Educause Security Discussion mailing list archives

Re: Password entropy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 25 Jul 2006 10:39:15 -0700

 
So, just to be clear, a 12 character passphrase, depending on 
the distribution of special characters, capitalization, etc. 
is likely to fall into the 80 bit "strong enough" bucket.  Yes?

 Keep in mind there are different ways to do this math. Valdis brought
up one method -- measurement by bits of entropy, so we'll use that (the
SANS spreadsheet uses a different method that has nothing to do with
entropy).

 Bits are '0' or '1'. In math this is a base of '2'. 8 bits are in a
byte, and thus our total combinations are 2^8 = 256. For *one character*
to have 6 bits of entropy (e.g. that one character could be any
lowercase, uppercase, or number), the math is 2^6 = 64.  

 This at first seems strange, because we think that every character is a
byte! So, how can we talk about one character being less than a byte?
Our total combinations in the byte are 256 (2^8), but the ASCII
character table is pretty small: it does not use all that space.
Further, some of what it uses are control characters, etc. 

 Your example of 95 total characters (*all* 33 symbols added) is really
the full ASCII character table as we know it. We can thus say this is
represented by 6.5 bits.

 Traditional password advice relies on the math where 6.5 bits (e.g.
encompassing all 95 characters) x an 8 character length = 52 bits of
entropy. Traditionally, this was seen as strong. If you move that out 12
characters, you have 12 x 6.5 = "78 bits of entropy".

 Now, math gives us bigger numbers than reality, and we've talked about
this a bunch, and it is a tough thing to figure out. The math assumes
you have pure randomness, so we are talking about some nasty looking 12
character passwords with periods, pipes, brackets, etc. If you just tell
users to pick "one symbol, one number, etc", users will pick passwords
where that 6.5 bits of randomness is more like 4 bits. As I said, if you
are looking for real strength in passwords, two-factor authentication is
the way to go. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College

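The entropy arithmetic in the message above (bits per character = log2 of the alphabet size, total bits = length x bits per character), together with its warning that policy-driven user choices deliver far less than the arithmetic suggests, worked through as an added example. This is not code from the thread or from Educause; the 95-character set is printable ASCII including space (26 + 26 + 10 + 33), the "naive" estimator that credits every character class present is a common rule of thumb, and the pattern model for a policy-compliant user choice (a word from an assumed 10,000-word list, optional capitalisation, a four-digit year from an assumed window of 100, one of 10 common trailing symbols) is an assumption made here for illustration:

```python
import math
import secrets
import string

# 95 printable ASCII characters: letters, digits, 32 punctuation marks, and space
# (the email's "33 symbols" counts space as a symbol).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Character classes used by the naive "credit every class present" estimator.
CLASSES = [
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation + " "),
]


def bits_per_char(alphabet_size):
    """Entropy of one character drawn uniformly from an alphabet of the given size."""
    return math.log2(alphabet_size)


def random_password_entropy(alphabet_size, length):
    """Entropy of `length` characters, each chosen uniformly and independently.

    This is the figure the email computes: 8 x log2(95) ~ 52.6, 12 x log2(95) ~ 78.8.
    It only holds for truly random passwords (e.g. from generate_random_password).
    """
    return length * bits_per_char(alphabet_size)


def naive_entropy(password):
    """Rule-of-thumb estimate that pools every character class present in the
    password and pretends each position was drawn uniformly from that pool.
    It rewards "Summer2006!" as if it were a random 11-character string."""
    pool = sum(len(chars) for _name, chars in CLASSES
               if any(c in chars for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def pattern_entropy(choices_per_slot):
    """Entropy of a password assembled by independently picking one option per slot.

    choices_per_slot lists how many equally likely options each slot has,
    e.g. [10000, 2, 100, 10] for word / capitalised? / year / symbol.
    """
    return sum(math.log2(n) for n in choices_per_slot)


# Assumed model of what users produce under "one upper, one digit, one symbol":
# dictionary word (10,000 candidates) x capitalised or not (2) x a recent year (100)
# x one of 10 favourite symbols. These slot sizes are illustrative assumptions.
POLICY_PATTERN = [10_000, 2, 100, 10]


def effective_bits_per_char(total_bits, length):
    """Spread a password's real entropy over its characters, to compare with log2(95)."""
    return total_bits / length


def generate_random_password(length, alphabet=PRINTABLE):
    """Password whose entropy really is length x log2(len(alphabet)); uses a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for size in (26, 36, 62, 95):
        print(f"alphabet {size:3d}: {bits_per_char(size):.2f} bits/char, "
              f"8 chars = {random_password_entropy(size, 8):.1f} bits, "
              f"12 chars = {random_password_entropy(size, 12):.1f} bits")

    sample = "Summer2006!"  # constructed example of a policy-compliant user choice
    naive = naive_entropy(sample)
    modelled = pattern_entropy(POLICY_PATTERN)
    print(f"{sample!r}: naive estimate {naive:.1f} bits, "
          f"pattern-model estimate {modelled:.1f} bits "
          f"(~{effective_bits_per_char(modelled, len(sample)):.1f} bits/char)")
    print("truly random 12-char password:", generate_random_password(12))
```

Running it shows the gap the email describes: a 12-character random string from all 95 characters sits near 79 bits, while a policy-compliant user choice like "Summer2006!" scores about 72 bits under the naive estimator but only about 24 bits under the pattern model, around 2 bits per character rather than 6.5.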