bbusschots / hsxkpasswd

A Perl module and terminal command for generating secure memorable passwords inspired by the fabulous XKCD web comic and Steve Gibson's Password Hay Stacks. This is the library that powers www.xkpasswd.net
http://www.bartb.ie/xkpasswd
BSD 2-Clause "Simplified" License
278 stars 48 forks source link

https://xkpasswd.net/ appears to be outdated? #39

Open joelishness opened 5 years ago

joelishness commented 5 years ago

Expected:

This option on the website: "case_transform": "ALTERNATE"

...should randomize first word and then alternate word case thereafter. According to this change: https://github.com/bbusschots/hsxkpasswd/releases/tag/v3.3.1 "The ALTERNATE case transform now randomises the case of the first word, and then alternates from there. This adds a little more entropy, and makes more sense than having it always be the same IMO."

Observed:

Instead, the first word is always lower case, second always UPPER case, third always lower case

Other observations:

  1. Website indicates it is powered by old version. Website: "This site is powered by the XKPasswd.pm Perl Module" Github indicates latest version should be Crypt-HSXKPasswd-v3.5 released ]on Aug 10, 2015 Crypt-HSXKPasswd-v3.6 released ]on Aug 11, 2015

  2. Issue #32 "Entropy calculation on website doesn't match tool" Probably resolved with 2015 BETA3 release: "There was a subtle error in how the entropy was calculated for the worst-case scenario (where attackers know both the configuration and word source used). Unfortunately the bug caused the module to overestimate the entropy. Because if this, some presets had to be altered after the bug was fixed to keep them below the entropy warning thresholds. This proved impossible for the WEB16 preset, so it has now issues a warning in the same way the NTLM preset does."