[Discuss] deadmanish login?
Kent Borg
kentborg at borg.org
Sat Feb 4 21:19:43 EST 2017
On 02/04/2017 06:06 PM, Eric Chadbourne wrote:
> Entropy calc here and other neat stuff.
>
> https://gchq.github.io/CyberChef/
Entropy calculators mostly don't know.
It doesn't matter how a password scores according to some elegant
information theory, what matters is how easy that password is for
someone to guess. And though password guessing has progressed mightily
in the last few years, it is still an expensive and subtle activity,
well beyond what some little piece of open source software is up to
instantly measuring.
To be efficient, password cracking needs to prioritize and check more
likely passwords first. It matters greatly whether the password was
dreamed up by an English speaker (check "password" first, concentrate on
ASCII space after that) vs. dreamed up by an Arabic speaker (check
"كلمهالسر" first, concentrate on Arabic character set after that). It
matters whether it was dreamed up by a colourful Brit vs. a colorless
Yank. It matters whether it was dreamed up by a sports fan vs. an opera
fan. It matters how old the person was who dreamed it up. Et cetera. If
the NSA tries to break some encryption key of yours they will take what
they know about you (a lot) and dump that into their cracking. Names and
places and birthdays, books you have read, schools you have attended,
pets you have had, cars you have driven, languages you might speak,
etc., will all inform how they prioritize the search. (How do I know?
Because they are at least that smart. If they aren't that smart they
should offer me a job, it would be fun to turn them down.)
I Googled up an online entropy checker and asked it what it thinks of
"May the Force be with you!", and it was impressed. I tried "The quick
brown fox jumps over the lazy dog." and it was even more impressed.
Complete foolishness!
The only way to really know the minimum entropy of a password is to know
how much entropy went into its creation, and a password calculator
doesn't know how you created it.
Oh, and the online entropy calculator I found thinks a password is a
password is a password. But they are not! A password that is complete
overkill for your Twitter account (something rate limited) can still be
worthless for encrypting data (something not rate limited). Reporting
"entropy" (aren't we all fancy) yet ignoring that distinction is stupid.
Entropy calculators mostly don't know.
-kb
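The distinction Kent draws above (string-shape "entropy" versus guesses an attacker actually needs, and rate-limited versus offline guessing) can be made concrete. The script below is an added example written for this page; it is not Kent's code or anything from the list. The tiny PRIORITY_LIST is a constructed stand-in for a real cracker's wordlists and rules, and the two guess rates are assumed round numbers, not measurements.

```python
import math
import string

# Constructed "try these first" list standing in for a real cracker's wordlists and rules.
# Real tooling (hashcat/John with rockyou.txt, rule sets, target-specific words) is vastly
# larger and smarter; this list only illustrates the ordering argument.
PRIORITY_LIST = [
    "password",
    "123456",
    "كلمهالسر",                                   # Arabic "password", tried first for an Arabic speaker
    "May the Force be with you!",
    "The quick brown fox jumps over the lazy dog.",
    "correct horse battery staple",
]

# Assumed guess rates (not from the post): a rate-limited web login vs. an offline attack
# on a fast unsalted hash or a poorly stretched encryption key.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e10


def naive_entropy_bits(password: str) -> float:
    """What a typical online 'entropy calculator' computes: length * log2(alphabet size),
    where the alphabet is the union of character classes present. It looks only at the
    string, never at how the string was chosen."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    if alphabet == 0:
        alphabet = 256  # non-ASCII input: assume a full byte alphabet
    return len(password) * math.log2(alphabet)


def guess_rank(password: str, priority_list=PRIORITY_LIST):
    """1-based position at which a cracker working through priority_list hits the
    password, or None if it would have to fall back to exhaustive search."""
    for rank, candidate in enumerate(priority_list, start=1):
        if candidate == password:
            return rank
    return None


def effective_bits(password: str, priority_list=PRIORITY_LIST) -> float:
    """Work the attacker actually does, expressed in bits: log2(guesses needed).
    A password the cracker tries first is worth 0 bits however long it is."""
    rank = guess_rank(password, priority_list)
    if rank is not None:
        return math.log2(rank)
    return naive_entropy_bits(password)  # upper bound: attacker has no better idea


def generation_entropy_bits(choices_per_pick: int, picks: int) -> float:
    """The only number that is actually knowable: entropy of the process that made the
    password, e.g. six uniform picks from a 7776-word list. Computed from the process,
    not from the resulting string."""
    return picks * math.log2(choices_per_pick)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate 2**bits candidates at a given rate."""
    return 2.0 ** bits / guesses_per_second


def report(password: str) -> dict:
    """Side-by-side view: calculator score vs. attacker work, online and offline."""
    naive = naive_entropy_bits(password)
    eff = effective_bits(password)
    return {
        "naive_bits": round(naive, 1),
        "rank": guess_rank(password),
        "effective_bits": round(eff, 2),
        "online_seconds": seconds_to_exhaust(eff, ONLINE_RATE),
        "offline_seconds": seconds_to_exhaust(eff, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in ["May the Force be with you!", "password", "kX9#vLq2!mZp"]:
        print(pw, report(pw))
    # A 30-bit secret: years behind a rate limiter, well under a second offline.
    print("30 bits online :", seconds_to_exhaust(30, ONLINE_RATE) / 86400, "days")
    print("30 bits offline:", seconds_to_exhaust(30, OFFLINE_RATE), "seconds")
    print("6 Diceware words:", generation_entropy_bits(7776, 6), "bits")
```

The character-class score rates "May the Force be with you!" at well over 150 bits, while a cracker that tries famous phrases early finds it in a handful of guesses (about 2 bits of real work). The same 30-bit secret that would take years at ten guesses per second against a rate-limited login falls in a fraction of a second at offline rates, which is the Twitter-versus-disk-encryption point. Only generation_entropy_bits, which takes the generation process as input rather than the string, yields a number you can actually trust as a minimum.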