Educause Security Discussion mailing list archives
Re: Password entropy
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 19 Jul 2006 10:30:11 -0700
something like "1 am not going to PAY a lot for the muffler!". It's easy to remember, it's much longer, and therefore much stronger, and it has a reasonable character set combination.
Your quote above represents a mix of letters, case, numerals, and symbols. Assuming true randomness, that accounts for 96 characters possible, and you have 44 characters shown, which is 1.6 x 10^87 (a vigintillion). Mixing characters often gives a false sense of security due to math that assumes randomness.

Since English has 500,000 words, a combination of just four words would give us 6.25 x 10^22 (sextillion) which is a great place to be for entropy. But even here, is the assumption of randomness correct? I don't think so. If we go on the assumption that most English speakers have a vocabulary of 50,000 words, and thus that users will create passwords for words they already know (thus the easy memorization argument), then a fifth word is required to produce great entropy (3.125 x 10^23).

Yet, when dealing with sextillion combinations, wouldn't the rules of grammar restrict the amount of combinations? I don't know what that math would look like, but it seems that is a reasonable way to answer this debate between passwords and passphrases.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
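The keyspace arithmetic from the message above, plus one possible way to model the grammar question it raises, as an added example that is not part of the original post. The part-of-speech split of the 50,000-word vocabulary and the five-slot sentence template are constructed assumptions, not measured data.

```python
import math

def bits(keyspace: int) -> float:
    """Entropy in bits of one uniform random choice among `keyspace` options."""
    return math.log2(keyspace)

def uniform_space(alphabet: int, length: int) -> int:
    """Keyspace when every position is drawn independently and uniformly."""
    return alphabet ** length

def template_space(slot_sizes: list[int]) -> int:
    """Keyspace when each position may only hold words of one grammatical class."""
    return math.prod(slot_sizes)

def words_needed(vocabulary: int, target_bits: float) -> int:
    """Smallest count of uniformly chosen words that reaches target_bits."""
    return math.ceil(target_bits / bits(vocabulary))

# Constructed split of a 50,000-word vocabulary by part of speech
# (assumption for illustration, not measured data).
POS = {"det": 50, "adj": 10_000, "noun": 25_000, "verb": 9_950, "adv": 5_000}
assert sum(POS.values()) == 50_000

# Hypothetical sentence shape: determiner, adjective, noun, verb, adverb.
TEMPLATE = ["det", "adj", "noun", "verb", "adv"]

def compare() -> dict[str, float]:
    """Bits of entropy for each scheme discussed in the message."""
    return {
        "44 random chars from 96": bits(uniform_space(96, 44)),
        "4 random words from 500,000": bits(uniform_space(500_000, 4)),
        "5 random words from 50,000": bits(uniform_space(50_000, 5)),
        "5 words in a fixed grammar template":
            bits(template_space([POS[p] for p in TEMPLATE])),
    }

if __name__ == "__main__":
    for scheme, b in compare().items():
        print(f"{scheme:38s} {b:6.1f} bits")
    target = bits(uniform_space(500_000, 4))
    print("words needed from 50,000 to match:", words_needed(50_000, target))
```

Under these assumptions, the grammar template costs about 19 bits relative to five freely chosen words, because the slot sizes multiply instead of the full vocabulary.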