Enpass uses OpenSSL's RAND_bytes to generate cryptographically secure random data.
Using a unique password for each website is the first and foremost step toward security. Enpass comes with a handy built-in password generator. It can generate both pronounceable and random passwords. Pronounceable passwords are generated with the Diceware methodology using a 14400-word dictionary. More details about Diceware are described here.
Password Strength Estimation
Entropy is a measure of password strength. Enpass uses Zxcvbn to calculate the entropy of random passwords. More details about zxcvbn are here.
If a password is pronounceable, Enpass calculates both the Zxcvbn and the Diceware entropy, and the lower of the two is used to show strength. The strength meter is calibrated to display the following values for the corresponding entropy ranges.

Entropy (bits)   Strength
<35              Very poor
35-50            Weak
50-70            Average
70-100           Good
>100             Excellent
Pwn Password Checker
Enpass lets you check your passwords against the list of breached passwords managed by Troy Hunt's Have I Been Pwned service. It's a trustworthy procedure, ensuring that your passwords stay safe in Enpass and are never sent to the internet. It works on the k-Anonymity model: only the first five characters of your SHA-1 hashed password (the 40-character hash created from your password) are sent to www.haveibeenpwned.com. In response, it sends the list of all leaked password hashes starting with those same five characters. Enpass then locally compares your password's hash to that list, and if it finds a match, you get a warning that the password has been leaked on the internet and must never be used.
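The k-Anonymity exchange described above, as an added example that is not Enpass's own code: a stand-in range endpoint built from a constructed breach corpus, and a client that sends only the five-character SHA-1 prefix and matches the suffix locally. The corpus, counts and `fetch_range` function are assumptions made for the demonstration.

```python
import hashlib
from collections import defaultdict

# Constructed "breach corpus" standing in for the Pwned Passwords database
# (sample values, not real breach data): password -> number of times seen.
BREACHED = {"password": 3, "letmein": 2, "qwerty123": 1}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: group the 35-character hash suffixes by 5-character prefix."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED)
REQUEST_LOG = []  # records exactly what the client sent "over the wire"


def fetch_range(prefix: str) -> str:
    """Stand-in for the range lookup: returns 'SUFFIX:COUNT' lines for one prefix."""
    REQUEST_LOG.append(prefix)
    return "\n".join(f"{s}:{c}" for s, c in RANGE_INDEX.get(prefix, {}).items())


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """Client side: send only the 5-char prefix, then match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        print(f"{pw!r}: {'leaked %d times' % n if n else 'not in corpus'}")
```

The full password and its full hash never leave `breach_count`; `REQUEST_LOG` shows that each request carried only five hex characters.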