Comment by mehrdadn
6 years ago
> 10% more security (6.55 vs. 5.95 bits per character)
That's not how this works. By your logic having a password consisting of 1,2,3,4 is only twice as secure as having just 1,2.
That's absolutely how bits of entropy work.
However symbol frequency is also significant for entropy.
Do you think 1 in 25 four letter passwords contain a backtick?
If you were brute forcing an ASCII password (no whitespace), would you naively cycle from ! up to ~ for each character?
The context is randomly generated passwords, so dictionary attacks (or other attacks that look at the plaintext from a Huffman encoding perspective) aren't really relevant.
That's most definitely not how security works. The strength of your password is not proportional to the number of bits of entropy it has.
The way you're phrasing this may be misleading.
The strength of a password / passphrase increases with the power of 2 raised to the bits of entropy.
That's an exponential proportion, rather than a linear one. But a proportion all the same.
Example:
Given mixed-case alphanumeric (62 characters) and an 8-character password length, the number of combinations is:
A 10 character password (if randomly chosen from the same character set) has 10^17 possible combinations (about 4,000x more), and 59.4 bits of entropy, 11.8 bits more. 2^11 = 2048.
1 reply →
In the context of randomly generated passwords, it's absolutely ok to think about it in terms of the logarithmic relationship between 1) entropy per symbol times number of symbols and 2) strength of the password.
He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.
2 replies →
According to KeePass2, the password: "12" contains 7 bits of entropy, but "1234" only contains 5 bits of entropy.
Is that right?
I wouldn't trust it. If you use the "Hex key - 128-bit" preset, it returns a different amount of bits every time you click it. Here are 3 samples:
Due to missing or repeated characters from the set of the hex alphabet?
4 replies →
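As an added example (not part of the thread, and not KeePass's estimator): the sketch below separates the entropy of the generation process, which is fixed by alphabet size and length, from a naive estimate computed from the characters of one sample, which changes from sample to sample. All function names are hypothetical, and the frequency-based estimator is an assumption chosen only to illustrate why a string-inspecting meter can report different bit counts for keys drawn from the same 128-bit generator.

```python
import math
import secrets
from collections import Counter

def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol drawn uniformly from the alphabet."""
    return math.log2(alphabet_size)

def generation_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of the whole password when every symbol is drawn
    uniformly and independently. Depends only on the process."""
    return length * bits_per_symbol(alphabet_size)

def keyspace_ratio(alphabet_size: int, short_len: int, long_len: int) -> int:
    """How many times larger the search space is for the longer password."""
    return alphabet_size ** (long_len - short_len)

def sample_frequency_estimate(password: str) -> float:
    """Naive estimator (assumption, not KeePass's algorithm): Shannon
    entropy of the observed character frequencies, times the length.
    It only sees one string, so repeated characters lower the score."""
    n = len(password)
    return -sum(c * math.log2(c / n) for c in Counter(password).values())

def random_hex_key(nbytes: int = 16) -> str:
    """128-bit key from the OS CSPRNG, rendered as 32 hex characters."""
    return secrets.token_hex(nbytes)

if __name__ == "__main__":
    # Bits per character for the two alphabets quoted at the top of the thread.
    print(f"94 symbols: {bits_per_symbol(94):.2f} bits/char")
    print(f"62 symbols: {bits_per_symbol(62):.2f} bits/char")

    # Entropy grows linearly with length; the search space grows exponentially.
    for length in (8, 10):
        print(f"62^{length}: {generation_entropy(62, length):.1f} bits")
    print(f"10 vs 8 chars: {keyspace_ratio(62, 8, 10)}x more combinations")

    # Every key below has exactly 128 bits of generation entropy, yet the
    # per-sample estimate varies and never exceeds 128.
    print(f"generation entropy: {generation_entropy(16, 32):.0f} bits")
    for _ in range(3):
        key = random_hex_key()
        print(key, f"{sample_frequency_estimate(key):.1f} bits (naive estimate)")
```
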