Question

In: Computer Science

A 10-character password is to be selected from an alphabet comprised of the following: all lower...

A 10-character password is to be selected from an alphabet comprised of the following: all lower case and upper case English alphabet and all numbers. Compute the entropy of such a password. Why would such an entropy computation not be representative of passwords in practical settings?

Solutions

Expert Solution

Ans :

Why we use entropy to measure the password strength?

Let's say someone uses brute force to guess a password and passwords are not bit strings, they are character strings and entropy is a measure to describe in how many attempts of brute force guessing will it take to crack the password ( not exact counts just a proportionality.)

Let's derive H ( entropy)

N - Number of characters to choose from

L - Length of password

H - Entropy value

NL = 2H

Taking log both sides

L log N = H log 2

H = L ( log N / log 2)

Let's calculate entropy for 10 characters and say case sensitive (a-z or A-Z or 0-9) giving us total N = 62 (26+26+10)

H = 10 ( log 62 / log 2 ) = 59.54 bits

But in this derivation, we have assumed that every character is uniformly randomly chosen but as humans don't choose everything randomly the expected and calculated entropy is different.

Humans are very poor at selecting a good password, even though the above entropy value seems more than sufficient but in real life, it is not even close to a strong password.

In actual life, NIST has rules by which we calculate actual entropy values

For 10 character password = 4*1 + 2*7 + 1.5*2 = 21 bits

Number of character Entropy values
1 character 4 bits each
Next 7 character 2 bits each
Next 9 to 20th character 1.5 bits each
Character 21 and above 1 bits each

So actual entropy is very less as compared to calculated that's why such password is not preferred in practical life.


Related Solutions

Think of a password 8 character long which uses at last one lower-case letter, one capital...
Think of a password 8 character long which uses at last one lower-case letter, one capital letter, and one number, but uses none more than once. What's your password? How many possible permutations are there for an 8 character password which meets those criteria? How many fewer combinations without regard to order are there for an 8 character password which meets those requirements. How would you calculate how many permutations there are for an 8 to 12 character password which...
An 8-character password consists of four numbers (from 1 to 9) followed by two letters (from...
An 8-character password consists of four numbers (from 1 to 9) followed by two letters (from A to Z) followed by two more numbers (from 1 to 9). a) How many different passwords can be formed if letters and numbers can be repeated? b) How many different passwords can be formed that have no repeated number or letters?
A certain website wants you to build a 6-character password from the letters a through i,...
A certain website wants you to build a 6-character password from the letters a through i, the numbers 0 − 9, or the symbols @, #, or &. Clearly, the order of the characters in the password matters (a) How many passwords are there in total? (b) How many passwords are there that consist of distinct characters? (c) How many passwords have the first two characters be letters, the middle two character be one of the symbols and the last...
Using the pigeonhole theorem prove that any set of 220 10-character strings over the alphabet {a,b,c,d}...
Using the pigeonhole theorem prove that any set of 220 10-character strings over the alphabet {a,b,c,d} contains a pair of anagrams.
6. Passwords are composed from lower- and uppercase letters of the English alphabet,digits and 34 special...
6. Passwords are composed from lower- and uppercase letters of the English alphabet,digits and 34 special characters. What is the exponential generating function of the sequence an=number of passwords with at least one capital letter, one number and one special character.
In C++, The following program reads one character from the keyboard and will display the character...
In C++, The following program reads one character from the keyboard and will display the character in uppercase if it is lowercase and does the opposite when the character is in uppercase. If the character is a digit, it displays a message with the digit. Modify the program below such that if one of the whitespaces is entered, it displays a message and tells what the character was. // This program reads one character from the keyboard and will //...
An 10-bit password is required to access a system. A hacker systematically works through all possible...
An 10-bit password is required to access a system. A hacker systematically works through all possible 10-bit patterns. Let ? be the number of patterns tested until the correct password is found. (a) Find ?? and the pmf of ?. Let ? be the event that the password has not been found after 24 tries. (b) Find the conditional pmf of ? given ?. (c) Find ?(?) and ?(? | ?).
The Five C’s of Credit include all the following EXCEPT Collateral Conditions Character Credibility All of...
The Five C’s of Credit include all the following EXCEPT Collateral Conditions Character Credibility All of the answers are correct
Is it possible for OPEC to lower prices to $10 a barrel and drive all non-OPEC...
Is it possible for OPEC to lower prices to $10 a barrel and drive all non-OPEC competitors, including the fracking industry out of business? Why or Why not! Use Economic Theory to answer this question
Given the information below about a portfolio comprised of 3 stocks, answer the following: (show all...
Given the information below about a portfolio comprised of 3 stocks, answer the following: (show all the details of your calculations): The expected return on each stock; The expected return on the portfolio using the individual securities’ expected returns obtained in question (a) above. Assume that the correlation between stock A and B is -0.25. Calculate the standard deviation of a portfolio containing 50% of stock A and 50% of stock B. Stock Initial investment value Expected end-of-period investment value...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT