Educause Security Discussion mailing list archives

Re: Password entropy


From: Graham Toal <gtoal () UTPA EDU>
Date: Mon, 24 Jul 2006 08:46:14 -0500

From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
On Fri, 21 Jul 2006 08:26:59 CDT, Graham Toal said:
I'm not really clear on the "entropy" concept but it has something to
do with the pattern?

I'm not sure it's the right word in this context, but I believe this
is what they're talking about:

Actually, it *is* the right word, and you're basically 
correct but managed to avoid saying *why* you're correct...

It was only a nitpick; coming from a compression background,
I would have described this as Shannon's "information content"
rather than entropy.  They're equivalent, but one is a degree
of order and the other is a degree of disorder :-)

Good writeup by the way, one for the FAQ.

From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU] 

Does only English suffer from this problem, and would it make 
a stronger passphrase to use one non-English word in your phrase?

Actually I've done some stats on things like this because one of
my hobbies is word gaming, and English is a little higher than many
languages because we're more of a bastard language than most, with
many loan words and a language derived from several other languages
(we have words with Latin roots, Germanic roots, and sometimes French-,
Italian- and Spanish-derived versions of the same word!)  However in
this context it is irrelevant, because unless you are doing a wholly
enumerated attack (e.g. rainbow tables, attacking words rather than
phrases) what the hackers are doing is working from word lists, and
believe me there are extensive word lists available on the net for
almost every language you can think of.  I was quite disappointed the
day I found a Gaelic word list on the net and had to change all my
passwords :-/  (That was some time back; I don't use plain words
any more.)

They generally throw all the word lists together into one big
multi-lingual melting pot, so mixing languages doesn't really help,
sorry.

I already assume that one misspelling or other non-dictionary portion
of the phrase really adds considerable strength.

Not really, because the password cracking programs typically take
their dictionary words, and apply 1 or 2 misspellings to them.
If you use a commonly-known system of misspelling (or rather rewriting)
such as '1337-speak', they'll handle them in almost no extra time.

From: Paul Russell [mailto:prussell () ND EDU] 
Much of this discussion seems to have focused on the lack of 
entropy in English-language words and phrases. Both suffer 
from the predictability of letter sequences. Does entropy 
increase if the 'word' consists of the first (or last) 
letters of a phrase? Does it increase further if 
non-alphabetic characters are substituted for letters?

Only until hackers start using programs which have a database
of well-known phrases.  I would imagine that currently, any famous
quotation would be hackable (even though there may not yet be a
program to do so) because there are lots of databases of famous
quotations on the net; as more works of literature are scanned
and put online, I would expect the pass phrase to lose value
just as the keyword has.  Maybe it has another 10 years ahead of
it but not much more.

And no, if a hacker has a database containing your phrase, neither
choosing the first nor the last letter of each word is going to
help.  Their cracking program will undoubtedly try both.


Graham
