Passphrase custom wordlist cannot be less than 4000 words

[ihesham]

Have you searched for an existing issue?

• Yes, I tried searching and reviewed the pinned issues

Brief Summary

EDIT: This issue turns out to be an intended Feature not a Bug

After many trials with several size of wordlists, I hit the exact number of entries below which the imported custom wordlist cannot generate any passphrase. Having custom wordlists with less than 4000 entries has a lots of use-cases. It cannot be ignored or marked non-secure as the entropy can obviously be compensated by increasing the length of the passphrase.

I am not sure if it's a bug or just a feature intended by the developers. I can confirm this issue was not observed in the previous version KeePassXC 2.7.9.

On a side note, I would like to sincerely thank the developers of KeePassXC for their efforts and excellent work that serves a lot of people who care much about their security and privacy.

Steps to Reproduce

1. Open KeePassXC
2. In the toolbar, click Password Generator
3. Select the Passphrase tab
4. In the Wordlist line, Goto the right, click the "+" symbol to import a custom wordlist
5. Select any text file that contain less than 4000 entries (words)
6. Click generate (the refresh arrow button) to generate a new passphrase

Expected Versus Actual Behavior

Expected Behavior: A new passphrase is generated based on the new imported file of custom wordlist

Actual Behavior: The refresh button is "greyed out" and unable to generate any new passphrase

KeePassXC Debug Information

KeePassXC - Version 2.7.10
Revision: b342be4

Qt 5.15.11
Debugging mode is disabled.

Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.19045

Enabled extensions:
- Auto-Type
- Browser Integration
- Passkeys
- SSH Agent
- KeeShare
- YubiKey
- Quick Unlock

Cryptographic libraries:
- Botan 3.1.1

Operating System

Windows

Linux Desktop Environment

None

Linux Windowing System

None

[droidmonkey]

This is intentional, we fixed a bug where the intent before 2.7.10 was to have a minimum of 4000 words, but it wasn't applied correctly. So smaller word lists were actually allowed, but only by accident. You are not the first to report a problem with this for 2.7.10, but I'm conflicted.

This post is the best I have seen on this topic: https://www.reddit.com/r/Passwords/comments/sqrymt/comment/hwnfb94/

I would be open to making the minimum length 1,296 since that's the EFF short list. Honestly though, it absolutely doesn't matter, just use the longer list.

[ihesham]

Thank you for your explanation. I should clarify that I wrongly thought this feature could affect the randomness of the generated passphrases. It does NOT.

However, I strongly hope and wish that you would reconsider setting the minimum length of custom wordlists to 1000 entries. Beside using the eff-short list that you mentioned, there's a lots of use-cases that may need this minimum. Except that it may reveal my private use-cases, I would have mentioned some. Your password generator can save the hassle and time of using/rolling the dice everywhere for short lists.

I have been using KeePassXC for many years. Even before fully switching to KeePassXC as a password manager, I was relying on its Password Generator feature. It is one of the most beautiful, trusted and fully costumed generators which can be relied upon.

Finally, I am not sure this is the right place for such a request. Should I open another new issue and tag it as a Feature Request?

[droidmonkey]

This is a bug, it's all the same to us anyway

[digitalsignalperson]

bip39.txt has 2048 words.
typical usage is 12 or 24 words
Are you saying 128 bits or 256 bits of entropy is not enough?

[Errant-4]

From a user perspective, the way that this just fails to generate a list makes this look like a bug. Until now, I had no clue that the reason it suddenly stopped working one day was because the eff short list was no longer considered sufficient