How can I calculate the entropy reduction in my system I'm going to introduce?

Question

I am the creator of LessPass, a deterministic password generator.

The core of LessPass is not very complicated.

I have 2 methods calc_entropy and render_password:

calc_entropy transforms the master password + site + login into a very large integer that I call entropy (I don't know if it's the right term, but it represents my amount of randomness in my system). It uses pbkdf2 100k iterations.

render_password uses/consumes this entropy. I have a loop that comes to pick a character from a list of desired characters thanks to the remainder of a long division.

To be sure to have a char for each rule (lowercase, uppercase, digits, symbols) I always pick 1 character for each rule and I insert it in a pseudo-random way in the generated password.

The detail of the algo with an example is available here.

---

LessPass allows its users to save on a server profiles for their generated passwords to avoid remembering sites rules. A profile looks like this:

{
    "login": "my_login",
    "site": "www.exemple.org",
    "lowercase": false,
    "uppercase": false,
    "symbols": false,
    "digits": true,
    "counter": 1,
    "length": 6
}

I would like to introduce a new functionality by allowing the import of passwords from other password managers.

Imagine that my old password for www.example.org is foobar.

I can generate a very large number which after passing in the function render_password generated the password foobar (randomly generated entropy).

I would like to store in the password profile the difference between the actual entropy and a randomly generated entropy which goes through render_password generates foobar.

To generate the old password, I calculate the entropy, apply the diff then render the password.

I did a naive poc here

If you have read me so far thank you!

---

My question: to what extent do I increase the brutuceforcability of the master password if an attacker stole the LessPass database (he knows the diff) and stole the user's password (he knows foobar) compared just knowing the foobar password?

Answer 1

So basically, this is a form of plain-text attack against your algorithm.

The question is how easy it is to guess your integer. If I know "foobar" and the new password, then I can create a set of equations that try to determine the original integer. As long as the integer is larger (in qty bits) than the password (the actual information in the password), then I can never really calculate the actual integer.

I might, however, get enough information to make the integer 'less random'. That sounds abstract, but let me give a very simple example.

I try to determine the value of x, which is an element of [1 - 10]. The original brute force would need me to test 10 values. However, I know that the remainder of x/3=2. That means that x is an element of {2,5,8}. So I now have to test 3 values, instead of 10.

How that exactly works out for your algorithm, and whether you have sufficient entropy left requires quite a bit of calculation in the realm of information theory. And to be honest, my information theory is a bit too rusty for this.

Another question is whether the entropy is sufficient. Compared to what? A completely random password? or "qwerty123"?

I realize that I have not answered your question, but instead made the problem slightly larger. Or I may even have completely misunderstood the question. Sorry for that.