Re: How to determine passphrase entropy?



unruh wrote:

The question is not "what is the entropy of the passwords as an abstract
exercise" buti" what is the password entropy given the attacker's paln of
attack." Ie, it is more about the attaker. Thus if a user uses
AvjU7^%hJrtM
as their password, and the attacker has a strategy which chooses that as
as the first password to try, it has extremely low entropy given the
attacker's strategy.

Or course it is pretty unlikely that the attacker's strategy will pick
it as the first try. (unless the user for example published it on their
web page.)
The key is that there is not "entropy of a password". One can only make
reasonable assumptions about the attacker's strategy and hope it is not
too far out. Given those assumptions one can estimate the entropy.
Also, checking passwords against each other isn't so good since it means
you're storing them as unsalted hashes or even in the clear.

If there is not "entropy of a password", could there be "entropy of a
message in general"? I am afraid that the existence non-existence
of both are somehow tightly related.

M. K. Shen


.



Relevant Pages

  • Re: /dev/random on Linux
    ... things that cryptographers look for when attacking a cipher. ... of the form, "assume that the attack gains access to the pool, but has ... add_timer_randomnessfrom the extract entropy code. ... The only reason why the generic attack ...
    (Linux-Kernel)
  • Re: /dev/random on Linux
    ... things that cryptographers look for when attacking a cipher. ... of the form, "assume that the attack gains access to the pool, but has ... add_timer_randomnessfrom the extract entropy code. ... The only reason why the generic attack ...
    (Linux-Kernel)
  • Re: strengthening /dev/urandom
    ... While it may use crypto to "mix the pool" and to ... distill entropy in the input it should not depend on ... If I can use this data in an attack, ... assume that AES whatever is NOT secure. ...
    (sci.crypt)
  • Re: strengthening /dev/urandom
    ... If I can use this data in an attack, ... "Blocking on more entropy input exposes traffic analysis of event ... "Assuming AES256/SHA256 are secure is a bad judgment." ... > a hobby, not a crypto expert. ...
    (sci.crypt)
  • Re: new /dev/random
    ... > is said to contain 40 bits of entropy if I could, ... > efficient attack would be to try the exhaustive search on the seed. ... > than the PRNG: evolution of computer science (the robustness of the ... > because, for a given length of random bits requested, the RNG will have ...
    (sci.crypt)