Educause Security Discussion mailing list archives

Re: Password entropy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 19 Jul 2006 10:30:11 -0700

something like "1 am not going to PAY a lot for the 
muffler!".  It's easy to remember, it's much longer, and 
therefore much stronger, and it has a reasonable character 
set combination.

 Your quote above represents a mix of letters, case, numerals, and
symbols. Assuming true randomness, that accounts for 96 characters
possible, and you have 44 characters shown, which is 1.6 x 10^87 (a
vigintillion). Mixing characters often gives a false sense of security
due to math that assumes randomness. 

 Since English has 500,000 words, a combination of just four words would
give us 6.25 x 10^22 (sextillion) which is a great place to be for
entropy. But even here, is the assumption of randomness correct? I don't
think so.

 If we go on the assumption that most English speakers have a vocabulary
of 50,000 words, and thus that users will create passwords for words
they already know (thus the easy memorization argument), then a fifth
word is required to produce great entropy (3.125 x 10^23).

 Yet, when dealing with sextillion combinations, wouldn't the rules of
grammar restrict the amount of combinations? I don't know what that math
would look like, but it seems that is a reasonable way to answer this
debate between passwords and passphrases. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
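The keyspace arithmetic in the post above, worked through as an added example (not part of the original message): it models each construction as uniformly random choices from a set, converts the three scenarios into bits, and shows how many random 96-symbol characters each passphrase is worth. The 96-symbol alphabet and the word counts are the post's own assumptions.

```python
"""Entropy models behind the passphrase-vs-password comparison in the post."""
from math import ceil, log2

def keyspace(symbols: int, length: int) -> int:
    """Number of equally likely strings built from `length` independent choices
    out of `symbols` options. Applies to random characters and random words alike."""
    return symbols ** length

def bits(symbols: int, length: int) -> float:
    """Entropy in bits under the uniform-randomness assumption the post questions."""
    return length * log2(symbols)

def equivalent_random_chars(symbols: int, length: int, alphabet: int = 96) -> int:
    """Smallest count of uniformly random characters from an `alphabet`-symbol set
    whose entropy matches or exceeds the given construction."""
    return ceil(bits(symbols, length) / log2(alphabet))

# The three scenarios the post works out, under its stated assumptions.
SCENARIOS = {
    "44 random characters, 96-symbol set":        (96, 44),
    "4 random words, 500,000-word dictionary":    (500_000, 4),
    "5 random words, 50,000-word user vocabulary": (50_000, 5),
}

def compare(scenarios=SCENARIOS):
    """Return (name, combinations, bits, equivalent 96-symbol chars) per scenario."""
    return [
        (name, keyspace(s, n), bits(s, n), equivalent_random_chars(s, n))
        for name, (s, n) in scenarios.items()
    ]

if __name__ == "__main__":
    for name, space, b, eq in compare():
        print(f"{name}: {space:.3g} combinations, {b:.1f} bits, ~{eq} random chars")
```

Shrinking the word set (from the full dictionary to the vocabulary a user actually draws on, or further once grammar constrains word order) lowers the bit count directly, which is the effect the post is pointing at.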
