Wednesday, September 13, 2017

[alfojqcb] Password entropy

If a password consists of all characters of the same class except possibly for the first or last characters, then: if they are all digits, then log(10) bits of entropy per character.  If they are all uppercase or all lowercase, then log(26).

If there is a capital letter in a place other than at the beginning, or a number or punctuation other than at the end, then log(95) per character.

Some corner cases remain to be specified.

Then, simply require a certain amount of entropy (thus defined) in users' passwords.  Users can choose whether to use a long password with little entropy per character or a short one with lots of entropy per character.

Perhaps forbid characters which cause the underlying data storage or UI to become confused (e.g., space).

Consecutive repeated characters count as 1+log of the repeat count.

No comments :