From: starwars on
Thank you for the explanation.

From: Anonymous on
> Nomen Nescio <nobody(a)dizum.com> writes:
> > If we consider a password of n characters, given the user will probably
> > enter only alpha characters and numbers and a small set of
> > characters like @#$ etc., how do we calculate the actual entropy of the
> > password? Thanks.
>
> If you mean a password supplied by the user, it is drawn from an unknown
> distribution so there is no way for a program to compute or estimate the
> entropy. If you want a password with known entropy, you have to
> generate it from a known distribution (i.e. with an RNG) and assign it
> to the user.

Shouldn't we be able to calculate a worst case and at least say what the
maximum possible entropy could be, given there's only a finite set of
characters used in the n-character passphrase? I'm looking at weaknesses in
user passwords, not trying to generate a password of known entropy.

From: Paul Rubin on
Anonymous <cripto(a)ecn.org> writes:
> Shouldn't we be able to calculate a worst case and at least say what the
> maximum possible entropy could be, given there's only a finite set of
> characters used in the n-character passphrase? I'm looking at weaknesses in
> user passwords, not trying to generate a password of known entropy.

The maximum entropy as worst case for brute force search? Sure, you can
calculate that the obvious way, H=log2(k**n) where k is the size of the
alphabet. But that is pretty useless, especially since the searcher
won't normally know the length of the passphrase (it could be very long).

The usual reason people want to estimate password entropy is for those
stupid password-strength checkers that prevent users from setting
passwords fewer than n characters, etc. In that situation, the max
entropy above is the best case, not the worst, and it is unrealistic
to hope for if the users get to pick the password themselves.

From: Maaartin on
On May 24, 12:34 pm, Paul Rubin <no.em...(a)nospam.invalid> wrote:
> The maximum entropy as worst case for brute force search?  Sure, you can
> calculate that the obvious way, H=log2(k**n) where k is the size of the
> alphabet.  But that is pretty useless, especially since the searcher
> won't normally know the length of the passphrase (it could be very long).

I wonder how closely the expected time of a brute force search is
related to the entropy. Imagine me picking a 10-character random
password consisting of letters only, where I'm biased 80:20 against
capitals. The entropy is only 54 bits instead of 57; does it mean the
search takes 8 times less?

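As an added worked example (not from the thread, and not anyone's posted code), the Python below puts numbers on both of the points above: Paul's H = log2(k**n) figure for a uniform alphabet, and Maaartin's question of whether a 3-bit entropy drop makes the search 8 times shorter. The 10-letter password with an 80:20 lowercase/uppercase bias is a constructed distribution chosen to match the example in the post; the code computes its Shannon entropy and the exact expected number of guesses when strings are tried from most to least likely, which is the quantity a brute-force running time actually depends on.

```python
"""Shannon entropy versus expected brute-force effort for a biased password.

Constructed example: a 10-character password over the 52 letters where every
position is lowercase with probability 0.8 and uppercase with probability 0.2,
each letter within a case being equally likely. A uniform distribution over
the same alphabet gives the H = log2(k**n) figure for comparison.
"""
from fractions import Fraction
from math import factorial, log2

# Each distribution is a list of (per-symbol probability, number of symbols
# sharing that probability). Probabilities are Fractions so that the
# guesswork computation below is exact.
BIASED = [(Fraction(4, 5) / 26, 26),   # 26 lowercase letters, 80% in total
          (Fraction(1, 5) / 26, 26)]   # 26 uppercase letters, 20% in total
UNIFORM = [(Fraction(1, 52), 52)]      # k = 52 equiprobable letters
LENGTH = 10                            # n


def entropy_bits(classes, n):
    """Shannon entropy (bits) of n independent symbols drawn from `classes`."""
    per_symbol = -sum(size * float(p) * log2(float(p)) for p, size in classes)
    return n * per_symbol


def compositions(n, k):
    """Yield every tuple of k non-negative integers that sums to n."""
    if k == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in compositions(n - first, k - 1):
            yield (first,) + rest


def expected_guesses(classes, n):
    """Exact expected number of guesses when the n-symbol strings are tried in
    decreasing order of probability (the optimal brute-force order).

    Strings that draw the same number of symbols from each probability class
    are equally likely, so each such group occupies a consecutive run of ranks
    and contributes count * probability * mean rank to the expectation.
    """
    groups = []
    for counts in compositions(n, len(classes)):
        ways = factorial(n)            # multinomial coefficient, divided down below
        prob = Fraction(1)             # probability of one string in this group
        strings = 1                    # letter choices per class arrangement
        for c, (p, size) in zip(counts, classes):
            ways //= factorial(c)
            prob *= p ** c
            strings *= size ** c
        groups.append((prob, ways * strings))
    groups.sort(key=lambda g: g[0], reverse=True)

    total = Fraction(0)
    tried = 0                          # strings already guessed before this group
    for prob, count in groups:
        mean_rank = tried + Fraction(count + 1, 2)
        total += count * prob * mean_rank
        tried += count
    return total


def speedup():
    """How many times fewer guesses the biased password costs on average than
    a uniform one of the same length over the same alphabet."""
    return float(expected_guesses(UNIFORM, LENGTH) / expected_guesses(BIASED, LENGTH))


if __name__ == "__main__":
    for name, dist in (("uniform", UNIFORM), ("biased", BIASED)):
        h = entropy_bits(dist, LENGTH)
        g = expected_guesses(dist, LENGTH)
        print(f"{name:8s} entropy {h:6.2f} bits  expected guesses {float(g):.3e}"
              f"  (log2 = {log2(float(g)):.2f} bits)")
    print(f"3 bits of entropy suggest 8x; actual speedup is {speedup():.2f}x")
```

The entropy drops from 57.0 to 54.2 bits, and the 3-bit difference suggests an 8x shorter search, but the exact expected number of guesses falls by a factor of about 6.5 (from roughly 7.2e16 to 1.1e16). Log2 of the expected guess count is about 53.3 bits here against a Shannon entropy of 54.2, so entropy tracks brute-force effort but does not equal it; for a strength estimate the guess count is the quantity to compare.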
From: Joseph Ashwood on
"Paul Rubin" <no.email(a)nospam.invalid> wrote in message
news:7xocg520ml.fsf(a)ruckus.brouhaha.com...
> "Joseph Ashwood" <ashwood(a)msn.com> writes:
>> While a perfect number is impossible, if you have a large enough set
>> of users you can check the passwords against each other, this gives a
>> distribution for general purposes.
>
> That doesn't make any sense. Each person picks a password from their
> own distribution. You can't usefully treat them as being drawn from one
> monstrous distribution.

Absolutely, for a particular individual there will be very significant bias,
and having significant knowledge of the target will change the distribution.
However, in a general situation, having such knowledge is unlikely. Anyone
looking for my password would likely have some knowledge of the
distribution, but someone looking for a password is not able to use that
information. So certainly it isn't perfect, but I do believe it gives a
useful number.

> Also, checking passwords against each other isn't so good since it means
> you're storing them as unsalted hashes or even in the clear.

Nothing says they have to be passwords from your system, although that would
be most accurate. Several large userbase websites have had their passwords
compromised, and these lists are available. It won't have the same
distribution as your audience, unless your audience is identical, but again
it should be useful.

There's a very good reason I said "a perfect number is impossible".
Joe