Adjust site password strength meter

to account for modulo bias. The number of guesses an adversary needs is reduced by 4% with the default settings and 25% in the worst case.
alanhkarp · Jun 10, 2024 · 3564dee · 3564dee
1 parent 23596f4
commit 3564dee
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 0 deletions.
diff --git a/SitePassword-V3.zip b/SitePassword-V3.zip
diff --git a/notes/SitePassword.pages b/notes/SitePassword.pages
diff --git a/src/ssp.js b/src/ssp.js
@@ -881,6 +881,8 @@ function setMeter(which) {
     let guesses = getGuesses(which);
     // 10^9 guesses per second, 3*10^7 seconds per year, average success in 1/2 the tries
     let years = guesses/(1e9*3e7*2);
+    // Adjust site password for modulus bias
+    if (which === "sitepw") years *= 1 - (256%characters(bg.settings).length)/256;
     if (which === "superpw") years /= 16*1024; // So the superpw will have more entropy than the site password
     let score = getScore(years);
     let index = Math.floor(score/5);