keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Health Check - Report Similar passwords #4276

Open OLLI-S opened 4 years ago

OLLI-S commented 4 years ago

Summary

Report also passwords that are similar to other passwords

Details

I created a new database and added some entries with similar passwords:

[image: screenshot]

In the Health Report these entries are only reported as "Very weak passwords". They are not reported as "Reused passwords".

[image: screenshot]

I know that passwords must be completely identical (including the case) to be "Reused passwords". So I suggest here a check for "Similar Passwords".

For the check you should convert all passwords to lower case. If passwords are completely identical (like "OLLI" and "olli") they get the same score as reused passwords (because they are identical except for the case).

If they are not completely identical you check how many characters are different. The more characters are different the higher the score is. If the passwords differ just in 1 character (like "olli1" and "olli_1" and "olli2") they get a higher negative score than passwords that differ in 2 or more characters.

You should have a limit where you stop checking for similarity (like 5 characters, 7 characters or 10 characters). This makes sure that passwords that are randomly generated but differ only in 2 or 3 characters are reported.

With this feature passwords like shown above are all reported as similar.

Debug Info

KeePassXC - Version 2.5.3-snapshot
Build Type: Snapshot
Revision: c427000

Qt 5.12.0
Debugging mode is disabled.

Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.18363

Enabled extensions:

Cryptographic libraries: libgcrypt 1.8.4

droidmonkey commented 4 years ago

Not a bad idea

wolframroesler commented 4 years ago

Could be implemented by a combination of normalization (convert to lower case, remove underscores, etc.), Levenshtein distance, and phonetic comparison.

wolframroesler commented 3 years ago

I'm no longer sure if this is a good idea. Of course, having passwords like olli1/olli2/olli3 is bad, but no worse than olli1/stan2/buster3, despite the fact that these aren't similar. On the other hand, passwords like ~A:%58M4=r8mFWd0u1}V1/~A:%58M4=r8mFWd0u1}V2/~A:%58M4=r8mFWd0u1}V3 are secure despite the similarity. In other words, if we reported similar passwords, what would it buy us?

droidmonkey commented 3 years ago

I would say less than "Good" passwords that are similar. It's an indicator of manually made passwords with slight variations.

Rex-0x7CB commented 3 years ago

> Could be implemented by a combination of normalization (convert to lower case, remove underscores, etc.), Levenshtein distance, and phonetic comparison.

Levenshtein's distance would be perfect for this. I've used it in one of my projects in the past. It produces nice results.
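To make the discussion above concrete, here is an added example (not KeePassXC's own code) that puts the pieces together: the normalization OLLI-S and wolframroesler describe (lower-casing, dropping separators), Levenshtein distance with a cut-off, and droidmonkey's refinement of only reporting pairs where at least one side is below "Good". The names `normalizePassword`, `levenshtein`, `findSimilarPasswords`, and the constants `kMaxDistance` and `kGoodLength` are assumptions for this example; `kGoodLength` is a crude length proxy for the quality estimator the real health check would use, not how KeePassXC rates passwords. The sample entries are constructed from the examples in this thread.

```cpp
// Added example (not KeePassXC code): a "similar passwords" check built from
// normalization + Levenshtein distance, as discussed in this issue.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Report pairs whose normalized forms are at most this many edits apart.
constexpr std::size_t kMaxDistance = 2;
// Assumption: passwords at least this long are treated as "Good" (a stand-in
// for a real quality estimator). Pairs where BOTH sides are Good are not
// reported: generated passwords that differ in one trailing character are
// still strong, which is wolframroesler's objection above.
constexpr std::size_t kGoodLength = 20;

// Normalization: lower-case and drop separator characters so that
// "OLLI", "olli" and "o_l-l i" all compare equal.
std::string normalizePassword(const std::string& password) {
    std::string out;
    out.reserve(password.size());
    for (unsigned char c : password) {
        if (c == '_' || c == '-' || c == ' ' || c == '.') continue;
        out.push_back(static_cast<char>(std::tolower(c)));
    }
    return out;
}

// Classic Levenshtein edit distance (insert/delete/substitute cost 1),
// using two rolling rows so memory stays O(shorter string).
std::size_t levenshtein(const std::string& a, const std::string& b) {
    if (a.size() < b.size()) return levenshtein(b, a);
    std::vector<std::size_t> prev(b.size() + 1), cur(b.size() + 1);
    for (std::size_t j = 0; j <= b.size(); ++j) prev[j] = j;
    for (std::size_t i = 1; i <= a.size(); ++i) {
        cur[0] = i;
        for (std::size_t j = 1; j <= b.size(); ++j) {
            std::size_t sub = prev[j - 1] + (a[i - 1] == b[j - 1] ? 0 : 1);
            cur[j] = std::min({prev[j] + 1, cur[j - 1] + 1, sub});
        }
        std::swap(prev, cur);
    }
    return prev[b.size()];
}

struct SimilarPair {
    std::size_t first;     // index into the input list
    std::size_t second;
    std::size_t distance;  // 0 means identical after normalization
};

// Compare every pair of passwords once and return the similar ones.
std::vector<SimilarPair> findSimilarPasswords(const std::vector<std::string>& passwords,
                                              std::size_t maxDistance = kMaxDistance) {
    std::vector<std::string> norm;
    norm.reserve(passwords.size());
    for (const auto& p : passwords) norm.push_back(normalizePassword(p));

    std::vector<SimilarPair> result;
    for (std::size_t i = 0; i < passwords.size(); ++i) {
        for (std::size_t j = i + 1; j < passwords.size(); ++j) {
            // Skip pairs where both passwords already count as Good.
            if (passwords[i].size() >= kGoodLength && passwords[j].size() >= kGoodLength) continue;
            // Cheap pre-filter: a length difference alone can exceed the budget.
            std::size_t lenDiff = norm[i].size() > norm[j].size() ? norm[i].size() - norm[j].size()
                                                                  : norm[j].size() - norm[i].size();
            if (lenDiff > maxDistance) continue;
            std::size_t d = levenshtein(norm[i], norm[j]);
            if (d <= maxDistance) result.push_back({i, j, d});
        }
    }
    return result;
}

int main() {
    // Constructed sample entries mirroring the examples given in this thread.
    const std::vector<std::string> passwords = {
        "OLLI", "olli", "olli1", "olli_1", "olli2", "stan2",
        "~A:%58M4=r8mFWd0u1}V1", "~A:%58M4=r8mFWd0u1}V2",
    };
    for (const auto& p : findSimilarPasswords(passwords)) {
        const char* label = p.distance == 0 ? "reused (case/separators only)"
                          : p.distance == 1 ? "very similar" : "similar";
        std::cout << '"' << passwords[p.first] << "\" ~ \"" << passwords[p.second]
                  << "\": distance " << p.distance << " -> " << label << '\n';
    }
    return 0;
}
```

With these inputs the five "olli" variants are reported against each other (two of the pairs at distance 0, the rest at distance 1), "stan2" is not paired with anything, and the two long generated passwords are left alone because both sides count as Good. Note that the check is O(n²) in the number of entries, so a real implementation would want the length pre-filter (or bucketing by normalized prefix) before computing the distance.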