2.6 Basic Configuration—Strength Estimate

fritzophrenic edited this page Jul 1, 2016 · 10 revisions

Status bar

This progress bar displays an estimated strength of passwords generated by the current configuration.

This strength matches the method of generation, not necessarily the passwords themselves. If you get so unlucky as to randomly generate the password "password password password", then your password is NOT strong, no matter what this strength meter says.

Normally, however, this meter will show you a fairly accurate strength. Note that the built-in entropy estimate from KeePass itself will often be higher than the value shown here. That is because KeePass's entropy meter assumes a brute-force attack over all the characters in your password. In reality, a word-based password will be guessed by combining words, so the strength meter in this plugin reflects that attack method.

Strength estimate for most passwords

The strength of your password is determined from the calculated password entropy as follows, to match the quality estimate given by the KeePass author:

| Bits | Strength | Should protect you from...¹ |
|---|---|---|
| 0-64 | Very weak | ...a person typing your password when you step away from your computer. |
| 64-80 | Weak | ...an individual hobbyist or researcher for a few years, or a large organization/agency² for a few months. |
| 80-112 | Moderate | ...a large organization/agency² for the next several years. |
| 112-128 | Strong | ...a large organization/agency² for decades or more. |
| ≥ 128 | Very strong | ...just about anything² for the foreseeable future. |

Note that these strengths assume very fast cracking speeds in an off-line attack. This is probably a good assumption for most websites, where you can't know how secure their password storage system is.

Securely stored passwords

However, for systems you KNOW are secure, such as the master password for most reputable password managers, something like this may be more accurate:³

| Bits | Strength | Should protect you from... |
|---|---|---|
| 0-36 | Very weak | ...a person typing your password when you step away from your computer. |
| 36-50 | Weak | ...an individual hobbyist or researcher for a few years, or a large organization/agency² for a few months. |
| 50-64 | Moderate | ...a large organization/agency² for the next several years. |
| 64-90 | Strong | ...a large organization/agency² for decades or more. |
| ≥ 90 | Very strong | ...just about anything² for the foreseeable future. |

Since Word Sequencer does not know where you'll be using these passwords, and since the first table is what comes with KeePass itself, the first table is the one used for the strength bar.


¹ KeePass's strength categories are based on the ECRYPT II Yearly Report on Algorithms and Keysizes, which implies this level of protection in its rating of various encryption key strengths. It is also easy enough to calculate estimated times to crack based on 350 billion guesses/second for researchers and 1 trillion guesses/second for large organizations. Those numbers were probably decent estimates in 2013 for how many guesses an attacker could throw at a stolen database, and can be roughly scaled using Moore's Law for the present day.

² If you are unlucky enough for a coordinated criminal organization or government agency to target you specifically, a strong password probably isn't actually going to help that much. Your password may be safe from a brute-force attack; however, targeted attackers such as these are more likely to simply hit you with a zero-day browser exploit to install KeeFarce or some other specialized attack, or to use less subtle methods. That said, if a sophisticated gang steals your email provider's hashed password database and is only doing a bulk attack to grab as many credentials as possible from the stolen database, the password strength can be important, as shown above.

³ A good password hash such as bcrypt can decrease cracking speeds from hundreds of billions or more guesses per second down to a few million guesses per second or slower for security researchers. This HUGE slow-down makes all the difference in the world: passwords crackable NOW in a few days with a weak hash could take centuries with a good hash. The table for "securely stored passwords" was generated assuming a researcher can do about 10 million guesses per second, based on the fact that in 2012 a speed of about 71,000 bcrypt guesses/second was achieved, and both methods and hardware have improved since then.
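As an added worked example (not code from the plugin or this wiki), the following Python puts the two tables above and the guess rates from footnotes ¹ and ³ side by side, so you can see how the same word-sequence entropy is rated under a fast hash versus bcrypt. The word-sequence entropy formula assumes each word is drawn uniformly and independently from a word list the attacker also has, which is the combining-words attack model the page describes; the 8192-word dictionary is a constructed sample value.

```python
import math

# Guess rates the page's footnotes use (guesses per second): 350 billion and
# 1 trillion against a fast hash (footnote 1), about 10 million against bcrypt (footnote 3).
RATES = {
    "researcher, fast hash": 350e9,
    "large organization, fast hash": 1e12,
    "researcher, bcrypt": 10e6,
}

# Category thresholds from the two tables: (exclusive upper bound in bits, label).
FAST_HASH_TABLE = [(64, "Very weak"), (80, "Weak"), (112, "Moderate"),
                   (128, "Strong"), (math.inf, "Very strong")]
SLOW_HASH_TABLE = [(36, "Very weak"), (50, "Weak"), (64, "Moderate"),
                   (90, "Strong"), (math.inf, "Very strong")]


def rate_strength(bits, table=FAST_HASH_TABLE):
    """Map an entropy estimate to a table label; the plugin's bar uses the fast-hash table."""
    return next(label for upper, label in table if bits < upper)


def word_sequence_entropy(num_words, dictionary_size):
    """Entropy of the generation method (assumption: words drawn uniformly and
    independently from a dictionary of dictionary_size words known to the attacker)."""
    return num_words * math.log2(dictionary_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: on average half the space is searched."""
    return 2.0 ** (bits - 1) / guesses_per_second


def human_duration(seconds):
    """Render a duration with one readable unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(num_words, dictionary_size):
    """Strength label under both tables plus expected crack time at each rate."""
    bits = word_sequence_entropy(num_words, dictionary_size)
    return {"bits": bits,
            "fast_hash_label": rate_strength(bits, FAST_HASH_TABLE),
            "slow_hash_label": rate_strength(bits, SLOW_HASH_TABLE),
            "crack_time": {who: human_duration(expected_crack_seconds(bits, r))
                           for who, r in RATES.items()}}


if __name__ == "__main__":
    for words in (4, 6, 10):  # constructed sample: 8192-word list, 13 bits per word
        print(words, "words:", report(words, 8192))
```

Four words from an 8192-word list rate "Very weak" against a fast hash (under an hour at a trillion guesses per second) but "Moderate" against bcrypt (years at ten million guesses per second), which is exactly why the page keeps the two tables separate.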