Teampassword manager's password generator is biased

Heine — Wed, 2021/07/07 - 16:42

While testing the password generator of the password manager TeamPasswordManager I noticed that the frequency distribution of characters deviates from what a uniform generator should produce. The deviation is so large that it is obvious on visual inspection.

To reproduce (a demo is available at https://teampasswordmanager.com/demo/):

Set the password manager to generate passwords with a-z, A-Z, 0-9 and Symbol, with '.' as the only symbol (so 63 characters in total), then generate a large number of passwords.

I generated passwords totalling 1500 characters and counted the dot symbols (.) in them. There were 583 dots in 1500 characters (about 1/3). With a uniform draw from 63 characters I'd expect only about 24 (about 1/63); instead about 1/3 of all characters are the symbol.

Similarly, with only a-z, A-Z and 0-9 enabled, 732 of 1500 characters (about 1/2) were digits. I'd expect about 242 (or 10/62).

This suggests that the generator first rolls a die to select a character group and then selects a character from that group, with a-z and A-Z grouped together. Because every group gets the same share of positions regardless of its size, the result is passwords that are much weaker than necessary, especially when the character groups differ in size.

For strong passwords I'd expect that all symbols from all character groups would be part of the same pool from which random selection would draw.

The issue has remained unfixed since 2018. To remedy this in your own installation, ensure the Symbols group contains as many characters as the A-Za-z set, and do not use the 0-9 option, but enter the digits in the Symbols group instead.
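The following Python simulation is an added example, not code from this post or from TeamPasswordManager. It implements the two selection schemes discussed above (the group-first scheme the observations suggest, and a single pooled draw), reproduces the observed dot and digit frequencies, and computes the per-character entropy each scheme yields so the strength loss can be quantified. Function names, the group layout and the sample sizes are my own assumptions; the real product's code is not known.

```python
import math
import random
import string
from collections import Counter

# Character groups as configured in the post: a-z and A-Z form one group,
# 0-9 another, and '.' is the only symbol (63 characters in total).
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "."


def group_first_generator(groups, length, rng):
    """Hypothesised biased scheme: pick a group uniformly at random, then a
    character from that group. Each group gets the same share of positions
    regardless of how many characters it contains."""
    return "".join(rng.choice(rng.choice(groups)) for _ in range(length))


def pooled_generator(groups, length, rng):
    """Unbiased scheme: merge all groups into one pool and draw uniformly."""
    pool = "".join(groups)
    return "".join(rng.choice(pool) for _ in range(length))


def fraction_of(chars, text):
    """Share of the characters in `text` that belong to `chars`."""
    counts = Counter(text)
    return sum(counts[c] for c in chars) / len(text)


def entropy_per_char_group_first(groups):
    """Shannon entropy (bits) of one output character under the group-first
    scheme. With k groups, a character in group g has probability
    1 / (k * |g|), so H = (1/k) * sum over g of log2(k * |g|)."""
    k = len(groups)
    return sum(math.log2(k * len(g)) for g in groups) / k


def entropy_per_char_pooled(groups):
    """Shannon entropy (bits) of one character drawn uniformly from the pool."""
    return math.log2(sum(len(g) for g in groups))


def bias_report(groups, watched, n=15000, rng=None):
    """Generate n characters with both schemes and compare the observed share
    of `watched` characters against the share a uniform draw would give."""
    rng = rng or random.SystemRandom()  # SystemRandom: OS CSPRNG, as a generator should use
    pool_size = sum(len(g) for g in groups)
    return {
        "group_first_fraction": fraction_of(watched, group_first_generator(groups, n, rng)),
        "pooled_fraction": fraction_of(watched, pooled_generator(groups, n, rng)),
        "expected_uniform_fraction": len(watched) / pool_size,
        "group_first_bits_per_char": entropy_per_char_group_first(groups),
        "pooled_bits_per_char": entropy_per_char_pooled(groups),
    }


if __name__ == "__main__":
    # Scenario 1 from the post: letters, digits and '.'; watch the dot.
    for name, groups, watched in (
        ("letters+digits+'.'", [LETTERS, DIGITS, SYMBOLS], SYMBOLS),
        ("letters+digits", [LETTERS, DIGITS], DIGITS),
    ):
        r = bias_report(groups, watched)
        print(f"{name}: watched={watched!r}")
        for key, value in r.items():
            print(f"  {key}: {value:.4f}")
```

For the three-group configuration the group-first scheme yields about 4.59 bits per character against 5.98 bits for a uniform draw from 63 characters, which over a 16-character password is a loss of roughly 22 bits. The workaround in the post works because the formula above collapses to log2 of the pool size exactly when every group has the same size, so equalising the Symbols group with the A-Za-z set removes the bias.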

Timeline of the issue:

  • 2018-07-09: Initial report
  • 2018-07-09: Response from TeamPasswordManager with a proposal to fix
  • 2018-07-10: Reply with my thoughts on the fix + a sample implementation of a generator
  • 2018-07-10: Response from TeamPasswordManager that they will consider one of the proposed solutions
  • 2021-07-07: Verified the issue still persists in the demo, published

Copyright © 2021 by Heine Deelstra. All rights reserved.
