mirrors/keepassxc
1
0
Fork 0
mirror of https://github.com/keepassxreboot/keepassxc.git synced 2025-04-03 20:47:37 +03:00
Code Issues Projects Releases Packages Wiki Activity

Prevent duplicate entries in passphrase wordlists

Browse source 
Replace a QVector for the wordlist with a QSet. This removes all duplicate entries in a given wordlist.
Thus, it hinders a malicious wordlist that has the proper length (>4000 entries) but with repetitions (effectively << 4000 entries) to be used and potentially create weaker passphrases than estimated.

Example:
List with 4000 items but only 64 unique words would lead to only 48 bit of Entropy instead of ~95 bit!
This commit is contained in:
christianwengert 2024-06-28 11:24:44 +02:00 committed by Jonathan White
parent 9b4e6b4e11
commit c7d318236f
8 changed files with 47 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

2
tests/TestCli.cpp
View file

@ -1088,7 +1088,7 @@ void TestCli::testDiceware()
smallWordFile.close();
execCmd(dicewareCmd, {"diceware", "-W", "11", "-w", smallWordFile.fileName()});
QCOMPARE(m_stderr->readLine(), QByteArray("The word list is too small (< 1000 items)\n"));
QCOMPARE(m_stderr->readLine(), QByteArray("Cannot generate valid passphrases because the wordlist is too short\n"));
}
void TestCli::testEdit()

16
tests/TestPassphraseGenerator.cpp
View file

@ -16,6 +16,7 @@
*/
#include "TestPassphraseGenerator.h"
#include "config-keepassx-tests.h"
#include "core/PassphraseGenerator.h"
#include "crypto/Crypto.h"
@ -52,3 +53,18 @@ void TestPassphraseGenerator::testWordCase()
QRegularExpression regex("^(?:[A-Z][a-z-]* )*[A-Z][a-z-]*$");
QVERIFY2(regex.match(passphrase).hasMatch(), qPrintable(passphrase));
}
void TestPassphraseGenerator::testUniqueEntriesInWordlist()
{
PassphraseGenerator generator;
// set the limit down, so we don;t have to do a very large file
generator.m_minimum_wordlist_length = 4;
// link to bad wordlist
QString path = QString(KEEPASSX_TEST_DATA_DIR).append("/wordlists/bad_wordlist_with_duplicate_entries.wordlist");
// setting will work, it creates the warning however, and isValid will fail
generator.setWordList(path);
// so this fails
QVERIFY(!generator.isValid());
}

1
tests/TestPassphraseGenerator.h
View file

@ -27,6 +27,7 @@ class TestPassphraseGenerator : public QObject
private slots:
void initTestCase();
void testWordCase();
void testUniqueEntriesInWordlist();
};
#endif // KEEPASSXC_TESTPASSPHRASEGENERATOR_H

4
tests/data/wordlists/bad_wordlist_with_duplicate_entries.wordlist Normal file
View file

@ -0,0 +1,4 @@
abacus
abdomen
abdominal
abdominal