Educause Security Discussion mailing list archives
Re: Password entropy
From: Graham Toal <gtoal () UTPA EDU>
Date: Fri, 21 Jul 2006 08:26:59 -0500
> I'm not real clear on the "entropy" concept but it has something to do with the pattern?
I'm not sure it's the right word in this context, but I believe this is what they're talking about: if you have an 8 character password and the characters are chosen randomly, and each character is only lower case alphabetic, then the number of possible passwords available is 26^8.

Now let's look at a pass phrase. Say we allow 3 words - this is far more than 8 characters, so a naive calculation based solely on character length would say this is stronger. But in fact we've limited each unit of our 'alphabet' to be an English word, of which (let's say) there are 100,000. So the strength of a 3-word passphrase might be 100,000^3.

However, unless you're really stretching your vocabulary, those words are probably taken from your active vocabulary, which might be only 10,000 words, so the strength is only 10,000^3.

But what is worse is that there is a pattern involved: to make it easier to remember, you use a grammatically correct phrase, such as "subject verb object". Let's say our vocabulary has 9000 nouns and 1000 verbs; then our password space is only 9000*1000*9000. This is far easier to crack.

It is this reduction in strength which I think some of the posters were saying that the password strength calculator (which I haven't seen myself, so this may not in fact be true) doesn't take into account. By the way, this is why pass phrases have to be quite long to have equivalent strength to a password.

(Now, the entropy of a random number source is something quite different, and I think in that case entropy is the right word to use. I'll be happy to talk about random numbers in the context of random password generation if anyone is considering implementing one of these, as this is the biggest source of weakness in generated passwords.)

Graham
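The arithmetic in the post above, carried through in bits, as an added example that is not part of Graham's message or the list discussion. It assumes every unit (character or word) is chosen uniformly and independently, and it uses the post's own illustrative figures (26 letters, 100,000 / 10,000 word vocabularies, 9000 nouns, 1000 verbs), not measured values.

```python
import math


def space_bits(unit_counts):
    """Bits of entropy for a secret whose positions are filled independently
    and uniformly; position i has unit_counts[i] choices.
    log2(n1 * n2 * ...) == log2(n1) + log2(n2) + ..., so sum the logs."""
    return sum(math.log2(n) for n in unit_counts)


def random_password_bits(alphabet_size, length):
    """Random password: every position drawn from the same alphabet."""
    return space_bits([alphabet_size] * length)


def phrase_bits(vocab_size, words):
    """Passphrase of independent words drawn from one vocabulary."""
    return space_bits([vocab_size] * words)


def structured_phrase_bits(slot_sizes):
    """Grammatical phrase: each slot (noun, verb, ...) has its own category
    size, e.g. subject-verb-object = [nouns, verbs, nouns]."""
    return space_bits(slot_sizes)


def words_needed(vocab_size, target_bits):
    """Fewest independent words from vocab_size needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(vocab_size))


def compare_models():
    """The four cases from the post, side by side (figures are the post's
    illustrative numbers, not measurements)."""
    return {
        "8 random lowercase chars": random_password_bits(26, 8),
        "3 words, 100,000 vocab": phrase_bits(100_000, 3),
        "3 words, 10,000 active vocab": phrase_bits(10_000, 3),
        "subject-verb-object (9000/1000/9000)":
            structured_phrase_bits([9000, 1000, 9000]),
    }


if __name__ == "__main__":
    for label, bits in compare_models().items():
        print(f"{label:40s} {bits:5.1f} bits")
    print("words (10,000 vocab) to match 26^8:",
          words_needed(10_000, random_password_bits(26, 8)))
```

With these figures the grammatical three-word phrase (about 36.2 bits) comes out slightly below the eight random lowercase letters (about 37.6 bits), which is the point of the post in numbers.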