Cryptomator: Feature: Actively encourage "safe passwords" in interface.

Created on 3 Oct 2019 · 4Comments · Source: cryptomator/cryptomator

Please consider impleneting a GUI feature, that encourages using strong passwords.

More specifically, while the indicator is useful to warn about particularly weak passwords, it won't help users who have bad ideas about password safety. Notably, it will claim that "H3llo123" is a better password than the random-word sequence backed derrick buckling mountains glove client procedures desire destination sword hidden ram escalation rounding meaning strain owe thus aspect indicate matter. (For the record, I haven't used that one ;) )

Background

When I noticed, that they keyfile is being stored in the cloud, I started hunting down information about practices to mitigate the risk of brute-force attacks. Despite relatively good knowledge on applying encryption from over a decade of reading tech articles ehem, I found myself stuck with the idea of using a rememberable password for fear of losing access.

After cross-linking the information of "Why is the master key stored in the cloud", "Password Advice" and "Security Architecture", I finally figured, that I'll best use a long random password stored in a password manager, for which the keyfile is not cloud-accessible.

Knowing, that most of my friends still won't remove themselves from the idea that "H3llo123" is a secure password, I'm going to assume that many users will gravitate towards bad practices for their passwords.

It might be worth considering to include the recommedation for using a sufficiently long randomly generated password and a password manager into the "Change password" and "Create New Vault" GUIs, possibly with a random-alphanumeric-string generator. (How many characters would be considered secure actually?)

blocked feature-request upstream-bug

Source

kbauer

Most helpful comment

I just debugged zxcvbn (that algorithm to rate password strength) and found out that while backed derrick buckling mountains glove client procedures desire destination sword hidden ram escal is perfectly strong, backed derrick buckling mountains glove client procedures desire destination sword hidden ram escala is _too_ strong:

It leads to an overflow in the strength calculation. 😂

Regarding the "recommendation": We plan to include links to the documentation in several places of the UI. Tips for a good password choice are certainly a relevant information that we should include.

A password generator is not currently planned, I see some problems here with people just blindly generating a password and forgetting it the next day. Therefore they should rather use the password generator included in their password manager or (while not recommended in most cases) a password they came up with themselves.

overheadhunter on 4 Oct 2019

😄2

All 4 comments

It leads to an overflow in the strength calculation. 😂

Regarding the "recommendation": We plan to include links to the documentation in several places of the UI. Tips for a good password choice are certainly a relevant information that we should include.

overheadhunter on 4 Oct 2019

😄2

@overheadhunter
A small question:
are we discussing entropy bit here or a special quality estimation algorithm like that in KeePass

Riajyuu on 11 Dec 2019

The latter. See zxcvbn.

overheadhunter on 11 Dec 2019

We plan to include links to the documentation in several places of the UI.

This will be added in 1.5.x. The minimum password length (mainly driven by GDPR requirements) is implemented in #1018 and the strength overflow is something that needs to be fixed upstream.

overheadhunter on 12 Feb 2020

Was this page helpful?

0 / 5 - 0 ratings