bbusschots / hsxkpasswd

A Perl module and terminal command for generating secure memorable passwords inspired by the fabulous XKCD web comic and Steve Gibson's Password Hay Stacks. This is the library that powers www.xkpasswd.net
http://www.bartb.ie/xkpasswd
BSD 2-Clause "Simplified" License

Entropy calculation on website doesn't match tool #32

Open dgrant opened 7 years ago

dgrant commented 7 years ago

The following config says 61 bits with full knowledge on https://xkpasswd.net/, but when I run it locally I get:

WARNING - Crypt::HSXKPasswd::_update_entropystats_cache(): for attacks assuming full knowledge, the combination of the loaded config and dictionary produces an entropy of 33bits, below the minimum recommended 52bits at /usr/local/bin/hsxkpasswd line 448

{
"num_words": 3,
"word_length_min": 4,
"word_length_max": 8,
"case_transform": "RANDOM",
"separator_character": "-",
"padding_digits_before": 0,
"padding_digits_after": 0,
"padding_type": "NONE"
}

frei0 commented 7 years ago

Seems to be that if you choose case_transform: RANDOM, you get double the entropy, when you should really only get num_words more bits of entropy. The XKCD config should be 44 bits, not 80 bits.
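To make the two readings in this thread concrete, here is an added worked example (not code from the hsxkpasswd module or from either commenter) that computes full-knowledge entropy for the posted config under two models: one fair coin per word for RANDOM case, as frei0 argues, and a variant that doubles the word entropy instead, which is frei0's reading of the website's figure. The model itself is an assumption stated in the comments (a uniform draw per word slot, one bit per randomly cased word, log2(10) per random digit, zero for the fixed separator and padding), and has not been checked against the module's own _update_entropystats_cache() code. The dictionary is a constructed toy list so the numbers are small; the last helper back-solves what eligible-dictionary size would make the one-bit model report the 33 bits the local tool printed.

```python
import math

# Constructed toy word list for this example only; the module's real dictionary is far larger.
TOY_DICTIONARY = [
    "a", "cat", "able", "about", "banana", "cabbage", "daughter", "echo",
    "fable", "garden", "harvest", "infinite", "jump", "knife", "lemon",
    "marble", "notebook", "orange", "Orange", "wonderful", "extraordinary",
]

# The config posted in the issue.
ISSUE_CONFIG = {
    "num_words": 3,
    "word_length_min": 4,
    "word_length_max": 8,
    "case_transform": "RANDOM",
    "separator_character": "-",
    "padding_digits_before": 0,
    "padding_digits_after": 0,
    "padding_type": "NONE",
}


def eligible_words(dictionary, min_len, max_len):
    """Distinct lower-cased words whose length lies in [min_len, max_len]."""
    return sorted({w.lower() for w in dictionary if min_len <= len(w) <= max_len})


def _random_digit_count(config):
    return config.get("padding_digits_before", 0) + config.get("padding_digits_after", 0)


def entropy_bits(config, dictionary, *, double_on_random_case=False):
    """Full-knowledge entropy in bits (assumed model; attacker knows config and dictionary).

    double_on_random_case=False: RANDOM case adds one fair coin (upper/lower) per word,
                                  i.e. num_words extra bits, as frei0 argues.
    double_on_random_case=True:  RANDOM case doubles the word entropy instead, which is
                                  frei0's reading of the website's figure.
    """
    words = eligible_words(dictionary, config["word_length_min"], config["word_length_max"])
    if not words:
        raise ValueError("no dictionary words satisfy the length limits")
    n = config["num_words"]
    bits = n * math.log2(len(words))            # one uniform draw per word slot
    if config.get("case_transform") == "RANDOM":
        bits = bits * 2 if double_on_random_case else bits + n
    bits += _random_digit_count(config) * math.log2(10)  # each random digit: one of ten
    # The separator and padding characters are fixed by the config, so a full-knowledge
    # attacker gains nothing from guessing them: they contribute 0 bits.
    return bits


def eligible_size_for_bits(config, target_bits):
    """Eligible-dictionary size at which the one-bit-per-word model reports target_bits."""
    n = config["num_words"]
    case_bits = n if config.get("case_transform") == "RANDOM" else 0
    digit_bits = _random_digit_count(config) * math.log2(10)
    per_word = (target_bits - case_bits - digit_bits) / n
    return 2 ** per_word


if __name__ == "__main__":
    pool = eligible_words(TOY_DICTIONARY, 4, 8)
    print(f"{len(pool)} eligible words -> {math.log2(len(pool)):.1f} bits per word")
    print(f"one bit per randomly cased word: {entropy_bits(ISSUE_CONFIG, TOY_DICTIONARY):.1f} bits")
    print(f"doubling model:                  "
          f"{entropy_bits(ISSUE_CONFIG, TOY_DICTIONARY, double_on_random_case=True):.1f} bits")
    print(f"dictionary size implied by the local tool's 33 bits: "
          f"{eligible_size_for_bits(ISSUE_CONFIG, 33):.0f} words")
```

With 16 eligible words (4 bits each) the issue config scores 3*4 + 3 = 15 bits under the one-bit model and 2*12 = 24 bits under the doubling model; the gap grows with the dictionary, which is why the two figures in the thread diverge so widely. Back-solving the local tool's 33 bits gives 2^10 = 1024 eligible words, a quick way to check whether a discrepancy comes from the case-transform arithmetic or simply from a different word list being loaded on each side.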