Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0
4.8k stars 276 forks source link

Password entropy score doesn't match with other generators #1460

Open serrq opened 1 year ago

serrq commented 1 year ago

https://gitlab.com/vecturagames/passwordgenerator

https://www.f-droid.org/packages/com.vecturagames.android.app.passwordgenerator/

It is not a bug: I just asking clarification.

I installed this app (password generator) on my device and I set these rules on both apps:

A-Z yes a-z yes 0-9 yes Special charactes included :+;!?= Max length 68 characters

I generated this exact password:

frsRFQ7N+U1dpVWzm2xa;gwATE?H4OkLIC8b9ju3ncyGYB!tS=oDhi0K5Ze6:MqlXPvJ

Entropy Score:

Password Gen (F-droid) 475

KeePassDX 307,91

Why this difference?

Is it possible to make the two developers converse in order to find a common entropy calculation model?

nvllz commented 1 year ago

I noticed this a while ago. KeePassDX's entropy score is always lower compared to KeePassXC's score for the same password. For the generated string, KeePassXC shows me 391.14 bits of entropy.

J-Jamet commented 1 year ago

Duplicate https://github.com/Kunzisoft/KeePassDX/issues/1373

serrq commented 1 year ago

According with this University password strength score for the string above is 516.

https://www.uic.edu/apps/strong-password/

J-Jamet commented 1 year ago

By definition, entropy is the measure of a state of disorder. So it is not standardized to calculate this disorder, the important thing is the consistency of the measurements between each result in order to demonstrate that one result is better or worse than another. In the case of a password, the important thing is to keep in mind that: the more complex it is, the less chance a brute force attack will be able to break the code. As the techniques and the power of the machines evolve all the time, it would be necessary to index the measure of the entropy on a study which calculates the probability to break a password with the most powerful machines used. But in practice, an estimate is sufficient.