Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 24 Aug 2016 14:29:06 -0400
From: Matt Weir <>
Subject: Re: GMOs And Passwords

BLUF (Bottom Line Up Front): I don't think Shannon entropy is currently an
actionable measurement of the security of human generated passwords, but I
also disagree with IT:Hipster's analogy.

Terminology note: For the purposes of this discussion, unless specifically
noted when I mention entropy I'm talking about Shannon Entropy. There are
various other types of entropy, (I've had several discussions with Jeff
Goldberg about some of them ;p), but none have really gained that much
traction in the wider password security field that I'm aware of.

IT:Hipster, you made the comment that a generation process doesn't tell you
about the final product. For example a generation process for passwords
will create a set of passwords with a particular entropy value, but that
there is no test to see if a particular password in isolation has a
specific entropy. If that's what you were saying then I agree with you.
Entropy refers to the whole distribution not individual instances.

Where I disagree with you though is that information about the whole set
can be useful. Going to your GMO example, one problem that GMOs can
introduce is lack of genetic diversity. Admittedly this can happen without
GMOs, but an outcome of particular GMO type procedures can produce
homogeneous populations. While I can't look at one sheep and say that it
lacks genetic diversity, someone can look at a herd and devise a test to
measure their diversity as a whole. The same goes for entropy and
passwords. You can totally calculate the entropy for a set of known
passwords. When trying to estimate the potential impact of different
password creation policies on entropy, well things get more complicated,
but ultimately it is a solveable problem. Where we run into issuess is then
trying to translate that entropy value into some statement about the
security of the system, but that's probably a topic for a different
discussion. What I am trying to say though is that the generation process
does sometimes provide useful information that can be tested for over a set
of targets even if you can't test for it with an individual target.


On Wed, Aug 24, 2016 at 1:38 PM, Royce Williams <>

> On Wed, Aug 24, 2016 at 9:19 AM, <> wrote:
> [snip]
> > do you realize how many "security experts" don't even know the
> definition of entropy?
> >
> > do you claim that malicious "password policies" are already eliminated
> in the world?
> No. We're claiming that most people who self-selected to be on this
> mailing list do not need to be convinced that there are problems with
> passwords. That is why we signed up. :)
> Royce

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.