The interview went on to say:

> Your goal is to make your password as random as possible, so anything that reduces randomness or entropy is going to reduce the effectiveness of your password.
> It is going to increase its brute-forceability.
The Horror of LessPass - TWiT Netcast Network
We use patterns to create passwords with complex rules like _no consecutive vowels_ or _can't start with a number_.
We made two mistakes:

1. masterpassword algorithm. We misunderstood and took for granted what we read.
2. `cvCVns` as template by default (consonants, vowels, etc.) instead of a more random one such as `x` (full character set).

And for anyone who thinks they do well at first, or who thinks that Open Source does not help: on the contrary, we believe that nobody does well at first, and thanks to the community's scrutiny and critical studies of the code, this kind of tool becomes more robust the longer it lives.
The video is obviously a setback for us, especially after the euphoric past week where we went from ~100 to 1600+ stars, but we are glad that people review our code in depth and this came up early on.
We will use the full alphabet in the next version by default. We will probably increase the default length of generated passwords.
So in the future, we will describe (with drawings) the future algorithm and its implementation. We will simplify the code to help everyone understand how it works. And we hope you will keep your eyes peeled for mistakes and stay critical of the code.
Best :heart:
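To make the entropy argument in the comment above concrete, here is an added example (not LessPass's or Master Password's own code) that renders a password from a template such as `cvCVns` versus `xxxxxx`, counts the bits each template actually carries, and shows how a template cuts the search space an attacker has to cover. The character classes, the symbol set `s`, the `render`/`template_bits`/`search_space`/`matches_template` helpers and the PBKDF2 seed are all assumptions made for this illustration, not the project's real definitions.

```python
import hashlib
import math

# Character classes, assumed for this example (loosely modelled on template
# letters of the Master Password scheme; not LessPass's exact sets).
CLASSES = {
    "c": "bcdfghjklmnpqrstvwxyz",   # lowercase consonant
    "v": "aeiou",                   # lowercase vowel
    "C": "BCDFGHJKLMNPQRSTVWXYZ",   # uppercase consonant
    "V": "AEIOU",                   # uppercase vowel
    "n": "0123456789",              # digit
    "s": "!@#$%^&*()",              # symbol set, assumed here
}
# "x": any character from the union of all classes (72 characters in total)
CLASSES["x"] = "".join(CLASSES[k] for k in "cvCVns")


def template_bits(template: str) -> float:
    """Bits of entropy of a password drawn uniformly from `template`,
    assuming every position is chosen independently within its class."""
    return sum(math.log2(len(CLASSES[t])) for t in template)


def search_space(template: str) -> int:
    """Number of distinct passwords the template can produce; this is the
    size of the keyspace an attacker who knows the template must search."""
    return math.prod(len(CLASSES[t]) for t in template)


def render(template: str, derived: bytes) -> str:
    """Map derived key material onto the template, one byte per position.
    `byte % len(class)` is slightly biased for class sizes that do not divide
    256; it is enough to show the structural leak, not a production generator."""
    if len(derived) < len(template):
        raise ValueError("not enough derived bytes for the template")
    return "".join(CLASSES[t][b % len(CLASSES[t])] for t, b in zip(template, derived))


def matches_template(password: str, template: str) -> bool:
    """True if `password` could have been produced by `template`. An attacker
    uses this to discard candidates (or to confirm a generator's pattern)."""
    return len(password) == len(template) and all(
        ch in CLASSES[t] for ch, t in zip(password, template)
    )


if __name__ == "__main__":
    # Constructed seed: real tools derive this from master password + site.
    derived = hashlib.pbkdf2_hmac("sha256", b"master", b"example.org", 1000, 32)

    for template in ("cvCVns", "xxxxxx", "x" * 12):
        print(f"{template:12} -> {render(template, derived):12} "
              f"{template_bits(template):6.2f} bits, "
              f"{search_space(template):>15,} candidates")
    # cvCVns yields ~20 bits (1.1 million candidates); xxxxxx yields ~37 bits
    # for the same length, which is why the default template and the default
    # length both matter.
```

Run it and compare the last two columns: the patterned template is roughly 126,000 times smaller than the full-alphabet template of the same length, and `matches_template` is the filter an attacker applies once the pattern is known.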
Hi @guillaumevincent, You'll probably have to devise a strategy for people to transition to the new algorithm from the previous one. So that they can still generate their previous password while being able to use the new algorithm (the typical scenario is for people wanting to change their password again using the new password).
Hi @abe33, here is the strategy we discussed with @edouard-lopez:
If you think there is a better way, do not hesitate
I'm closing this, the new version is online.