I’m the creator of LessPass, a deterministic password generator.
The core of LessPass is not very complicated.
I have two methods, calc_entropy and render_password:
calc_entropy transforms the master password + site + login into a very large integer that I call entropy (I don't know if it is the right term, but it represents my amount of randomness in the system). It uses PBKDF2 with 100k iterations.
render_password uses/consumes this entropy. I have a loop that picks a character from a list of the desired characters using the remainder of a long division.
To make sure there is a char for each rule (lowercase, uppercase, digits, symbols), I always pick one character for each rule and insert it in a pseudo-random way into the generated password.
The details of the algorithm, with an example, are available here.
LessPass allows its users to save profiles for their generated passwords on a server, to avoid having to remember site rules. A profile looks like this:
{
    "login": "my_login",
    "site": "www.exemple.org",
    "lowercase": false,
    "uppercase": false,
    "symbols": false,
    "digits": true,
    "counter": 1,
    "size": 6
}
I want to introduce a new feature: allowing the import of passwords from other password managers.
Imagine that my old password for www.example.org is foobar.
I can generate a very large number which, after passing through the function render_password, generates the password foobar (randomly generated entropy).
I want to store in the password profile the difference between the real entropy and a randomly generated entropy which, passed through render_password, generates foobar.
To generate the old password, I calculate the entropy, apply the diff, then render the password.
I did a naive PoC here.
If you have read this far, thank you!
My question: to what extent do I increase the brute-forceability of the master password if an attacker stole the LessPass database (he knows the diff) and stole the user's password (he knows foobar), compared to just knowing the foobar password?
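To make the two methods and the import trick concrete, here is an added, self-contained Python illustration. It is not LessPass's own code or the author's PoC: the PBKDF2 variant (HMAC-SHA256, 32-byte output), the salt layout (site + login + hex counter), the character-set order, and the way a "random" entropy rendering to a given password is found (inverting the long-division loop with a mixed-radix encoding and then padding the never-consumed high-order part with fresh random bits) are all assumptions made for this example.

```python
"""Simplified LessPass-style generator plus the entropy-diff import idea.

Added illustration only (not LessPass's code). Assumed: PBKDF2-HMAC-SHA256 with a
32-byte output, salt = site + login + hex(counter), this character-set order, and
mixed-radix inversion to build an entropy that renders a chosen password.
"""
import hashlib
import secrets

CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
RULE_ORDER = ("lowercase", "uppercase", "digits", "symbols")
ITERATIONS = 100_000  # the post states PBKDF2 with 100k iterations


def calc_entropy(master_password, site, login, counter=1):
    """Stretch master password + site + login into one large integer."""
    salt = f"{site}{login}{counter:x}".encode()  # assumed salt layout
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             ITERATIONS, dklen=32)
    return int.from_bytes(dk, "big")


def _consume(entropy, radix):
    """Remainder is the choice in [0, radix); quotient is the leftover entropy."""
    quotient, choice = divmod(entropy, radix)
    return choice, quotient


def _enabled(rules):
    enabled = [name for name in RULE_ORDER if rules.get(name)]
    if not enabled:
        raise ValueError("at least one character rule must be enabled")
    return enabled


def render_password(entropy, rules, length):
    """Consume entropy by long division to build a password of `length`."""
    enabled = _enabled(rules)
    if length < len(enabled):
        raise ValueError("length too short to hold one char per rule")
    alphabet = "".join(CHARSETS[name] for name in enabled)
    chars = []
    # Phase 1: free positions drawn from the union of the enabled sets.
    for _ in range(length - len(enabled)):
        idx, entropy = _consume(entropy, len(alphabet))
        chars.append(alphabet[idx])
    # Phase 2: one guaranteed char per rule, inserted at an entropy-chosen position.
    for name in enabled:
        idx, entropy = _consume(entropy, len(CHARSETS[name]))
        pos, entropy = _consume(entropy, len(chars) + 1)
        chars.insert(pos, CHARSETS[name][idx])
    return "".join(chars)


def entropy_for_password(password, rules, length):
    """Invert render_password: a random-looking entropy that renders `password`."""
    enabled = _enabled(rules)
    alphabet = "".join(CHARSETS[name] for name in enabled)
    if len(password) != length:
        raise ValueError("password length does not match the profile")
    if any(c not in alphabet for c in password):
        raise ValueError("password uses characters outside the enabled rules")
    chars = list(password)
    rule_choices = []
    # Undo phase 2 backwards: remove one char per rule, last rule first.
    for name in reversed(enabled):
        candidates = [i for i, c in enumerate(chars) if c in CHARSETS[name]]
        if not candidates:
            raise ValueError(f"password has no {name} character")
        pos = secrets.choice(candidates)  # any valid split works; pick one at random
        ch = chars.pop(pos)
        rule_choices.append((CHARSETS[name].index(ch), len(CHARSETS[name]),
                             pos, len(chars) + 1))
    # Replay the choices in the order render_password consumes them.
    choices = [(alphabet.index(c), len(alphabet)) for c in chars]
    for idx, idx_radix, pos, pos_radix in reversed(rule_choices):
        choices += [(idx, idx_radix), (pos, pos_radix)]
    entropy, radix_product = 0, 1
    for value, radix in choices:  # mixed-radix encoding of the divmod sequence
        entropy += value * radix_product
        radix_product *= radix
    # Anything above radix_product is never consumed, so pad it with random bits.
    return entropy + radix_product * secrets.randbits(256)


def make_import_diff(master_password, site, login, counter, rules, length,
                     old_password):
    """Value to store in the profile: real entropy minus the forged entropy."""
    real = calc_entropy(master_password, site, login, counter)
    return real - entropy_for_password(old_password, rules, length)


def regenerate(master_password, site, login, counter, rules, length, diff):
    """Recompute the entropy, apply the stored diff, render the old password."""
    entropy = calc_entropy(master_password, site, login, counter) - diff
    return render_password(entropy, rules, length)


if __name__ == "__main__":
    rules = {"lowercase": True}  # constructed profile: lowercase only, length 6
    diff = make_import_diff("master", "www.example.org", "my_login", 1, rules, 6, "foobar")
    print(regenerate("master", "www.example.org", "my_login", 1, rules, 6, diff))
```

The import only works when the profile's rules and length actually describe the old password (every character must belong to an enabled set and each enabled set must appear at least once), so a profile like the one above (digits only, size 6) cannot hold "foobar"; entropy_for_password rejects that with a ValueError rather than storing an unusable diff.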