Lesspass: "The horror of LessPass"

Created on 17 Nov 2016  ·  3 Comments  ·  Source: lesspass/lesspass

The interviewee says:

Your goal is to make your password as random as possible, so anything that reduces randomness or entropy is going to reduce the effectiveness of your password

Is going to increase its bruteforceability

The Horror of LessPass - TWiT Netcast Network

Understanding our mistakes

We use patterns to create passwords with complex rules like _no consecutive vowels_ or _can't start with a number_.

We made two mistakes:

  • First, we did not understand at the beginning that the entropy of the generated password increases the bruteforceability of the master password. I took the idea of password templates from the masterpassword algorithm. We misunderstood and took for granted what we read.
  • Second, we defined cvCVns (consonants, vowels, etc.) as the default template instead of a more random one such as x (the full character set).

On Open Source

And for anyone who thinks they do well at first, or who thinks that Open Source does not help: on the contrary, we believe that nobody does well at first, and thanks to the community's scrutiny and critical studies of the code, this kind of tool becomes more robust the longer it lives.

How It Feels

The video is obviously a setback for us, especially after the euphoric past week where we went from ~100 to 1600+ stars, but we are glad that people review our code in depth and that this came up early on.

Actions

We will use the full alphabet in the next version by default. We will probably increase the default length of generated passwords.

So in the future, we will describe (with drawings) the future algorithm and its implementation. We will simplify the code to help everyone understand how it works. And we hope you will keep your eyes peeled for mistakes and stay critical of the code.

Best :heart:

security

All 3 comments

Hi @guillaumevincent, You'll probably have to devise a strategy for people to transition to the new algorithm from the previous one. So that they can still generate their previous password while being able to use the new algorithm (the typical scenario is for people wanting to change their password again using the new password).

Hi @abe33, here is the strategy we discussed with @edouard-lopez:

  • The interface will change and offer the possibility of generating a password with version 1 of LessPass or version 2 (PBKDF2 with 100k iterations, the full alphabet, and a fix for https://github.com/lesspass/lesspass/issues/84). Version 1 will be active by default, with a warning of a future change.
  • All the passwords saved on the connected version will include the information needed to regenerate passwords correctly. And when connected, it will use version 2 for new passwords. So no change for connected passwords.
  • Provide users with the ability to change their master passwords and migrate to the new version. https://github.com/lesspass/lesspass/issues/36

If you think there is a better way, do not hesitate.
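To make the two points in this thread concrete (the post's observation that a cvCVns template shrinks the output space compared with the full character set, and the comment's plan to keep a version 1 generator callable next to a PBKDF2-based version 2), here is an added example. It is not LessPass's own code: the character classes, the salt layout, and the use of a single SHA-256 as the stand-in for "version 1" are all assumptions made for illustration; only the PBKDF2 with 100k iterations and the full-alphabet default follow the comment.

```python
# Added illustration, not LessPass's own code: a toy versioned deterministic password
# generator plus an entropy accounting of template vs full-alphabet output.
import hashlib
import math
import string

# Constructed character classes for the template letters used on the page (c, v, C, V,
# n, s, x). The exact sets in LessPass v1 may differ; these are assumptions.
_VOWELS = "aeiouy"
_CONSONANTS = "".join(ch for ch in string.ascii_lowercase if ch not in _VOWELS)
_SYMBOLS = "@&%?,=[]_:-+*$#!'^~;()/."
CLASSES = {
    "c": _CONSONANTS,
    "v": _VOWELS,
    "C": _CONSONANTS.upper(),
    "V": _VOWELS.upper(),
    "n": string.digits,
    "s": _SYMBOLS,
    "x": string.ascii_letters + string.digits + _SYMBOLS,  # the full set
}


def expand_template(template: str, length: int) -> str:
    """Cycle the template letters (e.g. 'cvCVns') until `length` positions are filled."""
    return "".join(template[i % len(template)] for i in range(length))


def template_entropy_bits(template: str, length: int) -> float:
    """Size, in bits, of the output space an attacker must search when each position is
    drawn uniformly from its class. A deterministic generator can never produce more
    than this, whatever the entropy of the master password feeding it."""
    return sum(math.log2(len(CLASSES[t])) for t in expand_template(template, length))


def derive_password(master: str, site: str, login: str, *, version: int,
                    template: str = "x", length: int = 16,
                    iterations: int = 100_000) -> str:
    """Map a versioned digest onto the template.

    version 1 (hypothetical stand-in for the old scheme): one SHA-256 over the inputs.
    version 2: PBKDF2-HMAC-SHA256 with `iterations` rounds, as the comment describes.
    Keeping both callable is what lets a user regenerate an old password and then
    switch the site over to a version 2 one.
    """
    salt = f"{site}\x00{login}".encode()
    if version == 1:
        digest = hashlib.sha256(salt + b"\x00" + master.encode()).digest()
    elif version == 2:
        digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    else:
        raise ValueError(f"unknown version {version}")
    # Consume the digest as one big integer; successive divmod by the class size picks
    # one character per position (bias is negligible for a 256-bit integer and these
    # class sizes, and 16 full-alphabet characters use ~103 of the 256 bits).
    n = int.from_bytes(digest, "big")
    out = []
    for t in expand_template(template, length):
        pool = CLASSES[t]
        n, idx = divmod(n, len(pool))
        out.append(pool[idx])
    return "".join(out)


def matches_template(password: str, template: str) -> bool:
    """True if every character of `password` is in the class its template position demands."""
    return len(password) > 0 and all(
        ch in CLASSES[t] for ch, t in zip(password, expand_template(template, len(password)))
    )


if __name__ == "__main__":
    for tpl, n in (("cvCVns", 12), ("x", 12), ("x", 16)):
        print(f"{tpl:>6} x{n}: {template_entropy_bits(tpl, n):6.1f} bits")
    old = derive_password("correct horse", "example.com", "alice",
                          version=1, template="cvCVns", length=12)
    new = derive_password("correct horse", "example.com", "alice", version=2)
    print("v1 (template):     ", old)
    print("v2 (full alphabet):", new)
```

With these constructed classes a 12-character cvCVns password has about 43 bits of output entropy, while 12 full-alphabet characters have about 77 bits and 16 have about 103: the template, not the master password, is the ceiling. The `version` parameter is the transition mechanism the comment asks for; a stored site entry would carry it so the old password can be regenerated once more before the account is moved to version 2.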

Closing, the new version is online.
