Password strength

Hello, i think that passwords used in syncthing should have some basic quality checking before being applied.

Currently it is quite easy to accidentaly sync data to untrusted node with very weak password (eg. single lowercase character). Which in some cases might be hard or impossible to undo (once you leak data, you cannot unleak them).

I think there should be 3 modes:

CARELESS: any password will do

MEDIUM: at least 8 characters, at least one numeric character, at least one letter

HIGH: at least 10 characters, at least one numeric, at least one lower case letter, at least one upper case letter, at least one special character

User would be able to choose from these modes in ADVANCED configuration menu. With MEDIUM being the default. It would be possible to configure different mode separately for data encryption and for login to web GUI.

So i can have eg.: Medium for data encryption and High for UI login.

That way if people want to use something less than MEDIUM strength, they would need to go through all the red warnings and exclamation marks that are in advanced config menu.

1 Like

Any requirements on “types of characters” will not make it into Syncthing without explicitly overruling me - though I don’t think that’s a realistic scenario, I would guess my co-maintainers are on the same page here.

A minimum password length, against “accidental” entry, maybe.
I am generally not a fan of any password requirements, because people that use shitty passwords will also have shitty security hygene anyway - “123456789abcdefg” isn’t much better than “ciwm”, and the former passes a length test, the latter not. Basically anyone should use a PW manager and we won’t ever have to think about this annoying topic again.

4 Likes

Me neither. However in syncthing it seems almost too easy to share data encrypted by shitty password.

It seems to me that required password complexity is usualy inversly proportional to severity of protected data. My bank has relatively low upper limit for password strength, while registering on some random blog will require 128 characters, while some of them being mandarin. I think syncthing would deserver at least some basic mollyguard. But i absolutely think we should not go overboard with this. Put too much limits on password strength and people will come up with shitty passwords and shitty ways to manage them just because such passwords are hard to remember.

Well. Might make sense. Just put two integers to the advanced config. Length of GUI password and length of encryption password. They can default to 8 or 10, but user will be able to set anything else if needed.

1 Like

I am happy with the suggestion of using some policy, whatever the policy may be is up for discussions.

We already have enough useless knobs in the config, I don’t think we should add new ones.

3 Likes

Me neither. However I would be fine with adding a strength indicator in the UI and showing a validation warning of some kind when the password entropy (measured however we like) is too low.

4 Likes

“Good” password strength meters are hard. Really hard.

Lots of work has been done on this topic, for example (just picking some papers I’ve read):

Without going into details, conclusive results seem to show that there are “good” and “bad” password meters. The effect of a password meter is mostly based on its evaluation algorithm - graphical features hardly matter.

Effectively, password meters do increase security. However, for many simple password meters the effect can be marginally low (studies tend to disagree a little here). More advanced password meters (such as these based on Markov Models or other advanced analysis such as including dictionaries) can show much better results, but your usability starts dropping significantly - especially if the password meter is enforced, but even non-enforced has usability implications. There’s definetly a point where loss of usability exceeds the security gain, at which point users will just attempt to circumvent your system.

So designing “the perfect password strength meter” seems like a really difficult task. I’m not saying that “you shouldn’t do this”, but this needs to be done carefully. A too simple password meter has questionable value, and a too strict one kills your usability.

In general for those who want good passwords on their syncthing UI, I highly recommend a password manager. This provides the best overall security.

2 Likes

“My bank has relatively low upper limit for password strength, while registering on some random blog will require 128 characters”

THIS. Why is it that out of all the websites out there, banks almost always have the worst password requirements? At one point my bank had a MAX of 12 characters for a password.

I agree completely that when it comes to password requirements, a light touch is the best approach. A call center I used to work at made us change our login every 60 days. Nobody is going to remember a new, complex password every other month. So most people came up with really shitty passwords that totally defeated any added security offered by frequent changes. I think a minimum of like 4 characters would be alright, with a password strength suggestion thing.

1 Like
2 Likes

I’d add that they also often restrict the allowed characters very much, so even if you do use a password manager, you need to use a custom string with a limited range, because they won’t accept any special characters beyond the very basic ones.

In my case, the banks also often require you to use a mouse to input the passwords by clicking on a special mixed-up screen keyboard, so you cannot even copy and paste them from the password manager.

Just an off-topic digression caused by seeing banks mentioned, with which I’ve got to deal on a daily basis :exploding_head:.

1 Like

This is all fascinating. I don’t think any bank in Sweden has used passwords for login since i came of banking age, ie the last 25 years. It was always OTP, first from printed sheets mailed out, then from a physical electronic token and nowadays a certificate based app thingy. (And I remember the time when paying rent meant going to the post office and standing in line to physically hand over the bill and cash to make the transfer… :greybeard:)

1 Like

I hope there is a special place in hell for the people who came up with this.

Back to topic: i’m fine with a pure cosmetical indicator. I don’t see why we should restrict something here. If the user wants to use a bad password even if we warned him, we should let him. It’s the security of his files.

1 Like

I’ve never said we should restrict users againts their will. I’ve said that restrictions should be in place, unless the user is very aware about his decision to share his home made porn with Bezos and Zuckerberg. Confirming this by explicitly going to advanced settings and enabling checkbox labeled “i want Bezos and Zuckerberg to have photos of my peepee”. not just by accidentaly clicking on some unobtrusive button in share settings.

1 Like

https://www.schneier.com/blog/archives/2021/11/why-i-hate-password-rules.html

2 Likes

Lots of replies here! Mostly about whether passwords can be characterized as good or bad and whether a user should be forced to use a good one.

  1. I liked the idea of passively giving an indication about what password has been entered, but not enforcing anything.

  2. More capricious configuration (careless, medium, high) requires a user to understand and figure out what exactly each means - I hit this annoyance all the time in Microsoft products. If planning to do this, don’t. Instead of the user choosing security with 3 levels, instead just let the user choose security with the password they choose - sans any configuration setting oversight and complication.

3 Likes

Obviously, no-one will be able to tell you unless you share the password, which would also make it invalid, so… I’d suggest to use a local password manager (e.g. KeePass), which will tell you how strong the password is.

Also, you can stumble upon some websites that let you input the password telling you how strong it is, but I personally wouldn’t trust them (i.e. not regarding the strength, but inputting your password on such a site in general is not a good security practice).