Password entropy7/30/2023 But when concepts of information entropy are applied, the number of questions/guesses drops to a consistent 4 or 5. In contrast, if I were to guess at random it would, on average, take me 13 guesses to guess your letter. No matter which letter you select it will always take me as few as four (4) but never more than five (5) questions to guess your letter. But if I apply basic concepts from Claude Shannon’s information theory to the task, something very interesting happens. But it could also take me 25 guesses, right? If I were to just randomly start guessing my success would be random, too. How many guesses do you think it will take me? Do you think its random, based on luck? Could I guess it in one try? Sure. Please randomly select a letter from A – Z. To explain why, let me start with a simple demonstration. Volumes of discussion can be had on concepts of information entropy and its uses in communication but for our purposes today let’s just say that, in the end, password entropy provides us a way of empirically comparing the potential strength of a password based upon its length and the potential number of characters it might contain. ![]() The answer to these questions lies in password entropy (part of it, at least). But for you and your shop, there is an answer. Moreso, is there a point of diminishing returns on password complexity? At what point do they become so long and complex that they become practically unusable? Again, there is no textbook answer here. We all have different needs and systems have varying levels of password support. How can we compare the potential strength of any proposed password policy? Are your policy requirements arbitrary or based on some sort of quantitative measure? It’s simple to say, ‘make passwords long, complex and not based on dictionary words’, but can you quantify what ‘enough’ is for a given situation? Scenarios vary. This question lends itself directly to discussions of policy within an organization. One argument is for length, the other is for complexity. Another argument might assert that the shorter password has the potential to be stronger because it pulls from a larger list of potential characters. One argument may state that a longer password, even when using a smaller potential character set is stronger. How can you make an apples-to-apples comparison of the two passwords? They differ in many ways. ![]() Please disregard for a moment whether you feel either of them is sufficiently strong for your situation that’s another discussion. Which is stronger, an 8-character, random password that potentially uses characters from the entire ASCII characters set (upper-case, lower-case, numbers, special characters (including a space)) or a 10-character, random password that uses only upper and lower-case letters? Simple enough, right? But let me push a little further and ask a not-so-simple question: And it’s nothing new to virtually all of us: Passwords are supposed to be long, varied in their use of characters (upper case, lower case, numbers, special characters) and not based on dictionary words. It’s a nice companion to this post and a useful tool later down the road. Before we start, please be sure to download ITdojo’s password entropy worksheet (MS Excel, OS X Numbers, LibreOffice Calc compatible).
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |