Open OLLI-S opened 4 years ago
Not a bad idea
Could be implemented by a combination of normalization (convert to lower case, remove underscores, etc.), Levenshtein distance, and phonetic comparison.
I'm no longer sure if this is a good idea. Of course, having passwords like olli1/olli2/olli3 is bad, but no worse than olli1/stan2/buster3, despite the fact that these aren't similar. On the other hand, passwords like ~A:%58M4=r8mFWd0u1}V1/~A:%58M4=r8mFWd0u1}V2/~A:%58M4=r8mFWd0u1}V3 are secure despite the similarity. In other words, if we reported similar passwords, what would it buy us?
I would say less than "Good" passwords that are similar. It's an indicator of manually made passwords with slight variations.
> Could be implemented by a combination of normalization (convert to lower case, remove underscores, etc.), Levenshtein distance, and phonetic comparison.
Levenshtein's distance would be perfect for this. I've used it in one of my projects in the past. It produces nice results.
Summary
Report also passwords that are similar to other passwords
Details
I created a new database and added some entries with similar passwords:
In the Health Report these entries are only reported as "Very weak passwords". They are not reported as "Reused passwords".
I know that passwords must be completely identical (including the case) to be "Reused passwords". So I suggest a check for "Similar Passwords".
For the check you should convert all passwords to lower case. If passwords are completely identical (like "OLLI" and "olli") they get the same score as reused passwords (because they are identical except for the case).
If they are not completely identical you check how many characters are different. The more characters are different the higher the score is. If the passwords differ just in 1 character (like "olli1" and "olli_1" and "olli2") they get a higher negative score than passwords that differ in 2 or more characters.
You should have a limit where you stop checking for similarity (like 5 characters, 7 characters or 10 characters). This makes sure that passwords that are randomly generated but differ only in 2 or 3 characters are reported.
With this feature passwords like shown above are all reported as similar.
Debug Info
KeePassXC - Version 2.5.3-snapshot
Build Type: Snapshot
Revision: c427000
Qt 5.12.0
Debugging mode is disabled.
Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.18363
Enabled extensions:
Cryptographic libraries: libgcrypt 1.8.4
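As an added illustration of the check proposed in this issue (normalisation, Levenshtein distance, a cut-off distance, and a penalty that grows as passwords get closer), here is a small self-contained C++ sketch. It is not KeePassXC code: the function names, the kReused score, the linear penalty scale and the default cut-off of 3 edits are assumptions, and note that stripping underscores during normalisation makes "olli1" and "olli_1" count as identical rather than one edit apart.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
// Normalisation as proposed in the thread: lower-case and drop separators
// such as underscores, so "Olli_1" and "olli1" compare as the same string.
std::string normalizePassword(const std::string& pw) {
    std::string out;
    for (unsigned char c : pw) {
        if (c == '_' || c == '-' || c == ' ') continue;
        out.push_back(static_cast<char>(std::tolower(c)));
    }
    return out;
}
// Plain Levenshtein edit distance (insert / delete / substitute), two-row DP.
size_t levenshtein(const std::string& a, const std::string& b) {
    std::vector<size_t> prev(b.size() + 1), cur(b.size() + 1);
    for (size_t j = 0; j <= b.size(); ++j) prev[j] = j;
    for (size_t i = 1; i <= a.size(); ++i) {
        cur[0] = i;
        for (size_t j = 1; j <= b.size(); ++j) {
            size_t sub = prev[j - 1] + (a[i - 1] == b[j - 1] ? 0 : 1);
            cur[j] = std::min({prev[j] + 1, cur[j - 1] + 1, sub});
        }
        std::swap(prev, cur);
    }
    return prev[b.size()];
}
// Penalty as sketched in the issue: identical after normalisation scores like a
// reuse, fewer edits apart scores higher, beyond maxDistance nothing is reported.
constexpr int kReused = 100;  // assumed score for an exact (normalised) match
int similarityPenalty(const std::string& a, const std::string& b, size_t maxDistance = 3) {
    const std::string na = normalizePassword(a), nb = normalizePassword(b);
    if (na == nb) return kReused;
    const size_t d = levenshtein(na, nb);
    if (d > maxDistance) return 0;
    return static_cast<int>((maxDistance - d + 1) * (kReused / (maxDistance + 1)));
}
// Every pair worth flagging; O(n^2) pairs, fine for a personal database.
struct SimilarPair { size_t i, j; int penalty; };
std::vector<SimilarPair> findSimilarPasswords(const std::vector<std::string>& pws, size_t maxDistance = 3) {
    std::vector<SimilarPair> out;
    for (size_t i = 0; i < pws.size(); ++i)
        for (size_t j = i + 1; j < pws.size(); ++j) {
            const int p = similarityPenalty(pws[i], pws[j], maxDistance);
            if (p > 0) out.push_back({i, j, p});
        }
    return out;
}
```

With the cut-off at 3, olli1/olli2 is flagged with penalty 75 while olli1/stan2 (5 edits apart) is not, and the two long random passwords from the comment above are flagged just as the issue author wants.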