pwsafe / pwsafe

Password Safe - popular secure and convenient password manager
https://pwsafe.org

[wx] Using strong passwords with a Yubikey #1300

Closed nobugshere closed 1 day ago

nobugshere commented 3 weeks ago

Related to the discussion in #1299

@ronys, if one does enter a PW with a Yubikey, do you think it should go through the same strength test(s) as for a PW-only entry, and the user alerted if it doesn't pass? (Currently, that is not the case.) I think the main reason for using a PW with a Yubikey is in case someone steals your key. So, if you set one, it should be a good one. But it is optional anyway, so I keep going back and forth on this :-)

This is in reference to the WX version; I haven't checked the behavior of the Windows version.

ronys commented 3 weeks ago

The user should be able to choose whether to rely only on a Yubikey, with no password, or whether to use two-factor authentication, both a Yubikey and a password. Even in the former case, the attacker needs both the key and the database.

nobugshere commented 3 weeks ago

I agree with all of that. My only question was: If the user enters a password, should we perform the strength check and warn if it is considered weak? The user could still choose to use it anyway.

ronys commented 3 weeks ago

I'm OK with that. Note that changing the strength check to something less trivial (e.g., zxcvbn) is on my todo list...