Educause Security Discussion mailing list archives
Re: Password entropy
From: Graham Toal <gtoal () UTPA EDU>
Date: Mon, 24 Jul 2006 08:46:14 -0500
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
On Fri, 21 Jul 2006 08:26:59 CDT, Graham Toal said:
> I'm not real clear on the "entropy" concept but it has something to do with the pattern?
> I'm not sure it's the right word in this context, but I believe this is what they're talking about:
Actually, it *is* the right word, and you're basically correct but managed to avoid saying *why* you're correct...
It was only a nitpick; coming from a compression background, I would have described this as Shannon's "information content" rather than entropy. They're equivalent, but one is a degree of order and the other is a degree of disorder :-) Good writeup by the way, one for the FAQ.
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Does only English suffer from this problem, and would it make a stronger passphrase to use one non-English word in your phrase?
Actually I've done some stats on things like this because one of my hobbies is word gaming, and English is a little higher than many languages because we're more of a bastard language than most, with many loan words and a language derived from several other languages (we have words with Latin roots, Germanic roots, and sometimes French, Italian and Spanish derived versions of the same word!) However in this context it is irrelevant, because unless you are doing a wholly enumerated attack (e.g. rainbow tables, attacking words rather than phrases) what the hackers are doing is working from word lists, and believe me there are extensive word lists available on the net for almost every language you can think of. I was quite disappointed the day I found a Gaelic word list on the net and had to change all my passwords :-/ (that was some time back, I don't use plain words any more) They generally throw all the word lists together into one big multi-lingual melting pot, so mixing languages doesn't really help, sorry.
I already assume that one misspelling or other non-dictionary portion of the phrase really adds considerable strength.
Not really, because the password cracking programs typically take their dictionary words, and apply 1 or 2 misspellings to them. If you use a commonly-known system of misspelling (or rather rewriting) such as '1334-speak, they'll handle them in almost no extra time.
From: Paul Russell [mailto:prussell () ND EDU] Much of this discussion seems to have focused on the lack of entropy in English-language words and phrases. Both suffer from the predictability of letter sequences. Does entropy increase if the 'word' consists of the first (or last) letters of a phrase? Does it increase further if non-alphabetic characters are substituted for letters?
Only until hackers start using programs which have a database of well-known phrases. I would imagine that currently, any famous quotation would be hackable (even though there may not yet be a program to do so) because there are lots of databases of famous quotations on the net; as more works of literature are scanned and put online, I would expect the pass phrase to lose value just as the keyword has. Maybe it has another 10 years ahead of it but not much more. And no, if a hacker has a database containing your phrase, neither choosing the first nor the last letter of each word is going to help. Their cracking program will undoubtedly try both.

Graham
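The thread's argument (a word with a couple of misspellings or 1337-style substitutions, or the first/last letters of a known quotation, is far weaker than a naive character-count estimate suggests) can be made concrete with a small guess-space estimator. The following is an added illustration written for this archive page, not code from Graham Toal or any list member: it compares the naive "charset ^ length" entropy of a candidate with the size of the search an attacker who works from a word list plus mangling rules would actually need. The word list, the quotation list, the leet-substitution map and the assumed attacker database sizes (one million words, one hundred thousand quotations) are all constructed for the example; a real strength checker would use real lists.

```python
"""Guess-space estimator illustrating why dictionary words with edits,
leet substitutions, and phrase acronyms are weaker than they look.
Added example for this page; all lists and sizes below are constructed."""
import math
import string

# Constructed toy inputs standing in for an attacker's merged word list
# and quotation database (assumption: the real lists are far larger).
WORD_LIST = {"password", "dragon", "monkey", "letmein",
             "sunshine", "welcome", "football", "gaelic"}
QUOTATIONS = [
    "to be or not to be that is the question",
    "four score and seven years ago",
    "the quick brown fox jumps over the lazy dog",
]
ATTACKER_WORDS = 1_000_000   # assumed size of a multilingual word list
ATTACKER_QUOTES = 100_000    # assumed size of a famous-quotation database

# Common leet substitutions a mangling rule set would try (constructed map).
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}


def unleet(s: str) -> str:
    """Undo leet substitutions and lowercase, recovering the base word."""
    return "".join(LEET.get(c, c) for c in s.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of misspellings between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def naive_bits(pw: str) -> float:
    """The optimistic estimate: log2(charset size) * length."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(size) if size else 0.0


def acronyms(phrase: str) -> set:
    """First-letter and last-letter acronyms of a phrase (both get tried)."""
    words = phrase.split()
    return {"".join(w[0] for w in words), "".join(w[-1] for w in words)}


def attacker_bits(pw: str) -> tuple:
    """log2 of the guesses a list-plus-rules attacker needs, and why."""
    base = unleet(pw)
    # Each leet-able character doubles the variants a rule set must cover.
    leet_choices = sum(1 for c in pw.lower() if c in LEET)
    # 1. A dictionary word with up to two edits ("1 or 2 misspellings").
    d = min(edit_distance(base, w) for w in WORD_LIST)
    if d <= 2:
        n = len(base)
        single = 54 * n + 26  # 25n substitutions + n deletions + 26(n+1) insertions
        guesses = ATTACKER_WORDS * (single ** d) * (2 ** leet_choices)
        return math.log2(guesses), f"dictionary word, {d} edit(s)"
    # 2. First or last letters of a phrase in the quotation database.
    if any(base in acronyms(q) for q in QUOTATIONS):
        guesses = ATTACKER_QUOTES * 2 * (2 ** leet_choices)
        return math.log2(guesses), "acronym of a known phrase"
    # 3. No shortcut: fall back to the brute-force estimate.
    return naive_bits(pw), "no shortcut found"


if __name__ == "__main__":
    for candidate in ("Dr4g0n", "Dragonn", "tbontbtitq", "xq9$Lw2Vbr"):
        bits, reason = attacker_bits(candidate)
        print(f"{candidate:12} naive {naive_bits(candidate):5.1f} bits, "
              f"attacker {bits:5.1f} bits ({reason})")
```

Running the demo shows the gap the thread describes: "Dr4g0n" looks like roughly 36 bits under the naive model but is about 22 bits against a word list with a leet rule, and the ten-letter acronym "tbontbtitq" drops from 47 bits to under 18 once the attacker has a quotation database. Only the random string keeps its naive estimate.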