Bug 45775 - Display password quality interactively
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: UMC - Wizards
UCS@school 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS@school maintainers
Depends on: 45772 45773 45774
Reported: 2017-11-27 10:56 CET by Jan Christoph Ebersbach
Modified: 2020-07-14 11:25 CEST (History)

What kind of report is it?: Feature Request
Bug group (optional): Security

Description Jan Christoph Ebersbach univentionstaff 2017-11-27 10:56:56 CET
+++ This bug was initially created as a clone of Bug #45774 +++

+++ This bug was initially created as a clone of Bug #45773 +++

+++ This bug was initially created as a clone of Bug #45772 +++

The BSI recommendations on passwords suggest displaying the password quality interactively while the user is typing it: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m02/m02011.html

This would enhance the security in key scenarios greatly because school districts often suffer from hacked user accounts.
Comment 1 Ole Schwiegert univentionstaff 2018-04-25 09:02:51 CEST
To display the quality of a password we first have to settle on a way to determine a password's quality. There are lots of different criteria/policies that score a password from unsafe to safe. Many of them include policies like minimum length, requiring the inclusion of lower-case, upper-case, special characters etc.

A common denominator among most password evaluation programs is calculating the entropy of a given password. It is calculated by H = log_2(N^L) = L*log_2(N), where H is the entropy in bits, L the length of the password and N the size of the password's universe. The interpretation is as follows:

If a password has a strength (entropy) of H=6, an attacker would need 2^6 tries to check every possible password during a brute force attack. So we could create an easy calculation to display the time needed to crack a password of given entropy H:

T = 2^H * t * 0.5, where T is the estimated crack time, H the entropy and t the time needed for one guess. The term *0.5 is included since we want to calculate the average crack time and not the time needed to explore the complete password space.

All these calculations have one major caveat: they require truly random passwords. Humans, though, tend to use patterns in their passwords like names, spatial patterns, etc. This decreases the entropy of a password significantly! For this reason there exist the various types of policies mentioned at the beginning, in an effort to force more entropy into a human's process of creating a password. And this is where libraries and policies start to differ significantly as well.

The problem now is that many of these policies hardly increase entropy or even prevent users from creating safe passwords. Since a picture explains more than a thousand words: https://xkcd.com/936/

The requirement for a good password strength calculation is now to calculate the entropy of a password with respect to the non-random nature of humans. One very promising JS library that works completely in the browser is zxcvbn, which was created for Dropbox and incorporates a lot of thought about the caveats of entropy into its process. It is also quite lightweight (ca. 400KB gzipped including dictionaries) and features a full-fledged article by the author telling everything I summarized here and explaining the lib in detail.

There are two things to keep in mind with this library:
- The provided dictionaries are English only and would have to be extended or replaced with German dictionaries (Wikipedia and such pages can be used to query the most-used words etc.)
- This library has no support for any password policies whatsoever, since this contradicts in some way the premise of the library (including policies like password length, requiring certain character types etc. could be implemented on top. This would give us policies if necessary but maintain the "superior" strength calculation done by the lib's approach)

Repo: https://github.com/dropbox/zxcvbn
Article: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
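The contrast drawn in Comment 1, as an added example that is not part of the bug report, of Univention's code or of zxcvbn: the naive formula H = L*log_2(N) and T = 2^H * t * 0.5 next to a tiny pattern-aware estimator in zxcvbn's spirit (dictionary word with case and trailing digits), with a simple policy layer on top. The character classes, the word list, the policy thresholds and the guess rate are constructed assumptions for illustration.

```javascript
// Added example (not code from the bug report, Univention, or zxcvbn):
// the naive entropy estimate from Comment 1 next to a tiny pattern-aware
// estimator in zxcvbn's spirit, with a policy layer on top. The character
// classes, the word list, the thresholds and the guess rate are assumptions.

// Character classes used to derive the alphabet size N for the naive formula.
const CLASSES = [
  { name: 'lower',  re: /[a-z]/,        size: 26 },
  { name: 'upper',  re: /[A-Z]/,        size: 26 },
  { name: 'digit',  re: /[0-9]/,        size: 10 },
  { name: 'symbol', re: /[^A-Za-z0-9]/, size: 33 }, // printable ASCII punctuation
];

// H = L * log2(N): N is the summed size of the classes present, L the length.
function naiveEntropyBits(pw) {
  const n = CLASSES.filter((c) => c.re.test(pw)).reduce((s, c) => s + c.size, 0);
  return pw.length * Math.log2(n || 1);
}

// T = 2^H * t * 0.5: average crack time in seconds for a guess time t.
function crackTimeSeconds(bits, secondsPerGuess) {
  return Math.pow(2, bits) * secondsPerGuess * 0.5;
}

// Constructed toy frequency list (rank = index + 1). A real deployment needs a
// large German list, as Comment 1 notes; a few German/English words suffice here.
const DICTIONARY = ['passwort', 'password', 'schule', 'sommer', 'berlin', 'hallo', 'welcome', 'qwertz'];

// Pattern-aware guess count: split off trailing digits; if the stem is a
// dictionary word, an attacker walking the list in rank order with common
// mangling needs roughly rank * (case variants) * 10^(digit count) guesses.
// Anything else falls back to the naive 2^H.
function patternGuesses(pw) {
  const [, stem, digits] = /^(.*?)(\d*)$/.exec(pw); // always matches
  const rank = DICTIONARY.indexOf(stem.toLowerCase()) + 1;
  if (rank > 0) {
    const caseVariants = stem === stem.toLowerCase() ? 1 : 2; // "Passwort" vs "passwort"
    return rank * caseVariants * Math.pow(10, digits.length);
  }
  return Math.pow(2, naiveEntropyBits(pw));
}

function patternEntropyBits(pw) {
  return Math.log2(patternGuesses(pw));
}

// Policy layer on top of the estimator (zxcvbn itself ships none).
// Returns the list of violated rules; an empty list means the policy passes.
const POLICY = { minLength: 8, minBits: 40 }; // assumed thresholds
function policyViolations(pw) {
  const v = [];
  if (pw.length < POLICY.minLength) v.push('shorter than ' + POLICY.minLength + ' characters');
  if (patternEntropyBits(pw) < POLICY.minBits) v.push('fewer than ' + POLICY.minBits + ' bits (pattern-aware)');
  return v;
}

// Demo at an assumed 10^9 guesses/s: "Passwort1" looks like 53.6 bits
// naively but costs about 20 guesses once the word list is known.
const GUESS_SECONDS = 1e-9;
for (const pw of ['Passwort1', 'schule', 'xK9#qL2v']) {
  console.log(pw.padEnd(10),
    'naive', naiveEntropyBits(pw).toFixed(1), 'bits |',
    'pattern', patternEntropyBits(pw).toFixed(1), 'bits |',
    'crack', crackTimeSeconds(patternEntropyBits(pw), GUESS_SECONDS).toExponential(2), 's |',
    'violations', JSON.stringify(policyViolations(pw)));
}
```

The point of the comparison is the one the comment makes: a meter driven by the naive formula would show "Passwort1" as strong (three character classes, nine characters), while any guesser with a German word list reaches it in a handful of tries. In a real UMC wizard the pattern-aware step would be zxcvbn with a German dictionary, and only the policy layer would be written locally.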
Comment 2 Ole Schwiegert univentionstaff 2018-04-25 09:49:02 CEST
I forgot to append two more sources I used for research:

https://en.wikipedia.org/wiki/Password_strength
https://tools.ietf.org/html/rfc4086