Re: How to determine passphrase entropy?
- From: Paul Rubin <no.email@xxxxxxxxxxxxxx>
- Date: Mon, 24 May 2010 00:57:06 -0700
"Joseph Ashwood" <ashwood@xxxxxxx> writes:
> While a perfect number is impossible, if you have a large enough set
> of users you can check the passwords against each other, this gives a
> distribution for general purposes.
That doesn't make any sense. Each person picks a password from their
own distribution. You can't usefully treat them as being drawn from one
monstrous distribution. There's a bunch of cheesy tests you can use to
filter out obviously bad passwords, but in the end if you're running a
high-security application, you simply can't rely on passwords for
authentication. If you're running a casual web forum or the like, you
don't have to worry too much about password entropy.
Also, checking passwords against each other isn't so good since it means
you're storing them as unsalted hashes or even in the clear.
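
The storage point in the last paragraph, as an added example that is not part of the original post: with bare unsalted hashes a comparison of stored records reveals which users share a password, while per-user salts make equal passwords produce unrelated records, so the cross-user check has nothing to compare. The account names, passwords, function names and PBKDF2 iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the post); two users share a password.
USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def store_unsalted(users):
    """One bare SHA-256 digest per user: equal passwords give equal records."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users):
    """(salt, PBKDF2-HMAC-SHA256) per user, with a fresh random 16-byte salt."""
    records = {}
    for user, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        records[user] = (salt, digest)
    return records


def shared_password_groups(stored):
    """Group users whose stored record is identical.

    This is everything a comparison of stored records can reveal."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)


def verify_salted(records, user, candidate):
    """Login still works with salts: recompute using that user's own salt."""
    salt, digest = records[user]
    attempt = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    print("unsalted:", shared_password_groups(store_unsalted(USERS)))
    salted = store_salted(USERS)
    print("salted:  ", shared_password_groups(salted))
    print("login ok:", verify_salted(salted, "carol", "correct horse"))
```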