Re: How to determine passphrase entropy?



On 2010-05-24, Paul Rubin <no.email@xxxxxxxxxxxxxx> wrote:
"Joseph Ashwood" <ashwood@xxxxxxx> writes:
While a perfect number is impossible, if you have a large enough set
of users you can check the passwords against each other, this gives a
distribution for general purposes.

That doesn't make any sense. Each person picks a password from their
own distribution. You can't usefully treat them as being drawn from one
monstrous distribution. There's a bunch of cheesy tests you can use to
filter out obviously bad passwords, but in the end if you're running a
high-security application, you simply can't rely on passwords for
authentication. If you're running a casual web forum or the like, you
don't have to worry too much about password entropy.


The question is not "what is the entropy of the passwords as an abstract
exercise" but "what is the password entropy given the attacker's plan of
attack." Ie, it is more about the attacker. Thus if a user uses
AvjU7^%hJrtM
as their password, and the attacker has a strategy which chooses that as
the first password to try, it has extremely low entropy given the
attacker's strategy.

Of course it is pretty unlikely that the attacker's strategy will pick
it as the first try (unless the user for example published it on their
web page).
The key is that there is not "entropy of a password". One can only make
reasonable assumptions about the attacker's strategy and hope it is not
too far out. Given those assumptions one can estimate the entropy.
Also, checking passwords against each other isn't so good since it means
you're storing them as unsalted hashes or even in the clear.
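As an added example (not code from the thread), a small Python model of the point made above: the same password gets a very different entropy estimate depending on which attacker strategy you assume. The attacker model here is an assumption: an ordered wordlist tried first (a constructed stand-in for leaked or dictionary data), then exhaustive search over a character set, shortest strings first; the entropy estimate is log2 of the guess number at which that attacker reaches the password.

```python
import math

LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
# Constructed 70-symbol character set used by the brute-force stage.
ALNUM_SYM = LOWER + LOWER.upper() + DIGITS + "!@#$%^&*"


def guess_number(password, wordlist, alphabet, max_len=12):
    """1-based position at which this attacker model tries `password`,
    or None if the password lies outside the model's search space."""
    # Stage 1: the attacker's ordered wordlist (highest-probability guesses).
    if password in wordlist:
        return wordlist.index(password) + 1
    offset = len(wordlist)
    # Stage 2: brute force over `alphabet`, all shorter strings first,
    # lexicographic order (by alphabet position) within one length.
    if len(password) > max_len or any(ch not in alphabet for ch in password):
        return None
    n = len(alphabet)
    for length in range(1, len(password)):
        offset += n ** length          # every shorter string is tried first
    rank = 0                           # mixed-radix rank within this length
    for ch in password:
        rank = rank * n + alphabet.index(ch)
    return offset + rank + 1


def entropy_bits(password, wordlist, alphabet):
    """Entropy estimate relative to the attacker model: log2(guess number).
    This is a guesswork proxy, not Shannon entropy of the user's choice."""
    g = guess_number(password, wordlist, alphabet)
    return None if g is None else math.log2(g)


if __name__ == "__main__":
    pw = "AvjU7^%hJrtM"
    # Attacker A never saw the password: only common strings, then brute force.
    attacker_a = ["password", "123456", "qwerty"]
    # Attacker B found it published (constructed scenario from the thread).
    attacker_b = ["password", "123456", pw]
    for name, wl in (("A", attacker_a), ("B", attacker_b)):
        print(f"attacker {name}: guess #{guess_number(pw, wl, ALNUM_SYM)}, "
              f"{entropy_bits(pw, wl, ALNUM_SYM):.2f} bits")
```

Under attacker A the password costs on the order of 72 bits of search; under attacker B it is the third guess, about 1.6 bits.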


