Questions tagged [entropy]

In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other purposes that require unpredictable data. It is typically gathered from hardware sources, either pre-existing ones such as the timing of mouse movements, keystrokes and disk I/O, or dedicated hardware random number generators. The term is also used, as in most questions here, for the strength of a password or key: the base-2 logarithm of the number of equally likely values the generation process could have produced, measured in bits.

246 questions
1268 votes · 22 answers
XKCD #936: Short complex password, or long dictionary passphrase?
How accurate is this XKCD comic from August 10, 2011? I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against me on that one. However, XKCD's analysis seems…
Billy ONeal (2,688 reputation; badges: 4 gold, 15 silver, 15 bronze)

186 votes · 9 answers
Is the NHS wrong about passwords?
An NHS doctor I know recently had to do their online mandatory training questionnaire, which asks a bunch of questions about clinical practice, safety and security. This same questionnaire will have been sent to all the doctors in this NHS…
Robin Winslow (1,738 reputation; badges: 2 gold, 11 silver, 10 bronze)

120 votes · 11 answers
Password rules: Should I disallow "leetspeak" dictionary passwords like XKCD's Tr0ub4dor&3
TLDR: We already require two-factor authentication for some users. I'm hashing, salting, and doing things to encourage long passphrases. I'm not interested in the merits of password complexity rules in general. Some of this is required by law, and…
Jason Coyne (1,583 reputation; badges: 2 gold, 10 silver, 10 bronze)

117 votes · 15 answers
When choosing a numeric PIN, does it help or hurt to make each digit unique?
Imagine a typical 4-digit PIN scheme containing the digits [0-9]. If I choose my PIN at random, I will get one out of 10 * 10 * 10 * 10 = 10,000 codes. Based on my own experience, more than half of the time a random sequence of four digits will…
smitelli (2,035 reputation; badges: 3 gold, 15 silver, 19 bronze)

94 votes · 4 answers
Chrome generated passwords not high entropy?
On Chrome, if you open a sign up page, it will offer to fill and remember the password field. I did this and got the following sequence of passwords offered as…
gngdb (853 reputation; badges: 1 gold, 6 silver, 6 bronze)

80 votes · 3 answers
Is it appropriate to use haveged as a source of entropy on virtual machines?
While looking for solutions to entropy pool depletion on virtual machines, I came across an interesting project called haveged, which is based on the HAVEGE algorithm (HArdware Volatile Entropy Gathering and Expansion). It makes a pretty fantastic…
Nic (1,136 reputation; badges: 2 gold, 10 silver, 13 bronze)

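The haveged question above is really about whether the kernel pool on a virtual machine is seeded well enough to draw keys from. The check a practitioner would run before generating long-lived keys on a fresh VM is whether getrandom(2) would still block. The following Python is an added example, not code from the post or from the haveged project; it assumes a Linux host, and the helper names are the example's own.

```python
import os

# Linux-only sysctl exposing the kernel's own entropy estimate (assumption: Linux host).
ENTROPY_AVAIL_PATH = "/proc/sys/kernel/random/entropy_avail"


def kernel_pool_status() -> dict:
    """Report the state of the Linux kernel CSPRNG.

    entropy_avail: the kernel's estimate, or None when the sysctl file is absent.
    initialized:   True if getrandom(2) with GRND_NONBLOCK returns data, False if it
                   would block because the pool has not been seeded yet, None where
                   os.getrandom is not available (non-Linux).
    """
    status = {"entropy_avail": None, "initialized": None}
    try:
        with open(ENTROPY_AVAIL_PATH) as f:
            status["entropy_avail"] = int(f.read().strip())
    except (OSError, ValueError):
        pass
    if hasattr(os, "getrandom"):
        try:
            os.getrandom(32, os.GRND_NONBLOCK)
            status["initialized"] = True
        except BlockingIOError:
            # The pool is not yet seeded: any /dev/urandom output right now would be weak.
            status["initialized"] = False
    return status


def generate_key_when_seeded(nbytes: int = 32) -> bytes:
    """Draw key material only once the kernel pool is seeded.

    os.getrandom without GRND_NONBLOCK blocks until the pool is initialized, which is
    the safe behaviour on a freshly booted VM; secrets.token_bytes is the portable
    fallback where getrandom is unavailable.
    """
    if hasattr(os, "getrandom"):
        return os.getrandom(nbytes)
    import secrets
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    print(kernel_pool_status())
    print(generate_key_when_seeded().hex())
```

Neither check needs privileges. On Linux 5.6 and later, /dev/random and getrandom() block only until the pool has been seeded once at boot and never "deplete" afterwards, so the gap that haveged, a virtio-rng device or a persisted seed file fills is that early-boot window on a VM with few hardware events, which is exactly when `initialized` comes back False.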
75 votes · 13 answers
How reliable is a password strength checker?
I've tested the tool from Microsoft available here which tests password strength and rates them. For a password such as "i am going to have lunch tonight", the tool rates its strength as "BEST" and for a password such as "th1$.v4l" it rates it as…
iijj (759 reputation; badges: 1 gold, 6 silver, 3 bronze)

64 votes · 11 answers
Why does the user pick the password?
Almost every web service I can imagine has the user pick the password. Why is this? Couldn't the system choose a better password? It doesn't have to be some complicated mess; see this answer. Do users just find their own choices more convenient?…
PyRulez (2,937 reputation; badges: 4 gold, 15 silver, 29 bronze)

62 votes · 12 answers
How long should the maximum password length be?
The minimum password length recommended is about 8 characters, so is there any standard/recommended maximum length of the password?
Mohamed (1,404 reputation; badges: 1 gold, 11 silver, 14 bronze)

60 votes · 4 answers
Expert quote on entropy for uncrackable password
Could anyone point to a quote in a published work - or suggest a recognised expert who might provide a quote - which answers the following question: How much entropy in a password would guarantee that it is secure against an offline guessing attack…
Stephen Hewitt (711 reputation; badges: 1 gold, 6 silver, 6 bronze)

56 votes · 38 answers
What is your way to create good passwords that can actually be remembered?
What are the methodologies which can be used to generate "human" good quality passwords? They have to ensure good strength and also be easy to remember for a human being.
gbr (2,000 reputation; badges: 1 gold, 16 silver, 22 bronze)

50 votes · 4 answers
Is Diceware more secure than a long passphrase?
I recently investigated best-practices in regards to passwords, and the overwhelming majority of sources recommended using a password manager. This is great advice, but not usable in every situation. Certain situations, such as OS login, Disk…
user163495

50 votes · 7 answers
Doesn't the choice of encryption algorithm add entropy by itself?
Let's say someone has my encrypted data and he wants to decrypt it. People always talk about how the length of the key (e.g. 256 bits) decides about the entropy of the encryption, which totally makes sense. If the attacker tries all 2^256…
Robert (617 reputation; badges: 1 gold, 5 silver, 3 bronze)

43 votes · 5 answers
Confused about (password) entropy
There seem to be many different 'kinds' of entropy. I've come across two different concepts: A) The XKCD example of correcthorsebatterystaple. It has 44 bits of entropy because four words randomly chosen from a list of 2048 words is 4 * log2(2048) =…
mds (533 reputation; badges: 1 gold, 4 silver, 5 bronze)

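The PIN question, the algorithm-choice question and the "kinds of entropy" question above all compute one quantity, the base-2 logarithm of the number of equally likely outcomes of the generation process, whereas the per-character Shannon entropy of a fixed string is a different measure. The following Python works those numbers through with the page's own figures (four digits from [0-9], four words from a 2048-word list, a 256-bit key) and is an added example, not code from any of the posts; the function names, the 95-symbol printable alphabet and the guessing rate of 1000 per second are the example's own assumptions.

```python
import math
from collections import Counter


def bits(choices: int) -> float:
    """Entropy, in bits, of one value drawn uniformly from `choices` equally likely possibilities."""
    if choices < 1:
        raise ValueError("a keyspace needs at least one element")
    return math.log2(choices)


def combined_bits(*choice_counts: int) -> float:
    """Entropy of several independent uniform choices: the keyspaces multiply, so the bits add.
    A secret, uniformly chosen cipher among 4 therefore adds log2(4) = 2 bits to a 256-bit key."""
    return sum(bits(n) for n in choice_counts)


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters each drawn uniformly from an alphabet of `alphabet_size`."""
    return combined_bits(*([alphabet_size] * length))


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly, with replacement, from a wordlist (Diceware/XKCD style)."""
    return combined_bits(*([wordlist_size] * words))


def pin_bits(digits: int, distinct: bool = False) -> float:
    """Entropy of a decimal PIN. distinct=True forbids repeated digits, which shrinks
    the keyspace from 10**digits to 10*9*8*... (a permutation count), so it hurts."""
    if distinct:
        if digits > 10:
            raise ValueError("cannot have more than 10 distinct decimal digits")
        return bits(math.perm(10, digits))
    return bits(10 ** digits)


def shannon_bits_per_char(s: str) -> float:
    """Shannon entropy of the character frequencies of one fixed string.
    This measures the string, not the process that produced it, so it says little
    about how hard the string is to guess; it is the only thing a meter that
    inspects just the string can compute."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def average_guess_time_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time for an offline attacker enumerating the keyspace uniformly:
    half the space is searched, on average, before the hit."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Figures from the questions on this page; the guessing rate is an assumption of this example.
    print(f"4 words from 2048 (correct horse battery staple): {passphrase_bits(2048, 4):.1f} bits")
    print(f"8 random printable ASCII characters (95 symbols): {random_string_bits(95, 8):.1f} bits")
    print(f"4-digit PIN, repeats allowed: {pin_bits(4):.2f} bits ({10 ** 4} codes)")
    print(f"4-digit PIN, all digits distinct: {pin_bits(4, distinct=True):.2f} bits ({math.perm(10, 4)} codes)")
    print(f"256-bit key plus a secret uniform choice among 4 ciphers: {combined_bits(2 ** 256, 4):.0f} bits")
    print("Shannon entropy of the fixed string 'correcthorsebatterystaple': "
          f"{shannon_bits_per_char('correcthorsebatterystaple'):.2f} bits/char")
    years = average_guess_time_seconds(44, 1000) / (365.25 * 86400)
    print(f"44 bits at 1000 guesses/s: about {years:.0f} years on average")
```

The last line is the point XKCD makes: 44 bits at 1000 guesses per second is centuries on average, but the same 44 bits at the rates an offline attack on a fast hash reaches (billions of guesses per second) falls to hours, which is why the offline-attack question above asks for a figure that is safe regardless of rate. The Shannon figure for "correcthorsebatterystaple" is a few bits per character and says nothing about the 2048-word process that produced it.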
40 votes · 8 answers
Why do password strength requirements exist?
Password strength is now everything, and they force you to come up with passwords with digits, special characters, upper-case letters and whatnot. Apart from being a usability nightmare (even I as a developer hate it when a website requires a…
Bozho (1,173 reputation; badges: 1 gold, 10 silver, 12 bronze)
