Educause Security Discussion mailing list archives
Re: Password entropy
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 20 Jul 2006 13:08:48 -0500
At 12:18 PM 7/20/2006, Basgen, Brian put fingers to keyboard and wrote:
Nice find! The sheet is 2 years old, so the processing numbers need to be updated, and the sheet is misleading about entropy, since he is assuming a password cracker that uses brute force. On that assumption, entropy is near 99%, excepting that even a 'random' brute force crack is not exactly random. Thus, his comparison to pass phrases is equally problematic. In other words, it is challenging to account for real world math on password crackers without being accurate as to the cracking method (pattern matching in particular, which all modern crackers do in some form), and thus his generic approach misses that real-world gap while creating a false theoretical gap with the entropy variable.
Just to be clear, I think he accounts for this as well, on line 6 of his sheet. At least I *think* he does. My reading is he reduces the time to crack by 90% assuming users make poor choices.
--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"