TeamPasswordManager's password generator is biased
Heine Wed, 2021/07/07 - 16:42
While testing the password generator of the password manager TeamPasswordManager, I noticed that the frequency distribution of characters deviates from what one would expect. So much so, in fact, that the bias is obvious on visual inspection.
To reproduce (a demo is available at https://teampasswordmanager.com/demo/):
Set the password manager to generate passwords with a-z, A-Z, 0-9 and Symbols enabled, with '.' as the only symbol (so 63 characters in total), then generate a large number of passwords.
When I generated passwords totalling 1500 characters, I counted the number of dot symbols (.) in them. There were 583 dots in 1500 characters (about 1/3 of the total). I'd expect only about 24 (about 1/63 of the total). In reality about 1/3 of all characters are symbols.
Similarly, with only a-z, A-Z and 0-9 enabled, 732 of 1500 characters (about 1/2) were digits. I'd expect about 242 (10/62 of the total).
This suggests that the generator first rolls a die to select a character group and then selects a character from that group, with a-z and A-Z treated as a single group. This produces passwords that are much weaker than necessary, especially when the character groups differ in size.
For strong passwords I'd expect all characters from all enabled groups to be placed in a single pool from which each position is drawn uniformly at random.
The issue has remained unfixed since 2018. To work around it in your own installation, make the Symbols group the same size as the a-zA-Z set (52 characters), and instead of enabling the 0-9 option, add the digits to the Symbols group. With two groups of equal size, choosing a group first no longer biases the result.
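To make the bias and its cost concrete, here is an added Python example (not the sample implementation sent to the vendor and not TeamPasswordManager's code). It models the group-then-character generator inferred above beside a single-pool generator, reproduces the skewed per-group counts, and computes the entropy per character of each scheme. The three-group model, the function names and the sample sizes are assumptions made for the illustration.

```python
import math
import random
import secrets
import string
from collections import Counter

# Character groups as configured in the post: a-z and A-Z (which the generator
# appears to treat as one group), 0-9, and a Symbols list containing only '.'.
ALPHA = string.ascii_letters   # 52 characters
DIGITS = string.digits         # 10 characters
SYMBOLS = "."                  # 1 character; 63 in total


def biased_generate(length, groups, rng=secrets):
    """Model of the behaviour inferred in the post (an assumption, not
    TeamPasswordManager's code): pick a group uniformly at random, then a
    character uniformly from within that group."""
    return "".join(rng.choice(rng.choice(groups)) for _ in range(length))


def uniform_generate(length, groups, rng=secrets):
    """The expected construction: one pool, every character equally likely."""
    pool = "".join(groups)
    return "".join(rng.choice(pool) for _ in range(length))


def group_fractions(text, groups):
    """Fraction of the characters in `text` that belong to each group."""
    counts = Counter(text)
    return [sum(counts[c] for c in g) / len(text) for g in groups]


def sample_fractions(length, groups, biased, seed=None):
    """Generate `length` characters with one scheme and return the per-group
    fractions. `seed` makes a demonstration reproducible; leave it None
    (secrets) for anything that has to be unpredictable."""
    rng = secrets if seed is None else random.Random(seed)
    gen = biased_generate if biased else uniform_generate
    return group_fractions(gen(length, groups, rng), groups)


def grouped_entropy_bits(groups):
    """Shannon entropy per character of the group-then-character scheme: a
    character in group g is produced with probability 1 / (k * len(g))."""
    k = len(groups)
    return sum(math.log2(k * len(g)) for g in groups) / k


def uniform_entropy_bits(groups):
    """Entropy per character when all groups form a single pool."""
    return math.log2(sum(len(g) for g in groups))


def password_entropy_bits(length, groups, biased):
    """Total entropy of a `length`-character password under either scheme."""
    per_char = grouped_entropy_bits(groups) if biased else uniform_entropy_bits(groups)
    return length * per_char


if __name__ == "__main__":
    groups = [ALPHA, DIGITS, SYMBOLS]
    n = 1500  # same sample size as the post
    print("dot fraction, biased :", sample_fractions(n, groups, biased=True, seed=1)[2])
    print("dot fraction, uniform:", sample_fractions(n, groups, biased=False, seed=1)[2])
    print("bits per character   : %.2f biased vs %.2f uniform"
          % (grouped_entropy_bits(groups), uniform_entropy_bits(groups)))
    print("16-char password     : %.1f biased vs %.1f uniform bits"
          % (password_entropy_bits(16, groups, True),
             password_entropy_bits(16, groups, False)))
```

With the post's 63-character configuration the grouped scheme yields about 4.59 bits per character against 5.98 for a single pool, so a 16-character password carries roughly 73 bits instead of 96. The formula also shows why the workaround helps: when every group has the same size, `grouped_entropy_bits` equals `uniform_entropy_bits`, because the group choice then carries no information about which character follows.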
Timeline of the issue:
- 2018-07-09: Initial report
- 2018-07-09: Response from TeamPasswordManager with a proposal to fix
- 2018-07-10: Reply with my thoughts on the fix + a sample implementation of a generator
- 2018-07-10: Response from TeamPasswordManager that they will consider one of the proposed solutions
- 2021-07-07: Verified the issue still persists in the demo, published