password audit function, is the display in Keepassium really reliable? #428
Hello,
Replies: 1 comment 2 replies
The question seems to mix up two different features: password quality estimation and password audit (both described here). Password audit indeed depends on the "Have I Been Pwned" service. It answers the question "How many times can this password be found among known leaked credentials?" The answer does not say anything about password quality, only whether this particular password has been entered on a phishing page or the like. This is a precise result returned by the online service, so you will get the same answer from different apps. In turn, password quality estimation works locally on the device and tries to guess how complex the password is per se. There is no way to calculate this precisely, since we usually don't know how the password was generated. Instead, the estimation algorithm relies on certain assumptions, which vary between algorithms.
Either algorithm can be tricked into misrecognizing a weak password as a strong one. But if either of them says the password is weak, you should definitely change it.
There is no need for an online service to recognize weak passwords. For the "how", I will refer you to the presentation by Daniel Lowe Wheeler, the person who created the zxcvbn library: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
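As an added illustration of the two different questions the answer distinguishes (this is not KeePassium's code, and the local estimator is a toy model with assumed rules, not zxcvbn's algorithm): an exact-match lookup in a constructed leak sample sits next to an offline strength estimate. A random-looking password rated strong locally can still be leaked, while a l33t-tweaked dictionary word is rated weak without any online service.

```python
import hashlib

# Constructed stand-in for a leaked-credential corpus (invented counts, not HIBP data).
LEAKED_COUNTS = {"password": 9_545_824, "qwerty123": 3_912_816, "Xk9#mQ2v": 3}
LEAKED_BY_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper(): n
                  for p, n in LEAKED_COUNTS.items()}

def audit_leak_count(password: str) -> int:
    """Password audit: how often this exact password occurs in the known-leak sample."""
    return LEAKED_BY_SHA1.get(hashlib.sha1(password.encode()).hexdigest().upper(), 0)

# Local quality estimation: a toy model of the zxcvbn idea (assumed rules, not its algorithm).
COMMON_WORDS = sorted({"password", "qwerty", "correct", "horse", "battery", "staple"},
                      key=len, reverse=True)
DICT_SIZE = 10_000                 # assumed size of the attacker's word list
LEET = str.maketrans("0431@$", "oaelas")

def _segment(s: str):
    """Greedy split of s into dictionary words; None if anything is left over."""
    parts = []
    while s:
        word = next((w for w in COMMON_WORDS if s.startswith(w)), None)
        if word is None:
            return None
        parts.append(word)
        s = s[len(word):]
    return parts

def estimate_guesses(password: str) -> float:
    """Guesses an attacker needs under the toy model: dictionary words with l33t, case
    and a digit/symbol suffix cost little; anything else is brute force over its charset."""
    stem = password.rstrip("0123456789!&#@")
    words = _segment(stem.translate(LEET).lower())
    if words:
        tweaks = 2 ** (stem != stem.lower())                 # capitalisation used
        tweaks *= 2 ** (stem.translate(LEET) != stem)        # l33t substitution used
        tweaks *= 10 ** (len(password) - len(stem))          # each suffix char ~10 options
        return float(DICT_SIZE ** len(words) * tweaks)
    charset = sum(n for n, test in ((26, str.islower), (26, str.isupper), (10, str.isdigit))
                  if any(test(c) for c in password))
    charset += 33 * any(not c.isalnum() for c in password)
    return float(charset ** len(password))

def rate(password: str) -> str:
    """Strength label from the estimate; the thresholds are assumed, not zxcvbn's."""
    guesses = estimate_guesses(password)
    return "weak" if guesses < 1e8 else "medium" if guesses < 1e12 else "strong"
```

Run `rate(p)` and `audit_leak_count(p)` side by side: they disagree on "Xk9#mQ2v" (strong, yet leaked) and on "correcthorsebatterystaple" (strong, not leaked), which is exactly why the two results should not be read as the same thing.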