#2663 Option for password generator to guarantee each sub-characterset to occur at least once

KeePass_2.x
closed
nobody
None
5
2021-09-20
2021-09-19
Sworddragon
No

For like over a decade - probably from the very beginning when I used KeePass - I always thought there was an option in the password generator that ensures each sub-characterset chosen will occur at least once. I also assumed this option was always the one in the current password generator under the "Advanced" tab that is described as "Each character must occur at most once" - but when I took a closer look today, I had obviously misunderstood this option, as it just prevents duplicate characters (which makes me slightly curious whether enabling it increases the chance on average that more different sub-charactersets are included).

But to come back to the initial option: Guaranteeing each sub-characterset to occur at least once makes the password slightly more predictable (decreasing the maximum security) but also makes it harder to bruteforce since it can't be generated by accident with like only numbers and letters when other sub-charactersets are also chosen (increasing the minimum security). On average such an option would probably increase the security for passwords that rely on multiple sub-charactersets, so it could be worth implementing it.

But one issue I currently see is that sub-charactersets with only a few characters (Space, - and _) can be an issue due to too easy predictability. I don't know why those 3 characters have their own categories, as the only thing I see with them, and the reason I dislike those characters, is that depending on the font or handwriting (for users that export generated passwords to paper) repeated uses of those characters make it not always possible to tell the exact passphrase, e.g. "abc def___________ghi-----"[1] makes it not easy to tell how many of each character there are. But this issue also applies to =, eventually . and : and maybe some others. I was thinking in general if it could make sense to simply merge those characters into their own category - which would additionally better support the option initially requested in this ticket.

[1] I also added some continuous spaces into the passphrase but the formation here seems to not display them and I can't figure out how to prevent this. But I guess the main issue is already clear with the other characters.

Discussion

  • Dominik Reichl

    Dominik Reichl - 2021-09-19
    • status: open --> closed
     
  • wellread1

    wellread1 - 2021-09-19

    To guarantee at least one character from each character sub-set is included in a password, use the Generate pattern option in the password generator. See https://keepass.info/help/base/pwgenerator.html for more information.

    For example, to generate a 16 character case sensitive alphanumeric password with one special character, and that is guaranteed to contain at least one uppercase letter, one lowercase letter, one digit, all at the end of the password, use A{12}ulds.

    Check the Randomly permute characters of password option to distribute the 4 special cases throughout the generated password.

    Example generated passwords:
    Without random character permutation: gRPQxMn9SS2zUk6=
    With random character permutation: XcoSnSEP&A4htig5

     

    Last edit: wellread1 2021-09-19
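
The pattern approach wellread1 describes, as an added Python example that is not part of the thread and not KeePass's own code. The placeholder-to-character-set mapping is an assumption taken from the description above (A = case-sensitive alphanumeric, u/l/d = uppercase/lowercase/digit, s = special, here Python's `string.punctuation`), and the function names are hypothetical.

```python
import math
import re
import secrets
import string

# Assumed character set per pattern placeholder (not KeePass's exact tables).
CLASSES = {
    "A": string.ascii_letters + string.digits,  # case-sensitive alphanumeric
    "u": string.ascii_uppercase,
    "l": string.ascii_lowercase,
    "d": string.digits,
    "s": string.punctuation,                     # stand-in for "special"
}
TOKEN = re.compile(r"([A-Za-z])(?:\{(\d+)\})?")  # e.g. "A{12}" or "u"


def expand(pattern):
    """Turn a pattern such as 'A{12}ulds' into one character set per position."""
    slots, pos = [], 0
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if m is None or m.group(1) not in CLASSES:
            raise ValueError(f"unsupported pattern element at offset {pos}")
        slots.extend([CLASSES[m.group(1)]] * int(m.group(2) or 1))
        pos = m.end()
    return slots


def generate(pattern, permute=True):
    """Draw each position from its set with a CSPRNG, then optionally shuffle."""
    chars = [secrets.choice(charset) for charset in expand(pattern)]
    if permute:
        # Shuffling removes the fixed "guaranteed characters at the end" layout.
        secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def pattern_bits(pattern):
    """Entropy in bits of the pattern without permutation (sum of log2 set sizes)."""
    return sum(math.log2(len(charset)) for charset in expand(pattern))


if __name__ == "__main__":
    print(generate("A{12}ulds"))
    # The four constrained positions cost a few bits versus 16 free "A" positions.
    print(round(pattern_bits("A{12}ulds"), 2), round(pattern_bits("A{16}"), 2))
```
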
  • Rookiestyle

    Rookiestyle - 2021-09-19

    Quite some time ago, I faced this issue as well and telling site owners that their rules are not considered to add much to security obviously doesn't help.

    I therefore added a custom password algorithm to PasswordChangeAssistant.
    It merely does what wellread1 mentioned, just a bit more convenient

    https://github.com/Rookiestyle/PasswordChangeAssistant#password-profile-at-least-1-per-set

     

    Last edit: Rookiestyle 2021-09-19
  • Sworddragon

    Sworddragon - 2021-09-19

    Thanks for all the information. https://sourceforge.net/p/keepass/feature-requests/2409/ seems to pretty much request the same as https://sourceforge.net/p/keepass/feature-requests/2304/ so I will continue participating in the latter. And I think for the remaining issue instead of mentioning it just as eventual dependency I just handle the problem independently from the initial issue since I think I have a more clear idea for it.

     

    Last edit: Sworddragon 2021-09-19
  • Paul

    Paul - 2021-09-20

    But one issue I currently see is that sub-charactersets with only a few characters (Space, - and _) can be an issue due to too easy predictability

    Predictability of characters makes absolutely no difference to security if the password is not guessable using standard dictionary attacks. If you have to brute force the password then all characters are equally secure.

    cheers, Paul

     
