# Re: How to determine passphrase entropy?

*From*: unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx>
*Date*: Mon, 24 May 2010 21:38:31 GMT

On 2010-05-24, Paul Rubin <no.email@xxxxxxxxxxxxxx> wrote:

> "Joseph Ashwood" <ashwood@xxxxxxx> writes:
>
>> While a perfect number is impossible, if you have a large enough set
>> of users you can check the passwords against each other, this gives a
>> distribution for general purposes.
>
> That doesn't make any sense. Each person picks a password from their
> own distribution. You can't usefully treat them as being drawn from one
> monstrous distribution. There's a bunch of cheesy tests you can use to
> filter out obviously bad passwords, but in the end if you're running a
> high-security application, you simply can't rely on passwords for
> authentication. If you're running a casual web forum or the like, you
> don't have to worry too much about password entropy.

The question is not "what is the entropy of the passwords as an abstract
exercise" but "what is the password entropy given the attacker's plan of
attack." Ie, it is more about the attacker. Thus if a user uses

AvjU7^%hJrtM

as their password, and the attacker has a strategy which chooses that as
the first password to try, it has extremely low entropy given the
attacker's strategy.

Of course it is pretty unlikely that the attacker's strategy will pick
it as the first try. (unless the user for example published it on their
web page.)

The key is that there is not "entropy of a password". One can only make
reasonable assumptions about the attacker's strategy and hope it is not
too far out. Given those assumptions one can estimate the entropy.

Also, checking passwords against each other isn't so good since it means
you're storing them as unsalted hashes or even in the clear.
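The distinction unruh draws, between the "abstract exercise" number and the entropy relative to an assumed attacker, can be made concrete by ranking a password within an attacker's guess order. The code below is an added illustration, not part of the thread; the attacker model (`attacker_strategy`: strings already known about the user, then a tiny constructed common-password list, then bounded lowercase brute force) and the helper names are assumptions for the example.

```python
import math
import string
from itertools import product
from typing import Iterable, Iterator, List, Optional

# Constructed, tiny stand-in for a common-password list (an assumption, not a real list).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def naive_entropy_bits(password: str) -> float:
    """The 'abstract exercise' number: log2(alphabet_size ** length), where the
    alphabet is the union of the character classes the password actually uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def attacker_strategy(known_strings: List[str], max_brute_len: int = 4) -> Iterator[str]:
    """A constructed attacker model, yielded in guess order: strings the attacker
    already knows about this user (e.g. something they published), then the
    common-password list, then bounded brute force over lowercase letters."""
    seen = set()
    for guess in list(known_strings) + COMMON_PASSWORDS:
        if guess not in seen:
            seen.add(guess)
            yield guess
    for length in range(1, max_brute_len + 1):
        for chars in product(string.ascii_lowercase, repeat=length):
            guess = "".join(chars)
            if guess not in seen:      # don't count a guess twice
                yield guess


def guess_rank(password: str, strategy: Iterable[str]) -> Optional[int]:
    """1-based position of the password in the attacker's guess order,
    or None if this strategy never tries it."""
    for rank, guess in enumerate(strategy, start=1):
        if guess == password:
            return rank
    return None


def entropy_given_strategy(password: str, strategy: Iterable[str]) -> Optional[float]:
    """Entropy relative to the attacker: log2 of the number of guesses needed.
    A first-guess hit is 0 bits; None means the strategy never finds it."""
    rank = guess_rank(password, strategy)
    return None if rank is None else math.log2(rank)
```

For `AvjU7^%hJrtM`, `naive_entropy_bits` gives about 78.7 bits and `entropy_given_strategy` with `attacker_strategy([])` gives None (this attacker never reaches it), but `attacker_strategy(["AvjU7^%hJrtM"])`, the attacker who read it on the user's web page, gives 0 bits.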

**Follow-Ups**:

- Re: How to determine passphrase entropy? *From:* Paul Rubin
- Re: How to determine passphrase entropy? *From:* Mok-Kong Shen

**References**:

- How to determine passphrase entropy? *From:* Nomen Nescio
- Re: How to determine passphrase entropy? *From:* Joseph Ashwood
- Re: How to determine passphrase entropy? *From:* Paul Rubin
