The article presents a newly developed metric called "Expectation entropy" that can be used to estimate the strength of random or random-like passwords. The classical combinatorics-based password strength formula provides a result in bits, while the NIST Entropy Estimation Suite gives a result between 0 and 1 for min-entropy.
The authors define four disjoint character sets (lowercase letters, uppercase letters, digits, and symbols) and calculate the expectation of a character appearing in a password based on the probability of each character set. They then express the Expectation entropy as the logarithm of the expected character value divided by the maximum entropy of the total character space.
The authors evaluate the Expectation entropy using two datasets: 100,000 randomly generated passwords of varying lengths, and three publicly leaked password databases (LinkedIn, 10Million, and WPA2). The results show that the Expectation entropy value rises and falls with the length of the password and stays within the theoretical bounds. The publicly leaked databases mostly contain short passwords whose characters are drawn from only some of the four character sets, which yields low Expectation entropy values.
The authors conclude that having an Expectation entropy of a certain value, e.g., 0.4, means that an attacker has to exhaustively search at least 40% of the total number of guesses to find the password using brute-force.
Source: Khan Reaz, Ge... at arxiv.org, 04-29-2024, https://arxiv.org/pdf/2404.16853.pdf