Increase minimum master password length #8190

Closed
markusd112 opened this issue Jun 23, 2022 · 6 comments · Fixed by #9782
Comments

@markusd112

Overview

It is possible to create password databases with a master password length of only 1 character, which is absolutely insecure. The German magazine „Stiftung Warentest“ has given KeePassXC a bad score because of this issue.
Please set a minimum password length that is secure, or give a warning to the user if the master password is too short.

See actual Test magazine:

https://www.test.de/Passwort-Manager-im-Test-5231532-0/

@markusd112 markusd112 added the bug label Jun 23, 2022
@droidmonkey
Member

We got into a debate about this on Matrix. Personally, I find this to be an asinine finding from the magazine and to rate us poorly because of a user choice / option. The underlying encryption is still just as secure if you use a 1 character password over a 100 character password. What becomes insecure is the possibility of an attacker, who has access to your database file, to more easily guess your password through brute force.

The user can choose to do what they want to afford them the security they want. Whether we restrict the password length to some minimum or supply a warning is irrelevant. They can use any other keepass app to set a single character password and can also just set it to 123456. At the end of the day, why the heck do I care what they decide to set it to?

I can see this argument much more if we were a cloud service and third parties could remotely brute force the authentication. But we are not, you need the database file to even start to do anything.

@markusd112
Author

Yes, I understand that. The magazine is explaining it in the text that KeePassXC is absolutely secure when using a cryptic password with a good length. So maybe some user information that is displayed when choosing a short password would solve the „problem“.

@michaelk83

Done in #7885

@h1z1

h1z1 commented Jun 27, 2022

Conveying anything about the password in effect weakens it because you're also leaking that the policy exists at all, and limits the attack required. The one character may be trivial but knowing it means you don't have to even try them.

@phoerious
Member

> The one character may be trivial but knowing it means you don't have to even try them.

Doesn't really matter; the search space of such trivial passwords is way too small for that to bear any significance.

The next dot release will feature a warning for small passwords and we will think of something else for the next feature release.

@michaelk83

> The next dot release will feature a warning for small passwords and we will think of something else for the next feature release.

Personally, I think the strength indicator is enough.
