![]() A method to generate a password has entropy. If it's just giving users an idea of how strong their password is, then taking an approach where you look at length/character set initially and then reduce the strength estimate for strings within it (such as words, common patterns, their username, etc) like existing tools (such as KeePass) do could work.īut is giving them a number sensible here? Does a user care than their password has an estimated entropy of 57.23 bits vs 53.86 bits? Can they make a meaningful decision based on that information? Is the difference between your password taking 500 trillion years and 600 trillion years to crack with some arbitrary work factor (because you're using a decent hashing algorithm) relevant? So I'd question what the problem is that you're really trying to solve. But if that password was set by a guy called Robert on his first (Mon)day working at Amazon, then that completely changes the situation. On the face of it, it's three "random" words, so you can have a guess at the entropy based on your assumptions about the average size of someone's vocabulary. Imagine a password like RobertAmazonMonday. ![]() And this is especially true when the only information you have is the password itself. There isn't really a "true" level of entropy for passwords - all you can ever do is estimate. I know nobody but us cares about entropy. Keeping in mind I'm after entropy only so to give users a cost-to-crack estimate. What metrics could be used to calculate human-created passwords so the result is much less secure looking than machine randoms? But I need to hear from the pros and looking for other ideas. I tried using log(pow(2500, 4))/log(2) => 4 words, 2500 possible combinations based on people using easier-to-remember words, as a percentage of the average human vocabulary of about 20,000 and this gave a resulting entropy of 45.15. Obviously, this would not be a good estimation. Human created non-random - isAwtheSUN = 57.37 bits entropy Issue with standard password entropy calc methods:ġPassword machine random - rmrgKDAyeY = 57.37 bits entropy The trouble is some human passwords seem stronger than machine crypto random: Now machine random has its own set of entropy calculation issues such as whether it is a totally random sequence, is it a symbol-separated word sequence chosen from a 307,111 word list, etc, etc. ![]() I will give users a switch to flip, whether the password is human-created or machine random. Here is a common problem which leads to my question, password entropy. I think this can communicate well to users in a way that is real to them. I want to calculate and communicate users' password entropy by cost to crack in the same way 1Password has here. ![]() I also want to give a ROUGH metric in addition to the strength tester. This one, which I've copied (with minor adjustments). I am including a fairly good password strength algorithm for my app for users on sign-up. Okay, I know it might seem this has already been beaten to death but, hear me out. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |