Increase entropy required for a "good" rating to 75.

[libklein]

Raise the bits of entropy required to classify as a "good" password to 75. Fixes #8519.

I'd propose to properly separate m_score and m_entropy logic: currently, m_score is initialized with the entropy and "points" are then deducted based on password reuse and expiry date. I think it would be more straightforward to set the score independent of entropy, implement different quality thresholds for both values and return the minimum quality class reached.

[droidmonkey]

I agree, conflating score and entropy is not good behind the scenes. We should give points for the rating scale (-2, -1, 0, 1, 2) something like that. Then proceed with the rest of the scoring process at that scale level.

I didn't realize we also reduce score for expiring passwords, that should be a separate presentation to the user. A date does not make a password bad.

[libklein]

We should give points for the rating scale (-2, -1, 0, 1, 2) something like that. Then proceed with the rest of the scoring process at that scale level.

Also, right now password reuse decreases score (which starts initialized to the entropy) linearly (by "15" for each reuse). I see the motivation behind doing this: the probability of a password leak increases linearly with the number of sites it's used for. Also, better password are less likely to be cracked, hence the initialization. Still, i think that this is pretty arbitrary.

I think we have the following options:

• Always mark reused passwords as bad
• Always mark reused passwords as bad, reduce the score based on password age (initialized with the entropy)
• Score starts as excellent (or the entropy) and is reduced for reused passwords based on password age and the number of occurences (on a linear scale)
• Keep the default behavior

I didn't realize we also reduce score for expiring passwords, that should be a separate presentation to the user. A date does not make a password bad.

What about expired passwords? Should we mark them as bad in the health check?

[droidmonkey]

It is hard to make a metric for such varied reasons for "bad". An expired password is not inherently bad, it's a potentially good password with metadata saying it needs to be changed.

The purpose of the score is to show on the reports view. I think it would be far better to show the general entropy rating and icons for each metadata attribute: reuse, expiring/expired, etc.

[codecov-commenter]

Codecov Report

Base: 64.41% // Head: 64.43% // Increases project coverage by +0.02% 🎉

Coverage data is based on head (b55a59a) compared to base (eaa363d).
Patch coverage: 20.00% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #8523      +/-   ##
===========================================
+ Coverage    64.41%   64.43%   +0.02%     
===========================================
  Files          339      339              
  Lines        43953    43953              
===========================================
+ Hits         28309    28319      +10     
+ Misses       15644    15634      -10     

Impacted Files	Coverage Δ
src/core/PasswordHealth.cpp	60.34% <20.00%> (ø)
src/core/Entry.cpp	82.65% <0.00%> (-0.10%)	⬇️
src/fdosecrets/dbus/DBusMgr.cpp	53.67% <0.00%> (+1.47%)	⬆️
...rc/fdosecrets/widgets/SettingsWidgetFdoSecrets.cpp	59.09% <0.00%> (+3.03%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[droidmonkey]

Let's clean up the scoring process in another PR for 2.8.0