password-manager-resources
Add 2 new rules and 1 new option for greater flexibility
Hey everyone!
I recently finished my Master's degree and my dissertation was about "SmartPasswords: Increasing Password Managers' Usability by Generating Compliant Passwords".
In this project, we built a prototype of a password manager that could interpret password rules and generate compliant passwords. We based our work on this repo and, mainly, the rules and the parser.
During the development of the project, we came up with some improvements that we now would like to share with you, and hopefully, have them incorporated here :)
You can view our repo here.
Contributions
New Rules
- blocklist: instructs password managers to check the generated password --- and any substring of it --- against a list of forbidden passwords. This behaviour is suggested by researchers [1]. This rule takes two values:
  - default: the password manager will check the password against a list of the top 100k most used passwords, according to SecLists
  - hibp: the password manager will check the password against Have I Been Pwned's list, which contains more than 500 million passwords.

So if the default list contains the words hello, world, and 123, with the blocklist: default; rule present, passwords that contain any substring that matches these 3 words should not be generated.
- minclasses: allows the specification of the minimum number of character classes that must be present in the password. This rule takes 4 values:
  - 1, which is the default --- every password must contain, at least, 1 character class
  - 2
  - 3
  - 4

So, for the rule minclasses: 2; the password can have a combination of any two character classes. From our understanding, this was not achievable with the base rules established here. This allows for the description of common research policies, such as 3c8 --- at least 3 character classes and a minimum length of 8.
New Option
We also added a new option: allow the specification of a range for both characters and character classes.
To use this option, one only needs to add parentheses followed by the minimum range and the maximum range ---
<custom_character_class>(minimum_range, maximum_range) | <character_class>(minimum_range, maximum_range)
This allows for greater flexibility to express more restrictive policies.
Example
required: upper (3, 5); required: [aeiou](5,5); allowed: special (0,4); lower; minlength: 14;
- The password must contain at least 3 uppercase letters and no more than 5
- The password must contain exactly 5 lowercase vowels
- The password can contain, at most, 4 special characters
- The password can contain lowercase letters
This new option also allows for the translation of all Google's API records to the Password Policy Rules formats. Because Google's API has constraints regarding minimum and maximum frequency of character classes, this new option would facilitate the translation, mentioned in this issue.
Misc
- npm package with a TypeScript version of the parser used here. This package has the base parser of this repo, as well as our additions to the rules and their respective parsing.
Hopefully, our work can be a valuable addition to this amazing project.
I am available to discuss further details :)
Hello @mikibakaiki! Is there any chance you could share a link to your paper, "SmartPasswords: Increasing Password Managers’ Usability by Generating Compliant Passwords"?
Hey there @peterstory :) Sorry for the late reply!
Here is the link for my thesis. I would suggest you look into the thesis itself because it is more detailed than the extended abstract :)
@mikibakaiki Thank you for sharing that link! However, I see a message that:
Thesis documents not publicly available yet
Any idea when the thesis document itself will become available?
Oh, I thought it was! I'm unsure, but I'll try and get a link ASAP!
@peterstory Here it is, this time working 😄
Excellent, thank you for sharing! :)