Educause Security Discussion mailing list archives

Re: Password entropy


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 20 Jul 2006 13:08:48 -0500

At 12:18 PM 7/20/2006, Basgen, Brian put fingers to keyboard and wrote:
> Nice find! The sheet is 2 years old, so the processing numbers need to
> be updated, and the sheet is misleading about entropy, since he is
> assuming a password cracker that uses brute force. On that assumption,
> entropy is near 99%, excepting that even a 'random' brute force crack is
> not exactly random. Thus, his comparison to pass phrases is equally
> problematic. In other words, it is challenging to account for real world
> math on password crackers without being accurate as to the cracking
> method (pattern matching in particular, which all modern crackers do in
> some form), and thus his generic approach misses that real-world gap
> while creating a false theoretical gap with the entropy variable.

Just to be clear, I think he accounts for this as well, on line 6
of his sheet.  At least I *think* he does.  My reading is he reduces
the time to crack by 90% assuming users make poor choices.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
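The disagreement in this thread is about which attacker model the entropy figure should assume: a brute-force search over characters, or the dictionary and pattern search that real crackers use, plus a flat reduction for poor user choices. The script below is an added illustration written for this archive page, not code from the sheet being discussed or from either poster. The guess rate, the 95-character set, the 7776-word list and the word lengths are constructed assumptions; it computes entropy under both models and shows what a 90% time reduction amounts to in bits.

```python
"""Entropy and expected crack time under two attacker models.

Added example for the thread above; not code from the sheet or the posters.
The guess rate, charset size, dictionary size and word lengths are assumptions.
"""
import math

# Assumption: one billion guesses per second; update for current hardware.
ASSUMED_GUESSES_PER_SECOND = 1e9


def brute_force_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy if the attacker must search every string over the charset."""
    return length * math.log2(charset_size)


def dictionary_entropy_bits(dictionary_size: int, words: int) -> float:
    """Bits of entropy if the attacker knows the passphrase is `words` entries
    drawn from a list of `dictionary_size` words (the pattern-matching model)."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                           poor_choice_factor: float = 1.0) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched.
    poor_choice_factor scales the time; 0.1 models the 90% reduction that the
    reply above reads from line 6 of the sheet."""
    keyspace = 2.0 ** entropy_bits
    return (keyspace / 2.0) / guesses_per_second * poor_choice_factor


def bits_lost_to_factor(poor_choice_factor: float) -> float:
    """Convert a time-reduction factor into the equivalent loss of entropy bits."""
    return -math.log2(poor_choice_factor)


def compare_models(charset_size: int, length: int,
                   dictionary_size: int, words: int, avg_word_len: int) -> dict:
    """Entropy estimates for a random password and for a passphrase, the latter
    judged first by brute force over its characters (the sheet's model) and then
    by the dictionary model an attacker would actually use."""
    passphrase_chars = words * avg_word_len
    return {
        "password_bits": brute_force_entropy_bits(charset_size, length),
        # lowercase letters only for the character-level view of the passphrase
        "passphrase_bits_bruteforce_model": brute_force_entropy_bits(26, passphrase_chars),
        "passphrase_bits_dictionary_model": dictionary_entropy_bits(dictionary_size, words),
    }


if __name__ == "__main__":
    # Constructed inputs: 8 printable ASCII chars vs. 5 words from a 7776-word list.
    est = compare_models(charset_size=95, length=8,
                         dictionary_size=7776, words=5, avg_word_len=5)
    for name, bits in est.items():
        days = expected_crack_seconds(bits) / 86400
        print(f"{name:34s} {bits:6.1f} bits  ~{days:.3g} days at 1e9 guesses/s")
    print(f"90% time reduction = {bits_lost_to_factor(0.1):.2f} bits lost")
```

Run as-is, the character-level view credits the five-word passphrase with well over 100 bits while the dictionary view gives about 65; that gap is the "false theoretical gap" the reply complains about. The flat 90% reduction, by contrast, removes only about 3.3 bits, so it does not substitute for modelling the cracking method.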
