I mainly use 2 passwords: 1 is a 4 word full lowercase passphrase of 18 letters long which I use wherever possible. The other is basically 3 words and a digit with the first word in full uppercase and only 14 digits long. I use this whenever the first passphrase is not valid due to length or character set constraints. The words are fairly common (top 5000 words on popular TV shows). I've calculated the entropy for both passwords using. The entropy for both passwords is about equal at 68 bits, give or take half a bit.

I mainly use these passwords for gaming related matters (MMO accounts, desktop clients, forums). I do not use these passwords for financial data, apart from 2 empty paypal accounts and a read-only prepaid credit card statement.

I don't know how valid these entropy numbers are, but judging from these parameters, are these passwords safe enough for their intended purpose? And what is the general guideline for password entropy for different purposes?

Well, that's a bit simplistic, so let me say it in more detail: a "password meter" application like the one you used is mindless and generic; what it measures is the effort of breaking your password, using the mindless and generic strategy that the password meter author thought of. In particular, that password meter system has no idea that your passwords have been generated by assembling words taken randomly from a short list. However, an attacker who is intent on breaking your password will know that, and adapt: you just wrote it on a public forum, so it has become public information.

A correct entropy computation does not work over the actual password value, but over the process by which the password was generated. We simply assume that the attacker is aware of the process, and knows all of it except the actual random choices. With 4 words from a list of 5000, you get one password in a set of 5000^4 with uniform selection probability (that's an important assumption), so the entropy here is 49.15 bits (because 2^49.15 is approximately equal to 5000^4). For more on entropy calculation, see this answer.

(The wisdom of entering your password in a Web-based "password meter" is questionable, too. The one you link to claims that it does all the computations in Javascript and your password does not leave your browser, but did you really check the Javascript source to make sure of it?)

As far as passwords go, 36.86 bits of entropy are rather good. Entropy from passwords selected by average users is much lower than that. Such a password will be broken by an attacker who got the corresponding hash IF the hash was not done properly (e.g. some homemade construction with a couple of SHA-1 invocations), but even then chances are that other users will fall first.

However, you are doing something real wrong. It is right there, in your first sentence:

> I mainly use 2 passwords: 1 is a 4 word full lowercase passphrase of 18 letters long which I use **wherever possible**.

Emphasis is mine; it shows the problem.
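The entropy arithmetic in the answer above, worked through as an added example (this is not code from the question, the answer, or any password meter). It computes entropy from the generation process (independent uniform choices from known alphabets, the assumption the answer insists on), contrasts it with the per-character model a generic meter would apply to the same 18-letter string, and converts the result into expected guessing time for a fast unsalted hash versus a deliberately slow password hash. The guess rates are assumed, illustrative figures, not measurements.

```python
import math

# Parameters from the question: four or three words drawn from a 5000-word list.
WORDLIST_SIZE = 5000

# Assumed guess rates (illustrative, not measured): a single fast hash such as
# SHA-1 on commodity GPUs versus a deliberately slow, tuned password hash.
FAST_HASH_GUESSES_PER_S = 1e10
SLOW_HASH_GUESSES_PER_S = 1e4


def process_entropy_bits(choices):
    """Entropy in bits of a password built from independent uniform choices.

    `choices` lists the alphabet size of each component, e.g.
    [5000, 5000, 5000, 5000] for four words from a 5000-word list, or
    [5000, 5000, 5000, 10] for three words plus one decimal digit.
    The attacker is assumed to know the process and the word list; only the
    random choices are secret, so entropy is log2 of the number of outcomes.
    """
    return sum(math.log2(n) for n in choices)


def character_model_entropy_bits(length, alphabet_size):
    """What a generic meter assumes: every character chosen uniformly from the
    alphabet, ignoring that the string is really a handful of dictionary words."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """Average guesses to hit a password with `bits` bits of entropy: half the space."""
    return 2 ** (bits - 1)


def seconds_to_crack(bits, guesses_per_second):
    """Expected wall-clock time for an offline attack at the given guess rate."""
    return expected_guesses(bits) / guesses_per_second


def summarize():
    """Return the figures discussed in the answer, keyed by name."""
    four_words = process_entropy_bits([WORDLIST_SIZE] * 4)
    three_words = process_entropy_bits([WORDLIST_SIZE] * 3)
    three_words_digit = process_entropy_bits([WORDLIST_SIZE] * 3 + [10])
    # The first passphrase is 18 lowercase letters; a per-character model
    # overstates its strength because it ignores the word-based process.
    naive_18_lowercase = character_model_entropy_bits(18, 26)
    return {
        "four_words_bits": four_words,
        "three_words_bits": three_words,
        "three_words_digit_bits": three_words_digit,
        "naive_18_lowercase_bits": naive_18_lowercase,
        "four_words_fast_hash_seconds": seconds_to_crack(four_words, FAST_HASH_GUESSES_PER_S),
        "four_words_slow_hash_seconds": seconds_to_crack(four_words, SLOW_HASH_GUESSES_PER_S),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:32s} {value:,.2f}")
```

Running it shows why the answer dismisses the meter's 68 bits: the per-character model credits the 18-letter string with roughly 84.6 bits, while the generating process yields about 49.15 bits for four words and 36.86 for three (a digit adds only about 3.3 more). The last two entries show the same 49-bit password moving from hours to centuries of expected effort purely through the choice of hash on the server side, which is the "IF the hash was not done properly" caveat in the answer.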