1

I want to use zxcvbn-c but it gives the entropy number, not score like the javascript library does. How do I convert entropy number to a score? (0 to 4)

The zxcvbn blog/source mentions that the score is related to estimated cracktime. I think this will be relative and increasing over time as computers get more powerful. But whats the current recomended formula to convert entropy to cracktime? How can I calculate a score for now? When should I reevaluate?

Heres what I found but how to know what guesses is made from and how to make the formula?

0 = guesses < 10^3
1 = guesses < 10^6
2 = guesses < 10^8
3 = guesses < 10^10
4 = guesses >= 10^10

IOW what are recomended entropy gradients for password strength nowadays?

TaTai
  • 11
  • 4
  • Each bit of entropy doubles the expected number of guesses an attacker will have to make, so without looking into it further I would assume you could compare `e < log2(10^n)` where `n` is 3, 6, 8, 10, etc. – AndrolGenhald Feb 20 '18 at 14:30
  • The app also give a "log10" number which is really just entropy * 0.301029996 – TaTai Feb 20 '18 at 20:40
  • Then compare entropy log10 against 3, 6, 8, 10. Same thing either way. – AndrolGenhald Feb 20 '18 at 20:55

1 Answers1

0

Thanks @AndrolGenhald I think this is how the javascript works

log = e * 0.301029996;
if (log < 3) s = 0;
if (log < 6) s = 1;
if (log < 8) s = 2;
if (log < 10) s = 3;
if (log >= 10) s = 4;

Should someone have better indepth answer about entropy I will be eager to read it.

TaTai
  • 11
  • 4
  • If you want to read up on password entropy in general [this](https://security.stackexchange.com/a/174744/151903) is a good starting point, and [the xkcd 936 analysis](https://security.stackexchange.com/a/6096/151903) is interesting. – AndrolGenhald Feb 20 '18 at 22:27