Package: keepassx
Version: 0.4.3-1
Severity: important
Dear Maintainer,
The pronounceable password generator lets the user select which types of
characters should be included in the password. However these indications are
rarely taken into account. For all the tests below the 'Ensure that password
contains characters from every group' checkbox of the 'Random' password
generator tab was checked although it should not have any impact on the
pronounceable password generator. Still I noticed the following problems:
* The most important issue is that, for a length of 25 characters, the
generator announces a quality of 118 bits for 'Lower Letters' only passwords,
and 129 bits if 'Numbers' are added. However, in this configuration only one in
ten generated passwords actually has any digit in it. This means 90% of the
generated passwords are weaker than announced. Yet the generator could easily
work some digits in by performing some l33t substitutions.
Maybe the right fix is to add the 'Ensure that password contains characters
from every group' checkbox to the pronounceable password generator.
* If one selects only 'Numbers' the quality drops to 83 bits which makes
sense. But the generated passwords still contain lower case characters as
proven by these passwords:
hokophelocyolurkeatneybof
kedwyibowjackipjodvatniek
In fact they may not contain digits at all! (but at least the quality is
still more than 83 bits)
* Similarly, if one only selects 'Upper Letters' the generated passwords still
contain lower case letters, as in this password: AmicWoybogUnyudsyeejyedsa
* Again the same thing happens if one selects only 'Special Characters' as
shown here: viaryakodd]quifimnidfeurs
If the generator always adds lower case letters to the passwords then one
should not be able to deselect the 'Lower Letters' checkbox. However these
options seem to work fine in the random generator so it would only make sense
to make them work in the pronounceable generator too.
Note: I tested this in both the fr_FR.utf8 and the C locales.
Nitpick: it should also probably be 'digits' rather than 'numbers'.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages keepassx depends on:
ii libc6 2.13-21
ii libgcc1 1:4.6.1-4
ii libqt4-xml 4:4.7.3-5
ii libqtcore4 4:4.7.3-5
ii libqtgui4 4:4.7.3-5
ii libstdc++6 4.6.1-4
ii libx11-6 2:1.4.4-2
ii libxtst6 2:1.2.0-3
keepassx recommends no packages.
keepassx suggests no packages.
-- no debconf information
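The following is an added illustration written for this page; it is not KeePassX code. It shows the mismatch the report describes: the advertised quality is derived from the character groups the user selected, while the generated password may not contain those groups at all. It assumes the quality figure is length × log2(size of the selected alphabet); with the group sizes below that assumption reproduces the 118, 129 and 83 bit figures quoted above. The group names and the set of 'Special Characters' are assumptions, and the sample passwords are the ones quoted in the report.

```python
import math
import secrets
import string

# Assumed character groups (the special-character set is a guess,
# not KeePassX's actual table).
GROUPS = {
    "lower": string.ascii_lowercase,          # 26
    "upper": string.ascii_uppercase,          # 26
    "digits": string.digits,                  # 10
    "special": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",  # 32
}


def advertised_bits(length, selected):
    """Quality as a generator would announce it: it only looks at the
    groups the user ticked, not at the password that comes out."""
    alphabet_size = sum(len(GROUPS[g]) for g in selected)
    return length * math.log2(alphabet_size)


def groups_present(password):
    """Which groups actually occur in a concrete password."""
    return {g for g, chars in GROUPS.items() if any(c in chars for c in password)}


def check_password(password, selected):
    """Return (ok, missing, extra): groups that were selected but absent,
    and groups that were not selected but present anyway."""
    present = groups_present(password)
    missing = set(selected) - present
    extra = present - set(selected)
    return (not missing and not extra, missing, extra)


def effective_bits(password):
    """Upper bound on quality based on the groups really present, i.e.
    what an attacker who guesses the reduced alphabet would face."""
    present = groups_present(password)
    alphabet_size = sum(len(GROUPS[g]) for g in present)
    return len(password) * math.log2(alphabet_size)


def generate_with_all_groups(length, selected, max_tries=10000):
    """Random generator with the 'Ensure that password contains characters
    from every group' behaviour: draw uniformly from the selected alphabet
    and reject candidates that miss a selected group."""
    alphabet = "".join(GROUPS[g] for g in selected)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(candidate, selected)[0]:
            return candidate
    raise RuntimeError("could not satisfy all groups; length too short?")


if __name__ == "__main__":
    # Passwords quoted in the report, with the groups that were selected.
    samples = [
        ("hokophelocyolurkeatneybof", ["digits"]),
        ("kedwyibowjackipjodvatniek", ["digits"]),
        ("AmicWoybogUnyudsyeejyedsa", ["upper"]),
        ("viaryakodd]quifimnidfeurs", ["special"]),
    ]
    for pw, selected in samples:
        ok, missing, extra = check_password(pw, selected)
        print(f"{pw}: selected={selected} advertised={advertised_bits(len(pw), selected):.0f}"
              f" effective<={effective_bits(pw):.0f} missing={missing} extra={extra}")
    print("fixed:", generate_with_all_groups(25, ["lower", "digits"]))
```

Running the script prints, for each quoted password, the quality the generator would announce for the selected groups next to the bound implied by the groups that are actually present, and finally a password from the rejection-sampling generator that is guaranteed to contain every selected group. Rejection sampling keeps the distribution uniform over the accepted set; the small loss versus the unconstrained alphabet is the price of the guarantee the checkbox promises.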