
keepassxc-cli estimate shows different value for passphrases than our passphrase generator #2347

Closed
phoerious opened this issue Oct 2, 2018 · 1 comment

Comments

@phoerious
Member

phoerious commented Oct 2, 2018

Expected Behavior

keepassxc-cli estimate and our passphrase generator should show the same entropy estimate for the same passphrase.

Current Behavior

Passphrases entered into keepassxc-cli estimate are analysed and estimated as passwords.

Possible Solution

Try to detect passphrases or add an explicit option.

Context

The alphabet definition for passphrases is different, hence different entropy values.

Debug Info

KeePassXC - Version 2.4.0-snapshot
Build Type: Snapshot
Revision: a4c6529

Libraries:

  • Qt 5.11.2
  • libgcrypt 1.8.3

Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 4.18.9-arch1-1-ARCH

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • YubiKey
@phoerious phoerious added this to the v2.4.0 milestone Oct 2, 2018
@TheZ3ro
Contributor

TheZ3ro commented Oct 3, 2018

I don't really agree, and this is not an easy subject (as every other entropy-related issue like #867 and #2061).
For my motivation see my comment here: #867 (comment).

I think at this point we should divide the entropy calculation the following way (as proposed in #2061 (comment)):

Generators -> display the "exact" entropy from their source, and based on their options (for example the Password generator set to only uppercase letters with length 5 should display 26^5 equivalent)

Analyzers (like the cli one) -> display the "observable" entropy without knowledge about the source (doesn't matter if the password came from a diceware list or from another only-uppercase generator because we don't know and the attacker doesn't) using zxcvbn

The other possibility is to use zxcvbn everywhere
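To make the generator/analyzer split discussed above concrete, here is an added Python example (not KeePassXC code and not zxcvbn): the generator side computes log2 of the number of equally likely outputs its source can produce, while a simplified character-class analyzer, which stands in for any estimator that does not know the source, infers an alphabet from the characters it sees. The five sample words and the 7776-word list size are constructed assumptions.

```python
import math

# Generator-side ("exact") entropy: the generator knows how many equally likely
# outputs its source can produce. Example from the thread: uppercase-only,
# length 5 -> log2(26^5) = 5 * log2(26).
def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Passphrase generator: each word drawn uniformly from a word list, so the
# alphabet is the word list, not the characters of the words.
def wordlist_entropy_bits(wordlist_size: int, word_count: int) -> float:
    return word_count * math.log2(wordlist_size)

# Simplified stand-in for a source-agnostic, character-based analyzer
# (assumption: NOT zxcvbn, which also does dictionary and pattern matching).
# It infers an alphabet from the character classes present in the string;
# the class sizes add up to the 95 printable ASCII characters.
def observed_alphabet_size(secret: str) -> int:
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # space plus ASCII punctuation, treated as one class
    return size

def naive_charset_estimate_bits(secret: str) -> float:
    return len(secret) * math.log2(observed_alphabet_size(secret))

def compare_estimates(words: list, wordlist_size: int, separator: str = " ") -> dict:
    """Generator-side vs analyzer-side bits for one passphrase built from `words`."""
    passphrase = separator.join(words)
    return {
        "passphrase": passphrase,
        "generator_bits": wordlist_entropy_bits(wordlist_size, len(words)),
        "naive_analyzer_bits": naive_charset_estimate_bits(passphrase),
    }

if __name__ == "__main__":
    # Constructed sample: five words as if drawn from a 7776-word list (assumed size).
    sample = ["apple", "river", "stone", "cloud", "maple"]
    print(f"uppercase-only, length 5: {charset_entropy_bits(26, 5):.2f} bits")
    for key, value in compare_estimates(sample, 7776).items():
        print(key, value)
```

The same 29-character string scores about 64.6 bits from the generator's point of view and about 170.6 bits from the naive character-class view, which is the "different alphabet definition" the issue describes.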

@droidmonkey droidmonkey modified the milestones: v2.4.0, v2.5.0 Jan 21, 2019
@phoerious phoerious modified the milestones: v2.5.0, v2.6.0 Oct 26, 2019
@droidmonkey droidmonkey modified the milestones: v2.6.0, v2.7.0 May 30, 2020
@droidmonkey droidmonkey removed this from the v2.7.0 milestone Mar 21, 2022