palant / pfp

A simple and secure browser extension to be used with KeePass databases.
https://pfp.works/
Mozilla Public License 2.0

Master password security guidelines #62

Closed. ghost closed this issue 6 years ago.

ghost commented 6 years ago

Recently a similar solution was posted on reddit [1] and many people were concerned about master password security [2]. There is a question about how strong a master password has to be and how users will know whether it's secure enough.

I wonder if easypasswords can implement something like a password entropy meter [3]. Alternatively it can document password security guidelines or link to something already available.

[1] https://medium.com/@cretezy/masterpassx-a-better-stateless-password-generator-a06b93b9aa8c
[2] https://www.reddit.com/r/netsec/comments/7mymqw/masterpassx_a_better_stateless_password_generator/drxp1dd/
[3] https://ae7.st/g/test.html
    https://apps.cygnius.net/passtest/
    https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
    https://github.com/dropbox/zxcvbn

BTW: the author of the mentioned solution answered your previous concerns: https://www.reddit.com/r/programming/comments/7myfjg/masterpassx_a_better_stateless_password_generator/drya603/

palant commented 6 years ago

This password entropy meter is using the zxcvbn library, which is exactly what Easy Passwords is using as well. Easy Passwords is merely presenting the results differently, in a way that is easier to interpret than a number of bits. Also, Easy Passwords has other expectations: any password getting zxcvbn score 3 (corresponds to around 26 bits) or higher is considered good enough, even though score 4 (corresponds to around 33 bits) is clearly preferable. In general, expecting humans to remember passwords with more than 40 bits of entropy is unrealistic, and we should improve the hashing function instead. The "safe" 70 bits are only relevant with a horribly crappy hashing function (cracking within a year requires testing 38,000 billion guesses per second).

Any objections against resolving this as "worksforme"?
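
The arithmetic behind the numbers in the comment above, as an added worked example (this is not code from PFP/Easy Passwords or from zxcvbn): the score thresholds are zxcvbn's published guess bounds from its scoring module (1e3, 1e6, 1e8, 1e10 guesses), and the attacker hash rates and cost factors are constructed values used only to show how a slower hashing function trades against entropy.

```javascript
// Added example: relates bits of entropy, zxcvbn-style scores and the guess rate an
// attacker needs, so the thread's figures (score 3 ~ 26 bits, score 4 ~ 33 bits,
// 70 bits ~ 38,000 billion guesses/second for a one-year crack) can be checked.

const SECONDS_PER_YEAR = 365 * 24 * 3600;

// zxcvbn's guesses_to_score bounds: the score is the number of these bounds the
// estimated guess count exceeds (reproduced here so the example runs offline).
const ZXCVBN_SCORE_BOUNDS = [1e3, 1e6, 1e8, 1e10];

// Map an estimated guess count to a zxcvbn score 0..4. zxcvbn adds a small DELTA so a
// count sitting exactly on a bound still gets the lower score.
function guessesToScore(guesses) {
  const DELTA = 5;
  let score = 0;
  for (const bound of ZXCVBN_SCORE_BOUNDS) {
    if (guesses >= bound + DELTA) score++;
  }
  return score;
}

// Entropy in bits for a guess count, and the minimum entropy at which a score starts:
// score 3 begins at log2(1e8) ~ 26.6 bits, score 4 at log2(1e10) ~ 33.2 bits.
function guessesToBits(guesses) {
  return Math.log2(guesses);
}
function minBitsForScore(score) {
  return score === 0 ? 0 : Math.log2(ZXCVBN_SCORE_BOUNDS[score - 1]);
}

// Guesses per second needed to exhaust a 2^bits keyspace within `seconds`.
// For 70 bits and one year this is roughly 3.7e13, i.e. ~37,000 billion/s.
function requiredGuessRate(bits, seconds) {
  return Math.pow(2, bits) / seconds;
}

// Years to exhaust the keyspace when the attacker's hardware computes `hashesPerSecond`
// raw hashes and the password hashing function costs `costFactor` raw hashes per guess
// (constructed parameters, e.g. a PBKDF2 iteration count; not PFP's actual settings).
function yearsToExhaust(bits, hashesPerSecond, costFactor) {
  const guessesPerSecond = hashesPerSecond / costFactor;
  return Math.pow(2, bits) / guessesPerSecond / SECONDS_PER_YEAR;
}

// A slower hash is worth entropy: each doubling of the cost factor equals one extra bit,
// which is the point of "improve the hashing function instead" for human-sized passwords.
function equivalentBitsGained(costFactor) {
  return Math.log2(costFactor);
}

// Stand-alone demonstration.
console.log("score 3 starts at", minBitsForScore(3).toFixed(1), "bits");
console.log("score 4 starts at", minBitsForScore(4).toFixed(1), "bits");
console.log("70 bits in 1 year needs", (requiredGuessRate(70, SECONDS_PER_YEAR) / 1e9).toFixed(0), "billion guesses/s");
console.log("33 bits, 1e12 raw hashes/s, cost 1:      ", yearsToExhaust(33, 1e12, 1).toExponential(2), "years");
console.log("33 bits, 1e12 raw hashes/s, cost 2^20:   ", yearsToExhaust(33, 1e12, 2 ** 20).toExponential(2), "years");
console.log("cost 2^20 is worth", equivalentBitsGained(2 ** 20), "extra bits");
```

The `yearsToExhaust` lines make the thread's argument concrete: at a constructed rate of 1e12 raw hashes per second, a score-4 (33-bit) password with a cost-1 hash falls in well under a second, while a cost factor of 2^20 pushes the same password to the equivalent of 53 bits, so strengthening the hash is what closes the gap that memorable passwords cannot.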

ghost commented 6 years ago

Sorry, I didn't check what easypasswords already does. Is there a reason why the zxcvbn version is hardcoded to 4.3.0 (https://github.com/palant/easypasswords/blob/master/data/panel/panel.html#L12)?

Anyway, this can be closed.

palant commented 6 years ago

It's not hardcoded, this is merely the file name of the version we currently use. I keep the version number in the file name so that AMO reviewers don't need to track it down. But - sure, we should update zxcvbn.

palant commented 6 years ago

For reference, there is now an article under https://pfp.works/documentation/choosing-master-password/ on the topic, linked when you set a master password.