What about 20 characters? [LWN.net]

What about 20 characters?

Posted Jan 24, 2004 6:23 UTC (Sat) by obobo (guest, #684)
In reply to: What about 20 characters? by paulsheer
Parent article: A weak cryptoloop implementation in Linux?

Typical entropy for text is about one bit per character, IIRC. That is taking into account correlations between adjacent words, etc. Granted that it is probably somewhat higher for short text fragments, but still... a dictionary of 2^40 passphrases would be rather potent for cracking 20 character text-fragment based passwords.

to post comments

What about 20 characters?

Posted Feb 2, 2004 15:47 UTC (Mon) by lars_stefan_axelsson (guest, #10660) [Link]

Typical entropy for text is about one bit per character, IIRC. That is taking into account correlations between adjacent words, etc. Granted that it is probably somewhat higher for short text fragments, but still... a dictionary of 2^40 passphrases would be rather potent for cracking 20 character text-fragment based passwords.

Well, the estimates of the entropy of 'typical' English texts range from anywhere between 1.0 and 2.63 (One of Shannon's estimates), and 2.0 would give you 40 bits. However, and that's a big 'however' IMHO, we're not talking typical English text, but a passphrase. Password entropy can easily be 4 bits per character without having to remember a 'random' password, and there's no reason not to choose a passphrase consisting of several 'password like' words strung together.

That ought to give you a decent passphrase with sufficient entropy in 20 characters.

I'm ignoring the general hopelessness of the entire subject of passwords, of course. But if you're savy enough to be able to use loopback encryption, and sufficiently bothered by secrecy issues to bother, you ought to be able to come up with a decent passphrase and commit it to memory.