Passky-Server
Calculate entropy of new account password, instead of asking for certain characters
Describe the bug
I am trying to create an account using a passphrase with a very high (>150 bits) entropy. Passky rejects my passphrase because it doesn't contain any number or special characters.
To Reproduce
Steps to reproduce the behavior:
- Go to https://vault.passky.org/register
- Fill out all fields with some value, and the "password" field with: "scariness untying demeaning algorithm alive stingray"
- See error: "Password must be at least 8 characters long, contains at least one uppercase, one number and one special character: @ $ ! % * # ? & , _ ( ) = - ."
Expected behavior
Being able to register with this very strong passphrase.
Desktop:
- OS: Windows 10
Hello,
Thanks for reporting a bug.
Password strength policies are applied to prevent users from using insecure passwords. If I remove them, then users would be able to use insecure passwords.
One of the main goals of Passky is to be unbloated and easy to use. It would require a lot of unnecessary lines of code to calculate good entropy. It's much more secure for the user to use numbers, special characters and upper case characters than a passphrase like "password password password password password", as an example.
You can use passphrases without any spaces and put a number and special characters at the end, so the password would comply with policies.
It would also be better to use only the first 2 or last 2 characters of every word in the passphrase as a password, as you would create a strong password that won't be included in any wordlist or English dictionary.
Example:
Passphrase: Fish Full Choice Admire Worse She Production
Generated Password: Fifuchadwoshpr443!
I will close this issue, but if you have any comment feel free to open it again.
@zigazajc007 I understand the unbloated part and the fact that calculating entropy might be tedious or overkill, but I would like to stress that P@ssword123 would match Passky's password policy, while still probably being one of the first ten passwords an attacker would try.
What it means is that if we could use a passphrase, we could use "password password password password", but your rule doesn't prevent bad passwords either. If a user doesn't know about password best practices, they'll just use a bad password that is easy to brute force.
Now, maybe we could find a middle ground, like adding a rule saying that the password should at least contain two different character types, and be long enough — say, 16 or 20 characters long?
Thanks, you can expect a change in password strength policy in the next update.
Passky Server has just been updated to v6.1.0. This version has a simple web page that shows you some info on how to use Passky and also reports an error or a warning if one is found.
Example: https://eu1.passky.org
Now I will be able to start working on Passky Clients. The password strength policy will be changed when the Passky Client is updated.
Thanks again for your patience.
I have made a simple JS library for calculating password entropy.
Test Website: https://passwordentropy.rabbit-company.com
Source Code: https://github.com/Rabbit-Company/PasswordEntropy-JS
Currently I have set 80 bits as the minimum. If anyone has other suggestions, feel free to provide them.
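The two policies argued over in this thread, applied to the passwords quoted in it, as an added JavaScript example that is neither Passky's code nor the PasswordEntropy-JS library (the 80-bit minimum, the 7776-word list size and the 33-character punctuation pool are assumptions):

```javascript
// Added example, not Passky's or PasswordEntropy-JS code: class rule vs. entropy rule.

// Character-class rule from the error message quoted in the report.
const SPECIALS = '@$!%*#?&,_()=-.';

function passesClassRule(pw) {
  return pw.length >= 8 &&
    /[A-Z]/.test(pw) &&
    /[0-9]/.test(pw) &&
    [...pw].some((ch) => SPECIALS.includes(ch));
}

// Naive estimate: length * log2(pool), pool = sum of the character classes present.
// Assumes each character was chosen uniformly at random, so it is an upper bound.
function charsetPool(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII punctuation and space (assumed)
  return n;
}

function naiveEntropyBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetPool(pw));
}

// Word-list (diceware) model for a passphrase: log2(listSize) per word, repeats allowed.
// listSize is an assumption; 7776 is the size of a standard diceware list.
function passphraseEntropyBits(phrase, listSize = 7776) {
  return phrase.trim().split(/\s+/).length * Math.log2(listSize);
}

// Combined estimate: for input that looks like a lowercase space-separated passphrase,
// take the lower of the two models, because the naive bound ignores word structure.
function estimateBits(pw, listSize = 7776) {
  const naive = naiveEntropyBits(pw);
  if (/^[a-z]+( [a-z]+)+$/.test(pw)) {
    return Math.min(naive, passphraseEntropyBits(pw, listSize));
  }
  return naive;
}

// Entropy-threshold rule; the 80-bit minimum mentioned in the thread is the default.
function passesEntropyRule(pw, minBits = 80) {
  return estimateBits(pw) >= minBits;
}
```

The models disagree sharply on the reporter's passphrase: roughly 306 bits under the naive estimate but about 77.5 bits under a 7776-word diceware model, so the choice of model matters as much as the threshold.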
Issue closed because it has been implemented in v8.0.0