Dynamic minimum master password length from pass properties

Postby MathijsRiezebos » Thu Nov 22, 2018 12:07 pm

Following this forum post, I want to submit a formal feature request:

Request
Please change your master password requirements to something more flexible.
I do understand that you need your master password to have a certain complexity, because you don't want it to be easily guessed by a machine or a social engineer, but I do not agree that a password must adhere to any specific requirement save for a minimum length. Length is very effective and does not necessarily decrease the user's ability to remember the password.

My proposed change was, according to my post in the [Feedback] section:
A requirements system for passwords in which the minimum password length depends on the number of optional requirements that are fulfilled.

Optional requirements:
  • Capital letters
  • lowercase letters
  • numbers
  • special characters ("!", "?", "@" etc.)
  • very special characters ("(", "{", "[", "¿", and any other character that is allowed)

Number of optional requirements fulfilled -> minimum password length:
1. 32
2. 22
3. 16
4. 12
5. 10

So, for instance, if someone uses only lowercase letters, numbers and special characters in their password, their minimum password length is 16 characters.

The idea is that this is implemented with a dynamic menu that lists the optional requirements on the right and visually/graphically emphasizes to the user that their usage of different types of characters decreases their minimum password length, which should also communicate to the user that a very long password can be just as safe as a very short password with lots of weird characters.

Additionally
Perhaps you could do an analysis on the "words" used in the password and the likelihood of a machine guessing these words as well. Because, arguably, passwords that use correctly spelled English words are way easier to guess by machines using dictionaries as I also calculated/explained in the [Feedback] section.
The possible password:

    th3qu1ckbr0wnf0xjump50v3rth3l@zyd0g

would be a lot harder to guess than:

    thequickbrownfoxjumpsoverthelazydog

even though common letter-for-character or -number substitutions are pretty well known.
  • Take the letters "a", "e", "i", "o" and "s" as commonly substituted letters (substituted by "@", "3", "1", "0" and "5"). According to this source, they make up +- 42% of all letters used in the English language.
    That means that, for every 5 letters in a password consisting of English words with possible common substitutions, the number of possibilities is approximately quadrupled.
    • For a password with length 30, the number of possibilities is then multiplied by 4096.
      Keep in mind that this example is only for 5 common substitutions. If you, for instance, substitute the t with 7 and/or the b with 8 or &, or use even more obscure substitutions, this multiplier keeps increasing.
Of course, this only really works if users do not consistently substitute but skip certain possible substitutions inside their passwords.
Using upper- and lowercase letters mixed can be even more efficient.
For instance:

    th3quickBrownf0xjump5ov3r7h3L@zydog

Would be super safe. But I'm actually starting to wonder how hard it would be to remember. I guess I drifted off-course a little. :)

Finally, based on this analysis, you could alter your password scores for the master password as well as vault-stored passwords for other sites and based on this score, perhaps the minimum length could also be re-calculated?¿?
MathijsRiezebos
 
Posts: 8
Joined: Thu Nov 22, 2018 4:14 am

Re: Dynamic minimum master password length from pass propert

Postby MathijsRiezebos » Fri Nov 23, 2018 4:22 am

EDIT:
A probably more accurate/functional list of minimum password length values would be as follows:

Number of optional requirements fulfilled -> minimum password length:
1. 22
2. 13
3. 9
4. 8
5. 8 (also for 6 or more optional requirements)

This would serve to illustrate to users even better how effective passphrase length is vs. adding extra characters to their password.

Note: of course if these numbers are too low for LastPass' standards, they can all be increased by, say, 3 or 4. The values here are just an example to illustrate the idea.
MathijsRiezebos
 
Posts: 8
Joined: Thu Nov 22, 2018 4:14 am
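The policy proposed in the first post, with both the original length table and the revised table from the follow-up post, written out as an added worked example (this is not LastPass code and not the poster's; it is added here to make the proposal concrete). Which characters count as "special" versus "very special" is an assumption made in this example, since the posts only give "!", "?", "@" and "(", "{", "[", "¿" as samples of each group; whitespace is not counted towards any requirement, which is also an assumption.

```python
import string

# Minimum length tables as given in the thread.
# key = number of optional requirements fulfilled, value = minimum master password length
ORIGINAL_TABLE = {1: 32, 2: 22, 3: 16, 4: 12, 5: 10}   # first post
REVISED_TABLE = {1: 22, 2: 13, 3: 9, 4: 8, 5: 8}       # follow-up post

# Assumption: the posts only list "!", "?", "@" as special characters, so this
# example treats the common shifted-digit symbols as "special" and every other
# printable non-alphanumeric character (brackets, "¿", ...) as "very special".
SPECIAL = set("!?@#$%&*")


def fulfilled_requirements(password: str) -> dict:
    """Return a mapping of the five optional requirements to whether the password fulfils them."""
    return {
        "capital letters": any(c.isupper() for c in password),
        "lowercase letters": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "special characters": any(c in SPECIAL for c in password),
        # Assumption: whitespace counts towards no requirement.
        "very special characters": any(
            not c.isalnum() and not c.isspace() and c not in SPECIAL
            for c in password
        ),
    }


def minimum_length(password: str, table: dict = REVISED_TABLE) -> int:
    """Look up the minimum length for the number of optional requirements fulfilled.

    A password fulfilling none of the requirements is treated like one fulfilling
    a single requirement (the strictest row). Counts above the largest row map to
    the largest row, as the follow-up post says for "6 or more".
    """
    fulfilled = sum(fulfilled_requirements(password).values())
    row = min(max(fulfilled, 1), max(table))
    return table[row]


def check_master_password(password: str, table: dict = REVISED_TABLE) -> tuple:
    """Return (accepted, actual_length, required_length) for the given table."""
    required = minimum_length(password, table)
    return (len(password) >= required, len(password), required)


def describe(password: str, table: dict = REVISED_TABLE) -> str:
    """Human-readable summary, the kind of feedback the proposed dynamic menu would show."""
    reqs = fulfilled_requirements(password)
    met = [name for name, ok in reqs.items() if ok]
    accepted, length, required = check_master_password(password, table)
    verdict = "accepted" if accepted else "rejected"
    return (f"{len(met)} requirement(s) fulfilled ({', '.join(met) or 'none'}); "
            f"length {length}, minimum {required}: {verdict}")


if __name__ == "__main__":
    # Sample passwords: the three from the thread plus two short constructed ones.
    for pw in ["thequickbrownfoxjumpsoverthelazydog",
               "th3qu1ckbr0wnf0xjump50v3rth3l@zyd0g",
               "th3quickBrownf0xjump5ov3r7h3L@zydog",
               "Passw0rd",
               "Tr0ub4dor&3"]:
        print(f"{pw!r}: {describe(pw)}")
```

Run stand-alone, the script shows the point the posts are making: the all-lowercase sentence fulfils only one requirement yet passes comfortably on length, while a short password that mixes three character classes is still rejected under the revised table.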

Re: Dynamic minimum master password length from pass propert

Postby jpenny84 » Fri Nov 23, 2018 1:06 pm

Let's keep this discussion to one thread please: viewtopic.php?f=6&t=317665
jpenny84
 
Posts: 8381
Joined: Tue Mar 06, 2012 9:10 pm
