StellarSand / IYPS

A password strength app that evaluates and rates your password's robustness, estimates crack time, and provides helpful warnings and suggestions for stronger passwords.
GNU General Public License v3.0

Entropy calculations wrong? #23

Closed mvevitsis closed 1 week ago

mvevitsis commented 2 weeks ago

Description

I get wildly different results in this app compared to pazzword (also on fdroid) which uses zxcvbn.

This app is reporting a 16 character randomly generated password (letters, numbers, symbols) as having only 56.47 bits of entropy which seems incredibly low to me. Pazzword reports 72.45 on the same password. Which frankly also seems wrong.

If I'm not mistaken the correct formula is E = L × log2(R). A 16-character password using lower case, upper case, digits, and ASCII symbols should have a range of 94, so: E = 16 × log2(94) = 16 × 6.55 = 104.8

Steps to reproduce the behaviour

  1. Enter password in both apps
  2. Check entropy
StellarSand commented 2 weeks ago

Let's consider a password Password@1234567. It is a 16-character password using upper case, lower case, digits, and special characters. And yet for such a simple password, if we calculate the entropy using the formula E = L × log2(R), it gives 104.87. Now let's consider another password #P7^FVbz%B3ecctS. It is also a 16-character password using upper case, lower case, digits, and special characters. And it will also give you the same entropy.

Using IYPS, Password@1234567 gives entropy as 25.43 and #P7^FVbz%B3ecctS gives entropy as 56.47. Using Pazzword, Password@1234567 gives entropy as 8.49 and #P7^FVbz%B3ecctS gives entropy as 73.48. Hence both apps provide much better results than using the original formula. The differences are due to different libraries being used & nbvcxz doing some stuff differently.

Entropy is only one measure of strength and hence you should also consider other factors like time to crack, number of guesses, avoiding dictionary words/personal info etc.

BTW please don't expect the same results between IYPS & any other app. IYPS uses multiple additional password dictionaries alongside some of the default ones from zxcvbn4j.

Default used:

Additional:
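Added example, not code from IYPS, zxcvbn4j or nbvcxz: it computes the naive E = L × log2(R) figure for the two passwords in this thread and contrasts it with a deliberately crude pattern-aware guess count. The toy wordlist and the per-pattern guess costs are assumptions that only illustrate why a dictionary/sequence-aware estimator rates Password@1234567 far below the random string while the naive formula rates both identically.

```python
import math
import re

# Character-class sizes assumed for the naive formula: a-z, A-Z, 0-9 and the
# 32 printable ASCII symbols, giving the R = 94 pool quoted in the issue.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 32)]

# Constructed toy wordlist standing in for the dictionaries a zxcvbn-style
# checker ships; rank is 1-based, so the top word costs a single guess.
TOY_WORDLIST = ["password", "letmein", "welcome", "dragon"]


def naive_entropy_bits(pw: str) -> float:
    """E = L * log2(R), where R sums the sizes of every class present in pw."""
    pool = sum(size for pat, size in CLASSES if re.search(pat, pw))
    return len(pw) * math.log2(pool)


def pattern_guesses(pw: str) -> int:
    """Crude pattern-aware guess count (an assumption, not zxcvbn's algorithm):
    a wordlist hit costs its rank (x2 if capitalised), a run of digits that
    ascends by one costs 10 x run length, anything else costs 94 per char."""
    guesses, i = 1, 0
    while i < len(pw):
        rest = pw[i:]
        word = next((w for w in TOY_WORDLIST if rest.lower().startswith(w)), None)
        if word:
            guesses *= (TOY_WORDLIST.index(word) + 1) * (2 if rest[0].isupper() else 1)
            i += len(word)
            continue
        m = re.match(r"[0-9]{2,}", rest)
        if m and all(int(b) - int(a) == 1 for a, b in zip(m.group(), m.group()[1:])):
            guesses *= 10 * len(m.group())
            i += len(m.group())
            continue
        guesses *= 94  # no recognised pattern: treat as one random char from the pool
        i += 1
    return guesses


def pattern_entropy_bits(pw: str) -> float:
    """Entropy-equivalent of the guess count: log2(guesses)."""
    return math.log2(pattern_guesses(pw))


if __name__ == "__main__":
    for pw in ("Password@1234567", "#P7^FVbz%B3ecctS"):
        print(f"{pw}: naive {naive_entropy_bits(pw):.2f} bits, "
              f"pattern-aware {pattern_entropy_bits(pw):.2f} bits")
```

For Password@1234567 the naive formula reports 104.87 bits while the pattern-aware count is about 13.7 bits (2 × 94 × 70 guesses); the random string scores 104.87 by both methods here because the toy estimator recognises no pattern in it.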