted into every possible characterset, which is pretty bad. The bruteforce algorithm has to at least partly correctly guess the metrics used or alternatively prioritize, but this might outweigh the very drastically reduced number of possibilities the password can now have compared to one where this predictability would not be that much of an issue.

         
      • Sworddragon

        Sworddragon - 2021-09-20

        I just got an alternative idea how to avoid the issue with the too easy predictability due to drawing from too small charactersets: Instead of naming such an option "Each characterset must occur at least once" it could be named "Each of a chosen number, lowercase letter, uppercase letter and one other character must occur at least once" - as it would then merge all special characters for this purpose (Minus, Underline, Space, Special, Brackets, Latin-1 Supplement, eventual extra included characters) that the user has opted in into a single category.

        Edit: I see now this could also be an issue if the user chooses for other characters for example only Minus or uses too few custom characters. This issue seems to be quite tricky to be solved in a good way.

         

        Last edit: Sworddragon 2021-09-20
  • Paul

    Paul - 2021-09-21

    algorithms can be optimized to bruteforce more likely passwords

    That is password guessing based on known possibilities.
    Bruteforce is testing every possible character / combination.

    cheers, Paul

     
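The whole thread turns on two questions: how a generator can honour gkt's "Min and Max per character class" rules while still picking a random password from everything the site allows (T. Bug Reporter's point), and how much of the keyspace such a rule costs, which is the Sworddragon/Paul disagreement about forcing a one-character set like "-" to appear. The following Python is an added example written for this discussion; it is not KeePass code and does not reproduce KeePass's pattern syntax or its real character classes (the CLASSES table and the (min, max) rule format are assumptions made here). It counts the allowed passwords exactly, reports the entropy a rule-aware brute-force attacker faces, and contrasts two ways of generating under the rules: rejection sampling, which is uniform over the allowed set, and Paul's "draw the required characters, then randomly permute" approach, which meets the minimums but is not uniform and ignores maximums.

```python
"""Password generation with per-class min/max occurrence rules.

Added example for the KeePass feature-request thread; not KeePass code.
Character classes are assumed to be disjoint. A rule set is
{class_name: (min_count, max_count_or_None)}.
"""
import math
import secrets
from itertools import product

# Assumed classes for this example; KeePass's own pattern classes differ.
CLASSES = {
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "digit": "0123456789",
    "special": "!@#$%^&*",
}


def satisfies(pw, rules, classes=CLASSES):
    """True if pw meets every (min, max) occurrence rule."""
    for name, (lo, hi) in rules.items():
        k = sum(ch in classes[name] for ch in pw)
        if k < lo or (hi is not None and k > hi):
            return False
    return True


def count_allowed(length, rules, classes=CLASSES):
    """Exact number of strings of `length` over the union of the classes
    that satisfy `rules`: sum over every per-class count vector k with
    sum(k) == length of  length!/(k_1!...k_m!) * prod(|class_i| ** k_i)."""
    names = list(classes)
    ranges = []
    for name in names:
        lo, hi = rules.get(name, (0, None))
        hi = length if hi is None else min(hi, length)
        ranges.append(range(lo, hi + 1))
    total = 0
    for counts in product(*ranges):
        if sum(counts) != length:
            continue
        ways = math.factorial(length)          # multinomial coefficient ...
        for k in counts:
            ways //= math.factorial(k)
        for name, k in zip(names, counts):     # ... times class choices
            ways *= len(classes[name]) ** k
        total += ways
    return total


def entropy_bits(length, rules, classes=CLASSES):
    """log2 of the allowed-password count: the search space of an attacker
    who knows the rules (an attacker who does not must search the full
    unconstrained space, so the rules cannot help them)."""
    n = count_allowed(length, rules, classes)
    return math.log2(n) if n else float("-inf")


def generate_uniform(length, rules, classes=CLASSES, rng=secrets):
    """Rejection sampling: draw uniformly from the union of all classes and
    retry until the rules hold. Every allowed password is equally likely."""
    if count_allowed(length, rules, classes) == 0:
        raise ValueError("no password of this length satisfies the rules")
    alphabet = "".join(classes.values())
    while True:
        pw = "".join(rng.choice(alphabet) for _ in range(length))
        if satisfies(pw, rules, classes):
            return pw


def generate_compose(length, rules, classes=CLASSES, rng=secrets):
    """Pattern-then-permute, the thread's U{4}d{4}S{10} + "Randomly permute"
    idea: draw each class's minimum, fill up from the union, shuffle.
    Meets the minimums, ignores maximums, and is NOT uniform over the
    allowed set (passwords with extra required-class characters can be
    produced in more ways than others)."""
    chars = []
    for name, (lo, _hi) in rules.items():
        chars += [rng.choice(classes[name]) for _ in range(lo)]
    if len(chars) > length:
        raise ValueError("minimums exceed the password length")
    alphabet = "".join(classes.values())
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):     # Fisher-Yates shuffle
        j = rng.choice(range(i + 1))
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    rules = {"upper": (1, None), "digit": (2, 4), "special": (1, None)}
    full = len("".join(CLASSES.values()))
    for length in (8, 12, 16):
        print(f"len={length}: unconstrained {length * math.log2(full):.1f} "
              f"bits, with rules {entropy_bits(length, rules):.1f} bits")
    print(generate_uniform(12, rules), generate_compose(12, rules))
    # Forcing a one-character class (e.g. "-") to appear at least once:
    tiny = dict(CLASSES, minus="-")
    print(f"'-' required: {entropy_bits(12, {'minus': (1, None)}, tiny):.1f} "
          f"bits vs {12 * math.log2(len(''.join(tiny.values()))):.1f}")
```

Running the script shows the cost of a rule in bits rather than by intuition: a "2 to 4 digits plus one upper and one special" rule on a 12-character password costs well under a bit against a rule-aware attacker, while requiring a character from a one-symbol class costs a few bits because every allowed password now has a known symbol at an unknown position. The generator to prefer is generate_uniform, since its output is equally likely to be any password the site accepts; generate_compose is included only to show that the pattern-and-permute workaround satisfies the constraints but skews the distribution.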
