Keepassxc: Password Generator - Unable increase the password size more than 128 characters

Created on 22 Aug 2020 · 5 Comments · Source: keepassxreboot/keepassxc

Overview

I have a problem with version 2.6 of KeePassXC generating passwords with more than 128 characters, because for security I use longer lengths (between 250 and 999).

Steps to Reproduce

  1. Open the Password Generator
  2. Go to the password length field and enter the size.
  3. It only lets you type up to the number 128.

Expected Behavior

Before, I could create passwords with the password generator with a size of up to 999 characters.

Actual Behavior

Now, I can only create passwords with the password generator with a size of up to 128 characters.

Context

Now I cannot update the entries with passwords created at the length that was previously possible, because the password generator has the limit of 128 characters. I would appreciate it if you take this feature into account again so that the generator could create passwords of up to 999 characters.

_Thank you very much and best regards._

KeePassXC - Versión 2.6.0
Revisión: 0765954

Qt 5.15.0
Modo de depurado deshabilitado.

Sistema operativo: openSUSE Tumbleweed
Arquitectura de CPU: x86_64
Núcleo: linux 5.8.0-1-default

Extensiones habilitadas:

  • Autoescritura
  • Integración con Navegadores
  • Agente de SSH
  • KeeShare (compartir firmado y sin firmar)
  • YubiKey
  • Integración de servicio de secretos

Librerías criptográficas:
libgcrypt 1.8.6

bug

All 5 comments

No additional protection is given past 64 characters in almost all scenarios. Passwords are hashed on websites and those hashes are 64 characters or shorter. Additionally, the bcrypt algorithm has a max length of 50-72 characters. https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length

Hello

Excuse my insistence, but is it possible that the password generator in KeepassXC can create passwords with lengths greater than 128, if there are other generators that allow it (in CLI: pwgen, in GUI: keepass)? I know that for most of the scenarios a length handling of 128 is sufficient, but I think that it should not be limited, since in some cases like with LUKS you can use passwords with lengths of 512 characters.

A greeting

There is absolutely no point in generating passwords that long. Even if LUKS allows passwords that long, there is nothing to be gained, assuming the KDF/hash function is somewhat decent (which in the case of PBKDF2/bcrypt and Argon2/Blake2 we can do).

The encryption is done with AES using a 128-bit block size and a 128-256-bit key. That is, your search space for guessing the correct key is 2^256 (you need half that on average if guessing randomly). A 512-character ASCII password with only numbers, uppercase and lowercase letters would on average need 62^(512-1) guesses. That's somewhere in the order of 10^915. The atoms in the universe are estimated somewhere at 10^82 for comparison. So there is absolutely no point in trying to guess that password when it is so much easier to just guess the transformed 256-bit AES key instead. With 8 billion guesses per second, you'd be done in about 2x10^59 years instead of 3x10^898. Easy.
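The arithmetic in the comment above, as an added example that is not from the thread or from KeePassXC: it compares the brute-force cost of a random password with the cost of guessing the derived symmetric key directly, so the strength an attacker actually faces is the smaller of the two. The alphabet size, key size and guess rate are assumed inputs taken from the comment.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_password_guesses(alphabet_size: int, length: int) -> int:
    """Average brute-force guesses for a random password: half the keyspace.
    Exact big-int arithmetic, because 62**512 is far beyond float range."""
    return alphabet_size ** length // 2


def expected_key_guesses(key_bits: int) -> int:
    """Average guesses to recover a random symmetric key directly: 2**(bits-1)."""
    return 2 ** (key_bits - 1)


def log10_years(guesses: int, guesses_per_second: float) -> float:
    """log10 of the years needed at a given guess rate; math.log10 accepts
    arbitrarily large ints, so this never overflows a float."""
    return math.log10(guesses) - math.log10(guesses_per_second * SECONDS_PER_YEAR)


def effective_bits(alphabet_size: int, length: int, key_bits: int) -> float:
    """Strength the attacker actually faces: the cheaper of the two attacks."""
    return min(entropy_bits(alphabet_size, length), key_bits)


def length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Shortest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    alphabet = 62   # assumed: digits + upper + lower, as in the comment
    key_bits = 256  # assumed: a 256-bit AES data key
    rate = 8e9      # assumed: 8 billion guesses per second, as in the comment
    print(f"key: {key_bits} bits, ~10^{log10_years(expected_key_guesses(key_bits), rate):.0f} years")
    for length in (16, length_for_bits(alphabet, key_bits), 128, 512):
        bits = entropy_bits(alphabet, length)
        years = log10_years(expected_password_guesses(alphabet, length), rate)
        print(f"len {length:3d}: {bits:7.1f} bits, ~10^{years:.0f} years, "
              f"effective {effective_bits(alphabet, length, key_bits):.0f} bits")
```

Once the password's entropy passes the key size, every extra character only adds cost for the user; with this alphabet that crossover is at 43 characters for a 256-bit key.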

I also face this issue. I strongly suggest increasing the limit back to what it was before.

In some cases, long passphrases of 512 characters are mandatory where there is no hash being applied, for example in the case of a plain dm-crypt volume (no LUKS header).

Please remove this arbitrary limitation. There is no valid reason to impose this kind of limit upon the user.

Did you even read my response? There is no way you need 512-character passwords unless you are trying to create a one-time pad.
