Bug 163072

Summary: Password strength meter too high for short passwords
Product: [Frameworks and Libraries] kdelibs
Reporter: dionisus torimens <djtm>
Component: kwallet
Assignee: Unassigned bugs mailing-list <unassigned-bugs>
Status: RESOLVED WORKSFORME    
Severity: wishlist    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit:
Version Fixed In:

Description dionisus torimens 2008-06-02 16:11:35 UTC
Version:            (using KDE 4.0.4)
Installed from:    Ubuntu Packages
OS:                Linux

I can get an almost full strength bar with 5 characters and a full one with 6, even with the last two being equal numbers.

This gives a false sense of security.

Most experts agree that passwords should have at least 8 characters to be secure:
http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords ("12 to 14")
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html ("at least 8")
http://www.itd.umich.edu/itcsdocs/r1162/#guide ("at least 9")
http://news.bbc.co.uk/2/hi/science/nature/2061780.stm ("at least 8")
http://www.securityfocus.com/infocus/1537 (6-9)
http://www.microsoft.com/protect/yourself/password/create.mspx (8 or more, recommend 14 or more)

Comment 1 dionisus torimens 2008-06-06 06:13:36 UTC
Bug mostly fixed in KDE 4.1 beta1 AMD64 (Ubuntu).
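
The behaviour the report asks for, sketched as an added example (this is not kdelibs or KWallet code, and it is not the fix that shipped in KDE 4.1): a meter that caps the bar for passwords under 8 characters and does not credit a character that repeats the one before it. The function names, the 72-bit full-bar threshold and the 40% cap are assumptions chosen for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cmath>
#include <string>

// Assumed policy values for this example, not taken from kdelibs.
constexpr std::size_t kMinLength = 8;  // "at least 8" in the guidelines the report cites
constexpr double kFullBarBits = 72.0;  // assumed rough estimate that fills the bar
constexpr int kShortCap = 40;          // assumed ceiling for passwords under kMinLength

// Size of the character pool implied by the classes present.
// "other" approximates the 33 printable ASCII symbols and also catches non-ASCII bytes.
static int poolSize(const std::string& pw) {
    bool lower = false, upper = false, digit = false, other = false;
    for (unsigned char c : pw) {
        if (std::islower(c)) lower = true;
        else if (std::isupper(c)) upper = true;
        else if (std::isdigit(c)) digit = true;
        else other = true;
    }
    return (lower ? 26 : 0) + (upper ? 26 : 0) + (digit ? 10 : 0) + (other ? 33 : 0);
}

// Length with any character equal to its predecessor left out,
// so a trailing "77" counts as one character.
static std::size_t effectiveLength(const std::string& pw) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < pw.size(); ++i)
        if (i == 0 || pw[i] != pw[i - 1]) ++n;
    return n;
}

// Returns a 0..100 value for the strength bar.
int strengthPercent(const std::string& pw) {
    if (pw.empty()) return 0;
    // Rough upper-bound estimate: effective length times bits per character.
    double bits = effectiveLength(pw) * std::log2(static_cast<double>(poolSize(pw)));
    int pct = static_cast<int>(std::min(100.0, 100.0 * bits / kFullBarBits));
    // Length gate: a short password never gets past the cap, whatever its mix.
    if (pw.size() < kMinLength) pct = std::min(pct, kShortCap);
    return pct;
}
```

With these values, a six-character password ending in two equal digits stays at the cap, while the same character mix at eight distinct characters scores well above it.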