科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion content.
Entropy isn't sufficient to measure password strength

34 points, by benwr, over 3 years ago

15 comments

bigiain, over 3 years ago

> Because choosing good passwords is about memorableness as well as sheer strength

That's not been true ever since the development of good password managers. There are fewer than 10 passwords I remember. One of them is my password manager's master passphrase (5 misspelled-and-with-random-punctuation words). The others include stuff like my work and home laptop/disk passwords, which I can't autofill, my 3 important banking passwords which I do not even entrust to my password manager, and my AppleID password because iOS is annoying enough at asking for that that I'm using one I can remember.

The other ~600 entries in my password manager are 25 random characters (or whatever the upper limit of password length is for sites/services that are 'doin it wrong').

bell-cot, over 3 years ago

Maybe I just don't have trendy-enough coworkers or friends... but I know of no one who actually analyzes password strength in terms of *Shannon* entropy. Cripes, the very first sentence of the Wikipedia page for Shannon entropy tells us that it's an *average*.

Simple analogy: if the goal was to protect your house from a 9-foot-deep flood, would a dike with an *average* height of 10 feet do the job?

krupan, over 3 years ago

When will we stop using passwords?! They are an elementary school kid "secret club" game taken way, way too far. They are totally broken. Nobody can come up with and remember good passwords. Nobody can store passwords securely. 100% busted.

Instead of continuing to debate what makes a good password, we need to put our energy into better techniques altogether! No more shared secrets! Let's talk about one-time codes, asymmetric key cryptography, hardware tokens, anything but passwords!!

iflp, over 3 years ago

Kolmogorov complexity/entropy is more suitable for this purpose, under the implicit assumption that password crackers don't have tailored prior knowledge and are just enumerating "simple" sequences. It only agrees with Shannon entropy on long ergodic sequences. The author basically constructed an example where the two notions don't agree.

BeefWellington, over 3 years ago

There's a bit of a logical flaw here in that the argument is made against average entropy of a set of passwords, rather than individual entropy of each chosen password.

This is an argument I can't find anyone making: an aggregate average entropy of the set of all passwords you use is fine for password security, rather than the entropy of each individual password.

As far as I can tell this seems to be a (possibly intentional?) misunderstanding on the author's part.

adgjlsfhk1, over 3 years ago

The real question here is if there are any actually used password strategies where this distinction matters? In practice, no one would ever use the type of password strategy described.

teeray, over 3 years ago

It's important to remember that attackers get no information on how close they are (assuming good hashing practices). It is unknowable to them if you went with the correcthorsebatterystaple approach or placed your cat on the keyboard for a few minutes. Given that, a simpler alphabet with longer strings > more complexity with shorter strings.

canjobear, over 3 years ago

Cool example. An attacker will take 2^234 guesses *on average* to guess the password, but that's an average of 19 1's and one enormous number. So the attacker will usually guess the answer quickly. It's kind of like the St. Petersburg paradox in that the expectation value doesn't reflect typical behavior.

Seems like this might be a use case for "dispersion" (the second moment of entropy) [1].

[1] https://math.stackexchange.com/questions/1626522/higher-moments-of-entropy-does-the-variance-of-log-x-have-any-operationa

MattPalmer1086, over 3 years ago

The argument feels like a straw man.

He seems to be saying, if your password selection strategy skews towards really weak passwords, and you measure the Shannon entropy of the distribution, it won't reveal that this is a bad strategy.

I don't know anyone who would actually do this and declare a win "because Shannon".

At best, it's mildly interesting that Shannon entropy on its own isn't going to give you a useful answer if you have a weak strategy.

croes, over 3 years ago

I thought it's the entropy of the chosen password, not the entropy of the possible passwords you could choose.

iechoz6H, over 3 years ago

I typically use a phrase from my life, e.g.

MathsDegree@StamfordWasABigWin [1]
RanThroughAPlateGlassDoorWhenTen [2]

with some esoteric obfuscation rules.

1. I don't have a maths degree from Stamford.
2. Did happen, not one of my passwords.

willis936, over 3 years ago

Hasn't this problem been solved for decades by diceware?

Use words as your characters with a dictionary of a few thousand words. Assume an attacker knows the dictionary. Make passwords that are too long to brute force (40+ characters). Use enough words that a dictionary attack is also infeasible (4+). Add a salt if you're feeling extra spicy.

Entropy is sufficient if you use the right language model.

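The following is an added worked example, not code from the original article or from any commenter. It makes concrete the two points raised above: canjobear's observation that the expected number of guesses is an average of "19 1's and one enormous number", and willis936's point that for a uniform diceware strategy entropy is a sufficient measure. It treats a password-selection strategy as a probability distribution over passwords and computes, for each strategy, Shannon entropy (an average), min-entropy (the single most likely guess), guesswork (expected number of guesses in best-first order) and the probability of an attacker succeeding within k guesses. The skewed distribution is a constructed stand-in for the article's example (19 fixed weak passwords with probability 1/20 each, and a uniform 256-bit secret with total probability 1/20); the exact distribution the article uses may differ. The 16-word list is likewise constructed for the demo; a real diceware list such as the EFF list has 7776 words.

```python
from fractions import Fraction
from math import log2
import secrets

# A strategy is a list of (p, count): `count` distinct passwords, each chosen
# with probability `p`.  Groups need not be sorted; probabilities must sum to 1.
# Constructed stand-in for the article's skewed example (assumption, see lead-in):
SKEWED = [
    (Fraction(1, 20), 19),                # 19 fixed weak passwords, p = 1/20 each
    (Fraction(1, 20 * 2**256), 2**256),   # one uniform 256-bit secret, total p = 1/20
]
# Uniform diceware: 4 words drawn independently from a 7776-word list.
DICEWARE_4 = [(Fraction(1, 7776**4), 7776**4)]


def _best_first(strategy):
    """Validate the distribution and order groups the way an optimal attacker
    guesses: most probable passwords first."""
    assert sum(p * c for p, c in strategy) == 1, "probabilities must sum to 1"
    return sorted(strategy, key=lambda g: g[0], reverse=True)


def shannon_bits(strategy):
    """H = -sum p_i log2 p_i over all passwords (an *average* over the strategy)."""
    return float(sum(c * p * -log2(p) for p, c in _best_first(strategy)))


def min_entropy_bits(strategy):
    """H_inf = -log2 max_i p_i: strength against a single best guess."""
    return -log2(max(p for p, _ in strategy))


def guesswork(strategy):
    """Expected number of guesses for an attacker who knows the strategy and
    guesses in best-first order: sum_i i * p_(i), computed exactly."""
    total, offset = Fraction(0), 0
    for p, c in _best_first(strategy):
        # group occupies guess positions offset+1 .. offset+c
        total += p * (c * offset + Fraction(c * (c + 1), 2))
        offset += c
    return total


def success_within(strategy, k):
    """Probability that the best-first attacker has found the password after
    at most k guesses (the quantity a defender actually cares about)."""
    hit, offset = Fraction(0), 0
    for p, c in _best_first(strategy):
        take = max(0, min(c, k - offset))
        hit += p * take
        offset += c
    return hit


# Constructed word list for the generator demo; real lists have ~7776 entries.
WORDS = ["acid", "belt", "cave", "dusk", "echo", "fern", "gust", "hawk",
         "iris", "jade", "kelp", "lark", "moss", "nest", "opal", "pine"]


def passphrase(wordlist, n=4):
    """Diceware-style passphrase: each word drawn uniformly with a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(n))


def passphrase_bits(wordlist_size, n=4):
    """For a uniform strategy every measure above collapses to n * log2(D)."""
    return n * log2(wordlist_size)


if __name__ == "__main__":
    for name, s in (("skewed", SKEWED), ("diceware x4", DICEWARE_4)):
        print(f"{name:12s} Shannon={shannon_bits(s):7.2f} bits  "
              f"min-entropy={min_entropy_bits(s):7.2f} bits  "
              f"log2(guesswork)={log2(guesswork(s)):7.2f}  "
              f"P[success in 19 guesses]={float(success_within(s, 19)):.3g}")
    print("example passphrase:", passphrase(WORDS),
          f"({passphrase_bits(len(WORDS)):.1f} bits)")
```

For the skewed strategy, Shannon entropy reports about 17 bits and guesswork is astronomical (about 2^250 in this construction), yet min-entropy is only 4.3 bits and the attacker wins 95% of the time within 19 guesses. For uniform diceware all four numbers tell the same story, which is why entropy suffices there: the guessing model and the selection model coincide.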
pmw, over 3 years ago

This is a good place to advertise https://phrase.shop - a webapp I wrote that makes secure yet memorable passphrases.

It makes entropy requirements explicit, and you can even roll your own dice to supply the required entropy to generate your passphrase.

Try it, it's fun!

DarylZero, over 3 years ago

It seems like it is still sufficient for passwords that are generated in a normal way.

Bolkan, over 3 years ago

https://xkcd.com/936/