
Date: Mon, 29 Apr 2013 16:26:30 +0400 From: Solar Designer <solar@...nwall.com> To: cryptdev@...ts.openwall.com Subject: Re: Representing the crack resistance of a password. On Mon, Apr 29, 2013 at 01:05:30AM 0500, Jeffrey Goldberg wrote: > In a discussion on Twitter, Matt Weir has persuaded me that talking about the Shannon Entropy, H, of a password generation system doesn't get what we want. H doesn't capture appropriate facts about the distribution of passwords within the set of possible passwords. That's correct. > The far more meaningful notion would be "what is the prob of an attacker cracking a pw under that policy after N guesses". This, as I now understand, is not in general computable from H. (It is computable from H when the distribution is uniform, but the whole point is that humans do not select passwords uniformly from some set.) > > I asked how we should characterize, or even name, this notion. I tossed out > > C(X, k) = 2 log_2 G(0.5, X, k) > > where k is the key or password, X is this distribution, and G(p, X, k) is is the number of Guesses needed to hit k in X with probability p. Regarding your G() above, see: http://www.lysator.liu.se/~jc/mthesis/4_Entropy.html#SECTION00430000000000000000 for a formal definition of "Guessing entropy" and some discussion. Alexander
Powered by blists  more mailing lists