Date: Wed, 24 Aug 2016 14:29:06 -0400
From: Matt Weir <cweir@...edu>
To: passwords@...ts.openwall.com
Subject: Re: GMOs And Passwords

BLUF (Bottom Line Up Front): I don't think Shannon entropy is currently an actionable measurement of the security of human generated passwords, but I also disagree with IT:Hipster's analogy.

Terminology note: For the purposes of this discussion, unless specifically noted, when I mention entropy I'm talking about Shannon entropy. There are various other types of entropy (I've had several discussions with Jeff Goldberg about some of them ;p), but none have really gained that much traction in the wider password security field that I'm aware of.

IT:Hipster, you made the comment that a generation process doesn't tell you about the final product. For example, a generation process for passwords will create a set of passwords with a particular entropy value, but there is no test to see if a particular password in isolation has a specific entropy. If that's what you were saying, then I agree with you. Entropy refers to the whole distribution, not individual instances.

Where I disagree with you, though, is that information about the whole set can be useful. Going to your GMO example, one problem that GMOs can introduce is lack of genetic diversity. Admittedly this can happen without GMOs, but an outcome of particular GMO-type procedures can produce homogeneous populations. While I can't look at one sheep and say that it lacks genetic diversity, someone can look at a herd and devise a test to measure their diversity as a whole.

The same goes for entropy and passwords. You can totally calculate the entropy for a set of known passwords. When trying to estimate the potential impact of different password creation policies on entropy, well, things get more complicated, but ultimately it is a solvable problem.

Where we run into issues is then trying to translate that entropy value into some statement about the security of the system, but that's probably a topic for a different discussion. What I am trying to say, though, is that the generation process does sometimes provide useful information that can be tested for over a set of targets even if you can't test for it with an individual target.

Matt

On Wed, Aug 24, 2016 at 1:38 PM, Royce Williams <royce@...hsolvency.com> wrote:
> On Wed, Aug 24, 2016 at 9:19 AM, e@...tmx.net <e@...tmx.net> wrote:
>
> [snip]
>
> > do you realize how many "security experts" don't even know the
> > definition of entropy?
> >
> > do you claim that malicious "password policies" are already eliminated
> > in the world?
>
> No. We're claiming that most people who self-selected to be on this
> mailing list do not need to be convinced that there are problems with
> passwords. That is why we signed up. :)
>
> Royce
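The point made above, that Shannon entropy is defined over a distribution of passwords and not over any single one, can be shown with a short calculation. The following is an added example, not code from the email or its author; the password list is a constructed sample rather than real leaked data, and the min-entropy function is included as one of the "other types of entropy" the email alludes to without naming, to illustrate why a Shannon figure alone says little about what an attacker's first guess would achieve.

```python
import math
from collections import Counter

# Constructed sample standing in for a set of known passwords (not real data).
# Four distinct values with frequencies 4, 2, 1, 1 out of 8.
SAMPLE_PASSWORDS = [
    "password", "password", "password", "password",
    "123456", "123456",
    "letmein", "qwerty",
]


def password_distribution(passwords):
    """Empirical probability of each distinct password in the set."""
    counts = Counter(passwords)
    total = len(passwords)
    return {pw: n / total for pw, n in counts.items()}


def shannon_entropy(passwords):
    """Shannon entropy, in bits, of the empirical distribution of a password set.

    The quantity is a property of the whole set: a single password has no
    Shannon entropy, and a set of identical passwords has exactly 0 bits.
    """
    if not passwords:
        raise ValueError("entropy is undefined for an empty set")
    dist = password_distribution(passwords)
    return -sum(p * math.log2(p) for p in dist.values())


def max_entropy(passwords):
    """Upper bound log2(number of distinct values), reached only if uniform."""
    return math.log2(len(set(passwords)))


def min_entropy(passwords):
    """Min-entropy in bits: -log2 of the most probable password's frequency.

    This tracks the success rate of a single best guess, which is the kind of
    security statement Shannon entropy by itself does not make.
    """
    if not passwords:
        raise ValueError("entropy is undefined for an empty set")
    return -math.log2(max(password_distribution(passwords).values()))


if __name__ == "__main__":
    h = shannon_entropy(SAMPLE_PASSWORDS)
    print(f"Shannon entropy of sample set: {h:.3f} bits")       # 1.750 bits
    print(f"Maximum possible for 4 values: {max_entropy(SAMPLE_PASSWORDS):.3f} bits")  # 2.000
    print(f"Min-entropy of sample set:     {min_entropy(SAMPLE_PASSWORDS):.3f} bits")  # 1.000
    # A homogeneous "herd": every member identical, zero diversity.
    print(f"Identical set: {shannon_entropy(['password'] * 8):.3f} bits")  # 0.000
```

For the constructed sample the distribution is 1/2, 1/4, 1/8, 1/8, so the Shannon entropy works out to 1.75 bits against a 2-bit maximum for four distinct values, while the min-entropy of 1 bit reflects that half the set would fall to a single guess of the most common value. Neither figure can be attached to "password" on its own; both are statements about the set.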