Re: How to determine passphrase entropy?

"Joseph Ashwood" <ashwood@xxxxxxx> writes:
> While a perfect number is impossible, if you have a large enough set
> of users you can check the passwords against each other, this gives a
> distribution for general purposes.

That doesn't make any sense. Each person picks a password from their
own distribution. You can't usefully treat them as being drawn from one
monstrous distribution. There's a bunch of cheesy tests you can use to
filter out obviously bad passwords, but in the end if you're running a
high-security application, you simply can't rely on passwords for
authentication. If you're running a casual web forum or the like, you
don't have to worry too much about password entropy.

Also, checking passwords against each other isn't so good since it means
you're storing them as unsalted hashes or even in the clear.
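Added example (mine, not code from anyone in this thread) illustrating the last point: a credential store that lets you compare users' passwords against each other must hold them as unsalted digests or in the clear, and the same comparison that finds shared passwords is what an attacker who obtains the store gets for free. With a per-user random salt and PBKDF2 the cross-user comparison finds nothing, while login verification still works. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample credential store (not real accounts): bob and carol
# happen to share a password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations).hex()


def store_unsalted(users: dict) -> dict:
    """user -> digest; the layout that makes cross-user comparison possible."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """user -> (salt, digest); each user gets a fresh 16-byte salt."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def shared_password_groups(digests: dict) -> list:
    """Group users whose stored digests are byte-identical.

    With unsalted digests this exposes every shared password; with salted
    digests it finds nothing, which is exactly why salting is used.
    """
    by_digest = defaultdict(set)
    for user, digest in digests.items():
        by_digest[digest].add(user)
    return sorted((group for group in by_digest.values() if len(group) > 1),
                  key=lambda s: sorted(s))


def verify_salted(store: dict, user: str, candidate: str) -> bool:
    """Salting does not hinder login: recompute with the stored salt."""
    salt, digest = store[user]
    return hmac.compare_digest(salted_hash(candidate, salt), digest)


if __name__ == "__main__":
    print("unsalted store, shared passwords:",
          shared_password_groups(store_unsalted(USERS)))
    salted = store_salted(USERS)
    print("salted store, shared passwords:  ",
          shared_password_groups({u: d for u, (_, d) in salted.items()}))
    print("bob logs in with correct password:",
          verify_salted(salted, "bob", "hunter2"))
```

Run as-is: the unsalted store reports bob and carol as sharing a password, the salted store reports no groups, and bob's login still verifies. Any password-quality check that needs cross-user comparison is therefore best done at the moment a password is set, against the plaintext the user just typed, rather than against what is stored afterwards.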
