Re: How to determine passphrase entropy?
 From: MokKong Shen <mokkong.shen@xxxxxxxxxxx>
 Date: Mon, 24 May 2010 23:58:08 +0200
unruh wrote:
The question is not "what is the entropy of the passwords as an abstract
exercise" buti" what is the password entropy given the attacker's paln of
attack." Ie, it is more about the attaker. Thus if a user uses
AvjU7^%hJrtM
as their password, and the attacker has a strategy which chooses that as
as the first password to try, it has extremely low entropy given the
attacker's strategy.
Or course it is pretty unlikely that the attacker's strategy will pick
it as the first try. (unless the user for example published it on their
web page.)
The key is that there is not "entropy of a password". One can only make
reasonable assumptions about the attacker's strategy and hope it is not
too far out. Given those assumptions one can estimate the entropy.
Also, checking passwords against each other isn't so good since it means
you're storing them as unsalted hashes or even in the clear.
If there is not "entropy of a password", could there be "entropy of a
message in general"? I am afraid that the existence nonexistence
of both are somehow tightly related.
M. K. Shen
.
 FollowUps:
 Re: How to determine passphrase entropy?
 From: Phoenix
 Re: How to determine passphrase entropy?
 From: unruh
 Re: How to determine passphrase entropy?
 From: Gordon Burditt
 Re: How to determine passphrase entropy?
 References:
 How to determine passphrase entropy?
 From: Nomen Nescio
 Re: How to determine passphrase entropy?
 From: Joseph Ashwood
 Re: How to determine passphrase entropy?
 From: Paul Rubin
 Re: How to determine passphrase entropy?
 From: unruh
 How to determine passphrase entropy?
 Prev by Date: Re: How to determine passphrase entropy?
 Next by Date: Re: How to determine passphrase entropy?
 Previous by thread: Re: How to determine passphrase entropy?
 Next by thread: Re: How to determine passphrase entropy?
 Index(es):
Relevant Pages
