Comment by mehrdadn

6 years ago

> He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.

Hence the problem?

Yes, measuring "strength" by "bits of entropy" is technically correct (the best kind of correct...).

It's also exponentially misleading... possibly the worst kind of misleading?

Just look at the question: "Is there even a reason to include special characters in passwords? They add 10% more to security...". I don't know about you, but to me that doesn't really portray an understanding of the fact that it takes twenty-five times longer to crack such a password for merely 8 characters, not merely 10%.

I mean, counting in entropy with the knowledge that the applied effects can be logarithmic is the standard way of discussing such matters. It's sort of the basis for the information theory that's underneath this type of work.

Edit: And the point of his argument is that more symbols of a smaller corpus of symbols can be equivalent if the entropy is equivalent.
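The entropy-versus-crack-time relationship the comment above argues about, worked through in code. This is an added example, not something posted in the thread: it computes password entropy as length times log2 of the alphabet size, converts a difference in bits back into a brute-force work multiplier, and finds how many characters from a smaller alphabet reach the same entropy. The alphabet sizes (26 lowercase letters, 62 alphanumerics, 95 printable ASCII) and the 8-character example are assumptions chosen to match the discussion.

```python
import math

# Assumed alphabet sizes (constructed for this example): lowercase letters,
# alphanumerics, and printable ASCII (which adds 33 symbols/punctuation).
LOWER = 26
ALNUM = 62
PRINTABLE = 95


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def work_ratio(bits_weaker: float, bits_stronger: float) -> float:
    """How many times more brute-force guesses the stronger password needs.

    A difference of d bits means 2**d times more keyspace; this is why a
    '10% more entropy' figure understates the effect on cracking time.
    """
    return 2.0 ** (bits_stronger - bits_weaker)


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Smallest length from `alphabet_size` that reaches `target_bits`.

    This is the commenter's closing point: more symbols from a smaller
    alphabet are equivalent once the entropy is equivalent.
    """
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(length: int = 8) -> dict:
    """Entropy, percentage gain, and work multiplier for adding specials."""
    base = entropy_bits(ALNUM, length)
    special = entropy_bits(PRINTABLE, length)
    return {
        "alnum_bits": base,
        "printable_bits": special,
        "entropy_gain_pct": 100.0 * (special - base) / base,
        "work_multiplier": work_ratio(base, special),
        "alnum_len_for_same_entropy": equivalent_length(special, ALNUM),
        "lower_len_for_same_entropy": equivalent_length(special, LOWER),
    }


if __name__ == "__main__":
    for k, v in compare(8).items():
        print(f"{k:>28}: {v:.2f}" if isinstance(v, float) else f"{k:>28}: {v}")
```

Running it for 8 characters shows the linear figure (about 10% more bits) next to the exponential one (roughly 30 times the keyspace), and that the same entropy is reached with a 9-character alphanumeric or a 12-character lowercase-only password.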