Kieran Clancy claims 6-7 bits of entropy per password character. If the password is vaguely memorable this is ridiculous: Applied Cryptography quotes various sources claiming that English is ~1 bit per character, with a small range depending on the sort of text involved.
Passwords might be a bit more difficult, but 2 bits/character is probably optimistic. If you use pronounceable nonsense then there will be patterns like th, po, ou, rarely having 3 or more consecutive vowels, etc.
Maybe Kieran Clancy can remember truly random passwords, which might have 6 bits/character but I, and most of the rest of the world, can't.
Posted Jun 15, 2012 2:36 UTC (Fri) by codebeard (guest, #63144)
Kieran here. Can't view the main article for it, so this may have already been discussed there.
For what it's worth, most of the passwords I use are truly random. But yes, of course using any weak password is a poor choice.
The Applied Cryptography sources you mention are probably using the theory published by NIST, which has been shown to be fundamentally flawed for real-world passwords [1]. According to NIST, the first character is worth about 4 bits, the next seven characters around 2 bits and it drops after that. Fortunately, in the real world things are a bit better (pun intended).
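The three ways of crediting entropy argued over in this thread can be put side by side. The script below is an added example, written for this page and not posted by either commenter. The uniform-random model and the 1 bit/char and 2 bits/char text rates come straight from the thread; the NIST heuristic's first two rules (4 bits for the first character, 2 bits each for the next seven) are as quoted above, while the tail rates (1.5 bits each for characters 9-20, 1 bit each beyond) and the 6-bit composition-rule bonus follow NIST SP 800-63's appendix as I recall it and should be treated as this example's assumption; the dictionary-check bonus is omitted. The sample passwords are constructed.

```python
import math
import string

# --- Model 1: truly random characters (the "6-7 bits per character" view).
# A character drawn uniformly from an alphabet of N symbols is worth log2(N)
# bits, so the alphabet is inferred from the character classes the password uses.
def alphabet_size(pw: str) -> int:
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in pw))

def uniform_random_bits(pw: str) -> float:
    # 94-symbol alphabet -> log2(94) ~= 6.55 bits per character
    return len(pw) * math.log2(alphabet_size(pw))

# --- Model 2: the NIST SP 800-63 heuristic for user-chosen passwords.
# Rules 1 and 2 are the ones quoted in the thread; the tail rates and the
# composition bonus are assumptions of this example (from the appendix as I
# recall it). The dictionary-check bonus is deliberately left out.
def nist_bits(pw: str, composition_rule: bool = False) -> float:
    bits = 0.0
    for position in range(1, len(pw) + 1):
        if position == 1:
            bits += 4.0          # first character: 4 bits
        elif position <= 8:
            bits += 2.0          # characters 2..8: 2 bits each
        elif position <= 20:
            bits += 1.5          # characters 9..20: 1.5 bits each (assumed)
        else:
            bits += 1.0          # characters 21+: 1 bit each (assumed)
    if composition_rule:
        bits += 6.0              # upper case + non-alpha required (assumed bonus)
    return bits

# --- Model 3: flat per-character rates for memorable text, using the figures
# the thread mentions: ~1 bit/char for English prose (the Applied Cryptography
# figure) and ~2 bits/char as an optimistic ceiling for pronounceable nonsense.
ENGLISH_BITS_PER_CHAR = 1.0
PRONOUNCEABLE_BITS_PER_CHAR = 2.0

def text_bits(pw: str, bits_per_char: float) -> float:
    return len(pw) * bits_per_char

# Bits -> size of the search space an offline guessing attack must cover.
def search_space(bits: float) -> float:
    return 2.0 ** bits

def compare(pw: str) -> dict:
    """Entropy credited to one password under each model, in bits."""
    return {
        "uniform_random": uniform_random_bits(pw),
        "nist_heuristic": nist_bits(pw),
        "english_1bpc": text_bits(pw, ENGLISH_BITS_PER_CHAR),
        "pronounceable_2bpc": text_bits(pw, PRONOUNCEABLE_BITS_PER_CHAR),
    }

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for pw in ("g7#Qz!m2Rp@k", "correcthorsebattery", "thopoulash"):
        print(pw)
        for model, bits in compare(pw).items():
            print(f"  {model:>20}: {bits:6.1f} bits  (~2^{bits:.0f} guesses)")
```

The point the numbers make is that the uniform-random figure is only meaningful for a password that actually was drawn at random: the 12-character sample gets about 79 bits under that model but only 24 under the NIST heuristic, and applying log2(26) per character to `correcthorsebattery` credits it with ~89 bits that no dictionary-aware attacker has to search. Whichever model you pick, the output is an upper bound on the guesses an attacker needs, so a policy built on the uniform figure overestimates the strength of anything a human chose.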