Add configurable password strength check on database password #9782
Conversation
Looks good to me! @phoerious
A security-aware user would use the available strength indicator and set a strong password anyway. A security-unaware user would not be aware of this setting either. They would need someone to set it for them. So I see very little utility to this if the default is 0. If this affects only the master password, maybe better set it to 3 by default? Or hardcode it: simply don't accept a master password that is less than Good.
Has to be a setting and it also has to be overrideable at the point of alert. For example, all my test databases have the password
I agree. I was a bit conservative about this new feature so I proposed it as an opt-in, but surely setting the default to 3 is more secure by default. So, in the last changes, database passwords are rejected unless they are Good. Users can override this feature by adding the
We were also considering a warning when the password is less than optimal. That could be added the same way with a default of at least 3.
I think now it should be ok! I was having some issues in passing tests since the new warning dialog wasn't expected. I changed Sorry for the tons of commits! 😅
Branch force-pushed from f2d9bee to ff742fa
Hi, will this be included in the next version of KeePassXC?
Branch force-pushed from ff742fa to d889065
Most likely, we aren't in a rush to release the next version.
Will get this in very soon, sorry for the wait
Don't see it in version 2.7.7, or am I missing something? Thanks
This feature was not backported to 2.7.7
We would have needed this to get approval for distribution within the company. When is this planned for, please?
As of right now, 2.8.0, but we may end up doing a 2.7.8.
* Set default value of DatabasePasswordMinimumQuality to 3 (do not accept a master password that is less than Good)
* Add custom message box button "Continue with weak password"
Don't see this feature in the change log for 2.7.8, I guess it did not make it yet?
It did, just missed the text
Great, thanks for that! It is a bit confusing that with enforced password handling you will first get the prompt stating "weak password... do you really want to ....." and only after you click on "yes" you get the "bad password" message; this could already have been the initial message. But this is only nice to have. Thanks again!
I am sorry to ask, but I don't get it to work. Version 2.7.8. Added "DatabasePasswordMinimumQuality=3" to [Security] in keepassxc.ini located in the Roaming folder. The warning for a weak password appears, but after this it is not being rejected.
It's on by default, and if you see the warning message, then it is working fine. There is a slight bug when editing encryption settings: the warning appears erroneously.
That was not implemented by choice
OK, I was a little bit confused due to the comment of WernerMue. Thanks for the assist and for your application.
Sorry, I was mistaken, it is implemented. The setting needs to be:
Where 2 corresponds to Weak; it can be anything less than 4. You will need to restart the application after manually editing the config file. Also, you need to acknowledge the weak password dialog first with this implementation.
I tried this on 3 different devices now. I am not able to make this function work.
I remember I had something similar and had to add it to the second keepass.ini file in Local as well, not only in the Roaming AppData directory. I thought that I messed something up while testing and did not care, but maybe it is worth a try.
Hi @itsenaf, to properly set the restriction of the minimum password quality for the database, you should add the following lines into the local configuration file (not in Roaming):

```ini
[Security]
DatabasePasswordMinimumQuality=2
```

If you want, you can also use this PowerShell script I made some time ago to enforce specific settings into the configuration of KeePassXC.
Worked! Thank you so much. Also for your script.
This is fixed on the develop branch
Hello everyone. I am still confused about how to implement or configure this. Can you give me a short description of where to go and what to paste and do?
I still don't understand the process
Are you managing the application for an enterprise? If not, then don't worry about this. If so, read the first post; it is very clear.
Yes, I will be managing it for an enterprise.
Hi @Learninginfo, please refer to this comment.
I see this but am not sure how it works. I have to write documentation on how the admin of the enterprise will manage it.
Fixes: #8190
KeePassXC does not provide a way to enforce the minimum strength of the database password, allowing users to pick easy-to-crack passwords.
Although I see the point of @droidmonkey (#8190), I also believe that quality checks on the master password may be useful, especially when one wants to advocate the usage of this tool to non-security-aware users.
For this reason, I added a new setting in the configuration file to enforce the minimum quality that a database password must have in order to be accepted, as follows:
The values of DatabasePasswordMinimumQuality map to the values of PasswordHealth::Quality.
This setting is set to 0 by default, meaning that the behaviour of KeePassXC won't change when creating/changing the password database. However, it can be enabled with the appropriate value when needed.
Testing strategy
Manual testing
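As an added example (not code from this PR or from the KeePassXC project), the following Python script covers both the setting described in the PR description above and the enterprise-deployment advice given in the thread (write DatabasePasswordMinimumQuality into the [Security] section of the local keepassxc.ini, then restart): it audits an existing ini for a required level and rewrites it if needed, keeping key case intact because QSettings keys are case-sensitive and Python's configparser lower-cases keys unless told not to. Assumptions: the mapping of the numeric levels to the names Bad/Poor/Weak/Good/Excellent (the thread confirms only 2 = Weak and 3 = Good), the %LOCALAPPDATA%\KeePassXC\keepassxc.ini path as the "local" file, and the sample ini text, which is constructed for the example.

```python
"""Enforce and audit DatabasePasswordMinimumQuality in a keepassxc.ini file.

Added example; not part of KeePassXC or this PR.
"""
import configparser
import io
import os
import sys
from pathlib import Path

# Numeric levels accepted by the setting. The thread confirms 2 = Weak and
# 3 = Good; the names for 0, 1 and 4 are an assumption for this example.
QUALITY = {0: "Bad", 1: "Poor", 2: "Weak", 3: "Good", 4: "Excellent"}

# Assumed location of the *local* (non-roaming) config on Windows, which the
# thread reports as the file where this setting took effect.
LOCAL_INI = Path(os.environ.get("LOCALAPPDATA", "")) / "KeePassXC" / "keepassxc.ini"

# Constructed sample of a keepassxc.ini with the check effectively disabled.
SAMPLE_INI = """[General]
ConfigVersion=2

[Security]
ClearClipboardTimeout=10
DatabasePasswordMinimumQuality=0
"""


def _load(ini_text: str) -> configparser.ConfigParser:
    """Parse keepassxc.ini text without mangling it.

    QSettings keys are case-sensitive, so configparser's default lower-casing
    (optionxform) is disabled; interpolation is off so '%' in values is literal.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp


def current_minimum(ini_text: str):
    """Return the configured minimum quality, or None if the key is absent."""
    cp = _load(ini_text)
    if not cp.has_option("Security", "DatabasePasswordMinimumQuality"):
        return None
    return cp.getint("Security", "DatabasePasswordMinimumQuality")


def enforce(ini_text: str, level: int) -> str:
    """Return ini text with [Security] DatabasePasswordMinimumQuality=<level>.

    Every other section and key is preserved; level must be a known value.
    """
    if level not in QUALITY:
        raise ValueError(f"level must be one of {sorted(QUALITY)}, got {level!r}")
    cp = _load(ini_text)
    if not cp.has_section("Security"):
        cp.add_section("Security")
    cp.set("Security", "DatabasePasswordMinimumQuality", str(level))
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # Key=Value, as in keepassxc.ini
    return out.getvalue()


def audit(ini_text: str, required: int):
    """Check a config against a required minimum. Returns (compliant, current)."""
    current = current_minimum(ini_text)
    compliant = current is not None and current >= required
    return compliant, current


def enforce_file(path: Path, level: int) -> None:
    """Rewrite (or create) the ini file on disk with the enforced level."""
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(enforce(text, level), encoding="utf-8")


if __name__ == "__main__":
    # Usage: python enforce_kpxc_quality.py [level] [path-to-keepassxc.ini]
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 3  # 3 = Good, the merged default
    target = Path(sys.argv[2]) if len(sys.argv) > 2 else LOCAL_INI
    before = target.read_text(encoding="utf-8") if target.exists() else ""
    ok, cur = audit(before, wanted)
    print(f"{target}: current={cur} ({QUALITY.get(cur, 'unset')}), compliant={ok}")
    if not ok:
        enforce_file(target, wanted)
        print(f"set DatabasePasswordMinimumQuality={wanted} ({QUALITY[wanted]}); restart KeePassXC")
```

The script accepts the full 0..4 range; the maintainer's comment in the thread says the value can be anything less than 4, and 3 (Good) is the default the PR shipped with, so use 3 unless you deliberately want to require Excellent. As the thread notes, the edited file is only re-read when KeePassXC restarts, and with this implementation the user still sees the weak-password dialog before the rejection.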