**Sean R. Lynch ☑️** .org · 4. Apr 2018, 17:40

**Sean R. Lynch ☑️** .org · 4. Apr 2018, 17:40

Sean R. Lynch ☑️ .org

In an excellent example of how password strength meters make you LESS secure, the Thycotic Secret Server calls a 73 character OAUTH access token "weak" because it only has lowercase letters and hex digits. And I'm supposed to trust this company to protect my secrets?

**Hallå Kitteh** .heldscal.la · 4. Apr 2018, 17:45

**Hallå Kitteh** .heldscal.la · 4. Apr 2018, 17:45

@seanl "You have the same character twice in succession. Your password is not safe."

**⚒️Thor, the Norseman⚒️** · 4. Apr 2018, 18:18

**⚒️Thor, the Norseman⚒️** · 4. Apr 2018, 18:18

@clacke @seanl I sort of like the security metric used in apps like KeePass. They basically compress the password and see how small they can make it, and that's the number of bits of entropy. I find it clever, because compression algorithms are designed to strip away everything that's predictable. The better the algorithm, the closer the output bitstream is to only encoding the entropy.

**⚒️Thor, the Norseman⚒️** · 2018-04-04T18:20:39Z

⚒️Thor, the Norseman⚒️

@seanl @clacke Of course, it's not so good with predicting dictionary attacks, unless the symbol table of the compressor is primed with dictionary words first. For all I know, they already do that.

4. Apr 2018, 18:20 · Amaroq · 0 · 0