Educause Security Discussion mailing list archives
Re: Password entropy
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 20 Jul 2006 15:28:31 -0700
Roger,
Just to be clear, I think he accounts for this as well, on line 6 of his sheet. At least I *think* he does. My reading is he reduces the time to crack by 90% assuming users make poor choices.
Right, this is where I think he is being misleading, because his equation doesn't allow for an entropy variable. You are right in that is how he is using it, but I don't think he is being accurate via the assumptions he has made. Since brute force is about trying every possible variable, and has nothing to do with pattern matching, it is a random (sic) process. Therefore, the randomness of the password is irrelevant. Since he has no basis to make entropy of password relevant, he is being misleading, and his conclusion about passphrases is therefore poorly founded.

I recommend changing his randomness to 100% (1.00), and calling that an optimistic view of the absolute maximum time to crack a password. It is important to understand that while a password with weak entropy would significantly decline the value given by his sheet, you can't quantify that declination with this Excel sheet (with a potential for a large variation). Thus, this represents only a "ceiling" view, of the worst, slowest method to crack a given password. Creating a realistic view requires accounting for the phrase matching ability of the cracking versus the password entropy, which is very challenging.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
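
An added illustration of the "ceiling" point in the message above (not part of the original post, and not the spreadsheet under discussion): it computes where a password falls in a pure exhaustive search versus a wordlist-first search. The alphabet, guess rate, wordlist and sample passwords are constructed assumptions.

```python
import string

ALPHABET = string.ascii_lowercase   # assumed character set (26 symbols)
GUESSES_PER_SEC = 1_000_000         # assumed guess rate, not from the thread
WORDLIST = ["password", "letmein", "dragon", "monkey"]  # constructed sample

def keyspace(max_len, n=len(ALPHABET)):
    """Candidates of length 1..max_len: the brute-force ceiling."""
    return sum(n ** k for k in range(1, max_len + 1))

def exhaustive_rank(password, alphabet=ALPHABET):
    """1-based position of `password` when every string is tried
    shortest-first, then in alphabet order. Only length and symbols
    matter here; how 'random' the password looks does not."""
    n = len(alphabet)
    shorter = sum(n ** k for k in range(1, len(password)))
    index = 0
    for ch in password:
        index = index * n + alphabet.index(ch)
    return shorter + index + 1

def wordlist_first_rank(password, wordlist=WORDLIST, alphabet=ALPHABET):
    """Position when the wordlist is tried before exhaustive search.
    The fallback is an upper bound (wordlist entries are not de-duplicated)."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return len(wordlist) + exhaustive_rank(password, alphabet)

def summarize(password):
    """Ceiling and both ranks, with times at the assumed guess rate."""
    ceiling = keyspace(len(password))
    ex, wl = exhaustive_rank(password), wordlist_first_rank(password)
    return {
        "ceiling_guesses": ceiling,
        "ceiling_seconds": ceiling / GUESSES_PER_SEC,
        "exhaustive_rank": ex,
        "wordlist_first_rank": wl,
        "wordlist_first_seconds": wl / GUESSES_PER_SEC,
    }

if __name__ == "__main__":
    # Two constructed 6-character passwords share the same ceiling,
    # but only one of them is reachable through the wordlist.
    for pw in ("monkey", "qzvkxw"):
        print(pw, summarize(pw))
```

Both sample passwords have the same ceiling, yet the wordlist-first rank of the dictionary word collapses to a handful of guesses, which is the reduction a fixed percentage in a spreadsheet cannot quantify.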