Educause Security Discussion mailing list archives

Re: Password entropy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 19 Jul 2006 16:42:09 -0700

David,
"1angtPalftm"
So I'm not using it as an actual passphrase, but as a 
mnemonic. 

 Fair enough. 62^11 gets you in the quintillion range assuming true
randomness, which would be excellent. Yet, an equation could be made for
mnemonics (for example, only 50 common English words start with the
letter 'Z', while 1,000 words start with the letter 'A', etc). It would
be interesting to see math for this.

Roger,
the shorter phrase is stronger than the longer phrase?

 I think that is questionable. One would have to work out the entropy.
One thing to think about is that effective cracking would need to target
phrases versus passwords. Thus, one could make an argument for security
through obscurity: since most crackers target passwords (and thus
mnemonics), the phrase approach is stronger. Also, consider that
depending on the cracking approach, either each letter is a factor in
the entropy (passwords) or each word is a factor (in pass phrases): an
important difference here is that characters have a limited amount of
variation (in a good scenario, 96 variations), while words could
theoretically have 500,000 variations, which significantly alters the
math! :) In the absence of math on entropy for passphrases, I tend to
think they are stronger (and easier). 

First off, I assume that for all practical purposes this is an academic
discussion.

 Partly, but I think this is a real problem. With modern computing
power, botnets, etc., cracking complex passwords challenges many
traditional concepts of password strength. For example, a completely
random 8 character password considering all letters, cases, numbers, and
symbols, is very easy to crack! A couple hours on average. Considering
that true randomness is difficult to attain versus the effectiveness of
the cracking program, even those few hours can be significantly reduced.


~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
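
The entropy comparison the message asks for, worked as an added example (not part of the original post). The letter counts other than a=1000 and z=50 are constructed, words are treated as independent and uniformly chosen, and case and digit substitutions in the mnemonic are ignored.

```python
import math

# Word-initial letter counts for a list of common English words. Only a=1000
# and z=50 come from the message above; every other count is constructed.
INITIAL_COUNTS = dict(
    a=1000, b=900, c=1400, d=900, e=600, f=700, g=500, h=600, i=600,
    j=150, k=150, l=500, m=800, n=300, o=400, p=1300, q=80, r=800,
    s=1800, t=900, u=300, v=250, w=450, x=10, y=60, z=50)

def uniform_bits(symbols, length):
    """Entropy in bits of `length` symbols drawn uniformly at random."""
    return length * math.log2(symbols)

def shannon_bits_per_symbol(counts):
    """Shannon entropy H = -sum(p * log2 p) of one symbol drawn by frequency."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def mnemonic_bits(counts, length):
    """Estimate for a lowercase first-letter mnemonic of `length` words,
    with the words treated as independent draws (assumption)."""
    return length * shannon_bits_per_symbol(counts)

def words_needed(target_bits, vocabulary):
    """Random words from `vocabulary` needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(vocabulary))

if __name__ == "__main__":
    random11 = uniform_bits(62, 11)   # the 62^11 case
    random8 = uniform_bits(96, 8)     # 8 characters, 96 variations each
    print(f"62^11 = {62**11:.3e} guesses, {random11:.1f} bits")
    print(f"96^8  = {96**8:.3e} guesses, {random8:.1f} bits")
    print(f"11-letter mnemonic: about {mnemonic_bits(INITIAL_COUNTS, 11):.1f} bits")
    for label, bits in (("96^8", random8), ("62^11", random11)):
        print(f"{label}: matched by {words_needed(bits, 500_000)} random words "
              "from 500,000")
```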
