Educause Security Discussion mailing list archives

Re: Password entropy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 20 Jul 2006 15:28:31 -0700

Roger,

> Just to be clear, I think he accounts for this as well, on
> line 6 of his sheet.  At least I *think* he does.  My reading
> is he reduces the time to crack by 90% assuming users make
> poor choices.

 Right, this is where I think he is being misleading, because his
equation doesn't allow for an entropy variable. You are right that that is
how he is using it, but I don't think he is being accurate, given the
assumptions he has made.

 Since brute force is about trying every possible variable, and has
nothing to do with pattern matching, it is a random (sic) process.
Therefore, the randomness of the password is irrelevant. Since he has no
basis to make the entropy of the password relevant, he is being misleading,
and his conclusion about passphrases is therefore poorly founded.

 I recommend changing his randomness to 100% (1.00), and calling that an
optimistic view of the absolute maximum time to crack a password. It is
important to understand that while a password with weak entropy would
significantly lower the value given by his sheet, you can't quantify
that reduction with this Excel sheet (and the potential variation is
large). Thus, this represents only a "ceiling" view: the worst,
slowest method of cracking a given password. Creating a realistic view
requires accounting for the phrase-matching ability of the cracker
versus the password entropy, which is very challenging.
 
~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
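
The contrast the message above draws, between the spreadsheet's full-keyspace "ceiling" and what a pattern-matching cracker actually needs, can be made concrete. The following is an added example for this archive page, not code from the thread or from the spreadsheet under discussion. The wordlist, the year/symbol mangling rules, the two sample passwords and the guess rate are all constructed here for illustration; a real cracker's rule sets are far larger, and the `randomness` scaling factor is only a stand-in for how the thread describes the sheet's "poor user choices" line, not the sheet's actual formula.

```python
"""Brute-force 'ceiling' versus a rule-based (pattern-matching) attack.

Added example: compares the exhaustive-search time a keyspace/rate
calculation gives (the 'ceiling' view discussed in the thread) with the
number of guesses a wordlist-plus-mangling attack needs on a low-entropy
password.  All inputs below are constructed for illustration.
"""
import math
from typing import Iterable, Optional


def keyspace(charset_size: int, length: int) -> int:
    """Number of strings of exactly `length` symbols over a charset.

    Exhaustive search must consider this many candidates in the worst
    case (half of them on average), regardless of how the user chose
    the password.
    """
    return charset_size ** length


def ceiling_seconds(charset_size: int, length: int, guesses_per_sec: float,
                    randomness: float = 1.0) -> float:
    """Worst-case seconds to exhaust the keyspace at a given guess rate.

    `randomness` = 1.0 is the full keyspace, i.e. the optimistic
    'absolute maximum' view; smaller values scale the keyspace down as a
    crude stand-in for poor user choices (assumption: a linear factor,
    which is exactly what the thread says cannot be quantified well).
    """
    return keyspace(charset_size, length) * randomness / guesses_per_sec


# Constructed mini wordlist and mangling rules (stand-ins for a real
# cracker's dictionary and rule set; real ones are orders of magnitude larger).
WORDLIST = ["password", "letmein", "summer", "welcome", "monkey"]
YEARS = [str(y) for y in range(2000, 2007)]
SUFFIXES = ["", "!", "1", "123"]


def mangled_candidates(wordlist: Iterable[str]) -> Iterable[str]:
    """Yield guesses in the order a simple rule-based cracker would try them:
    each word as-is, capitalised and upper-cased, optionally followed by a
    year and then by a short suffix."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for year in [""] + YEARS:
                for suffix in SUFFIXES:
                    yield f"{base}{year}{suffix}"


def guesses_until_found(target: str, candidates: Iterable[str]) -> Optional[int]:
    """Number of guesses the rule-based attack needs to hit `target`,
    or None when the target lies outside the patterns it generates."""
    for n, candidate in enumerate(candidates, start=1):
        if candidate == target:
            return n
    return None


def compare(password: str, charset_size: int = 94,
            guesses_per_sec: float = 1e9) -> dict:
    """Put the two views side by side for one password.

    charset_size=94 assumes printable ASCII; guesses_per_sec is a
    constructed rate, not a measurement of any particular cracker.
    """
    found_after = guesses_until_found(password, mangled_candidates(WORDLIST))
    return {
        "password": password,
        "ceiling_bits": math.log2(keyspace(charset_size, len(password))),
        "ceiling_seconds": ceiling_seconds(charset_size, len(password),
                                           guesses_per_sec),
        "rule_based_guesses": found_after,
        # Effective work the pattern attack needed, in bits, when it succeeds.
        "effective_bits": (math.log2(found_after) if found_after else None),
    }


if __name__ == "__main__":
    # "Summer2006!" is 11 printable-ASCII characters: the keyspace view
    # says centuries; the rule-based attack needs a few hundred guesses.
    # "q7#Lm2vX" is 8 characters chosen at random: a far smaller ceiling,
    # yet the pattern attack never reaches it at all.
    for pw in ("Summer2006!", "q7#Lm2vX"):
        print(compare(pw))
```

The point the example makes is the one the message ends on: the keyspace number is a property of the length and character set only, so it is a ceiling for any password of that shape, while the distance between that ceiling and reality depends on how well the cracker's patterns match the way the password was chosen, which the keyspace calculation cannot express.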
