undefined | Better HN

0 pointsMattPalmer10864y ago0 comments

You can calculate Shannon entropy of an individual password, as the number of bits per char.

A password of "aaaaaaa" will have a much lower entropy than "axipeY7".

What am I missing?

0 comments

Replying to self...

I guess it's not a useful measure of password strength, even if possible. Any password that doesn't repeat any letters will have identical entropy by this measure.

So 123456789 will be the same Shannon entropy as Ar4e$hUa^

throwawayffffas4y ago

Entropy is really a measure of password length.

MattPalmer1086OP4y ago

That's basically right for passwords.

Of course, if we impose password complexity requirements (e.g. must have a digit or an uppercase letter), it actually reduces the entropy in the password!

aeternum4y ago

Entropy is a measure of the potential state space. So password length matters a lot but so does the size of the character set.

j / k navigate · click thread line to collapse

0 pointsMattPalmer10864y ago0 comments

You can calculate Shannon entropy of an individual password, as the number of bits per char.

A password of "aaaaaaa" will have a much lower entropy than "axipeY7".

What am I missing?

0 comments

MattPalmer1086OP4y ago

Replying to self...

I guess it's not a useful measure of password strength, even if possible. Any password that doesn't repeat any letters will have identical entropy by this measure.

So 123456789 will be the same Shannon entropy as Ar4e$hUa^

throwawayffffas4y ago

Entropy is really a measure of password length.

MattPalmer1086OP4y ago

That's basically right for passwords.

Of course, if we impose password complexity requirements (e.g. must have a digit or an uppercase letter), it actually reduces the entropy in the password!

aeternum4y ago

Entropy is a measure of the potential state space. So password length matters a lot but so does the size of the character set.

j / k navigate · click thread line to collapse