dnet / androsphinx

SPHINX for Android

Handle obsolete/overeager password rules #23

Open dnet opened 1 year ago

dnet commented 1 year ago

Even if the user selects a certain subset of characters (such as uppercase letters), there's no guarantee that the password will actually contain at least n (usually 1) elements from that subset. While not a security problem in itself, this presents a problem with obsolete/overeager password strength enforcement algorithms that expect to have n (usually 1, sometimes 2, etc.) characters from each of their defined subsets present within the password.

Screenshot of an example of such an obsolete password strength meter

Although in some cases the "generate a new password" feature can be used with some luck to overcome this, it's poor UX and not guaranteed to work. Since RWD is already XORed with a (currently random, cf. #11) string of bits, these could be altered upon user request to ensure the password contains one instance of each of the selected subsets. KeePassXC for example implements such a control with a checkbox "Pick characters from every group".
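The mask-search idea from the comment above, as an added example that is not androsphinx's own code. It assumes (labelled as such) that the 32-byte rwd is turned into a password by treating it as a big-endian integer and base-converting it over the union alphabet of the selected groups, in the style of pwdsphinx's bin2pass; the real derivation, the group names and the function names below are illustrative and may differ from the app. The point it shows is that the stored XOR mask can be drawn repeatedly until the masked rwd yields a password covering every selected group, with the unsatisfiable case (fewer characters than groups) rejected up front.

```python
"""Added example, not androsphinx code: pick the rwd XOR mask so that the
derived password contains at least one character from every selected group.

Assumptions (not confirmed by the issue): password = base conversion of the
rwd integer over the union alphabet (pwdsphinx-style bin2pass); the 32-byte
mask is stored alongside the rule, as the currently random one already is.
"""
import hashlib
import secrets
import string

GROUPS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def bin2pass(rwd: bytes, groups, size: int) -> str:
    """Map rwd deterministically to `size` characters over the alphabet formed
    by the selected groups (base conversion; an assumed derivation).  Once the
    integer is exhausted the remaining positions are alphabet[0], which is
    exactly how an rwd of all zero bytes yields a single-group password."""
    alphabet = "".join(GROUPS[g] for g in groups)
    n = int.from_bytes(rwd, "big")
    base = len(alphabet)
    out = []
    for _ in range(size):
        n, r = divmod(n, base)
        out.append(alphabet[r])
    return "".join(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def missing_groups(password: str, groups) -> list:
    """Groups from which the password contains no character."""
    return [g for g in groups if not any(c in GROUPS[g] for c in password)]


def pick_mask(rwd: bytes, groups, size: int, rand=secrets.token_bytes,
              max_tries: int = 1000) -> bytes:
    """Draw random masks until bin2pass(rwd XOR mask) covers every group.

    `rand(n)` returns n random bytes; secrets.token_bytes in real use, a seeded
    generator for reproducible tests.  A rule with fewer characters than groups
    can never be satisfied, so it is rejected before any search starts."""
    if size < len(groups):
        raise ValueError("password size %d cannot cover %d groups" % (size, len(groups)))
    for _ in range(max_tries):
        mask = rand(len(rwd))
        if not missing_groups(bin2pass(xor(rwd, mask), groups, size), groups):
            return mask
    raise RuntimeError("no covering mask found in %d tries" % max_tries)


def seeded_rand(seed: bytes):
    """Deterministic byte source for tests and demos: SHA-256 over a counter.
    Not for real masks; use the secrets module default there."""
    counter = [0]

    def rand(n: int) -> bytes:
        counter[0] += 1
        return hashlib.sha256(seed + counter[0].to_bytes(8, "big")).digest()[:n]
    return rand


if __name__ == "__main__":
    groups = ["upper", "lower", "digits", "symbols"]
    rwd = bytes(32)          # constructed worst case: unmasked password is "AAAA..."
    print("unmasked:", bin2pass(rwd, groups, 16), missing_groups(bin2pass(rwd, groups, 16), groups))
    mask = pick_mask(rwd, groups, 16)
    pw = bin2pass(xor(rwd, mask), groups, 16)
    print("masked:  ", pw, missing_groups(pw, groups))
```

With four groups and a 16-character password almost every candidate mask already covers all groups, so the loop usually returns on the first try; the search only does real work for short passwords, and the number of tries grows quickly as `size` approaches the number of groups. The mask itself reveals nothing about rwd beyond the fact that the final password satisfies the rule, which is the same fact the rule already makes public.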

stef commented 1 year ago

sounds reasonable to reuse the xor mask for this indeed