Phrase Based Password Entropy
Yesterday I published an article about password entropy.
Today I would like to discuss the entropy of a phrase-based password.
Phrase Based Password
A phrase-based password is a password assembled from several words that are easy to remember and easy to spell, delimited by spaces.
As a result, such passwords are very easy to remember.
To produce such a password, one must have a dictionary of words.
Each time a user asks for a password, the system randomly chooses a few words to generate the password.
The Entropy of a Phrase Based Password
Let \(N\) be the size of our dictionary and let \(L\) be the number of words in the password; there are therefore \(T = {N \choose L}L!\) different possible passwords (the words are chosen without repetition, and their order matters).
Assuming \(N \gg L\), we can approximate this number by \(T \approx N^L\).
As we know, the entropy \(H\) is given by \(H = \log_2{T}\), thus \(H \approx \log_2{N^L} = L \log_2{N}\), which is identical to the entropy of a password of length \(L\) under an alphabet with \(N\) different symbols.
Let's assume that \(N = 10,000\) (i.e. we have 10,000 unique words in our dictionary) and \(L = 5\); the entropy of a password under these conditions is \(H \approx 5 \log_2{10,000} \approx 66.44 \text{ bits}\).
Unfortunately, when \(N = 3,000\) and \(L = 4\) the entropy is much lower: \(H \approx 4 \log_2{3,000} \approx 46.2 \text{ bits}\).
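As an added example (not code from the original post), the Python below computes the entropy both exactly, from \(T = {N \choose L}L!\), and with the \(L \log_2 N\) approximation, reproduces the two figures above, works out how many words a dictionary of a given size needs to reach a target entropy, and draws a passphrase from a small constructed word list with the operating system's CSPRNG. The word list and the function names are assumptions made for the example.

```python
import math
import secrets

# Constructed sample dictionary; a real one would hold thousands of words.
SAMPLE_WORDS = ["apple", "bridge", "candle", "desert", "engine", "forest",
                "garden", "harbor", "island", "jungle", "kettle", "lantern"]


def passphrase_entropy_bits(n_words, length, exact=True):
    """Entropy in bits of a passphrase of `length` distinct words chosen
    uniformly at random from a dictionary of `n_words` words.

    exact=True : log2(C(N, L) * L!) = log2(N * (N-1) * ... * (N-L+1))
    exact=False: the L * log2(N) approximation, valid when N >> L
    """
    if length < 1 or length > n_words:
        raise ValueError("need 1 <= length <= n_words")
    if exact:
        # Sum the logs of the falling factorial instead of forming the huge product.
        return sum(math.log2(n_words - i) for i in range(length))
    return length * math.log2(n_words)


def words_needed(n_words, target_bits):
    """Smallest number of words giving at least `target_bits` of entropy
    (using the L * log2(N) approximation, so each word adds log2(N) bits)."""
    return math.ceil(target_bits / math.log2(n_words))


def generate_passphrase(dictionary, length):
    """Pick `length` distinct words with a CSPRNG, matching the C(N, L) * L!
    count in the text (sampling without replacement, order kept)."""
    rng = secrets.SystemRandom()          # os.urandom-backed, not random.Random
    return " ".join(rng.sample(dictionary, length))


if __name__ == "__main__":
    for n, l in ((10_000, 5), (3_000, 4)):
        print(f"N={n:>6} L={l}: exact {passphrase_entropy_bits(n, l):.2f} bits, "
              f"approx {passphrase_entropy_bits(n, l, exact=False):.2f} bits")
    print("words for 64 bits from a 3,000-word list:", words_needed(3_000, 64))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The exact and approximate values agree to within a few thousandths of a bit for these sizes, which is why the \(N \gg L\) approximation is safe in practice.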
Conclusions
Phrase-based passwords are easy to remember; hence they are great in terms of ease of use.
On the other hand, for this method to be reliable, the dictionary has to be quite large, and each password must contain at least 4 or 5 words.
4 Responses to Phrase Based Password Entropy
Nice post!
In future posts, you may want to extend on other ways to determine password strength, it’d be awesome
I agree with that. There are websites that can do that for you, but what is the point?
I'm working on Auth myself and I have run into a few of the same issues. I'm using something like this to filter:

    Users::applyFilter('save', function($self, $params, $chain) {
        $record = $params['entity'];
        // hash only when the record validates and is new (no id yet)
        if ($record->validates() && !$record->id) {
            $record->password = Password::hash($record->password);
        }
        $params['entity'] = $record;
        return $chain->next($self, $params, $chain);
    });

see if that didn't post. The idea is to only hash the password when saving a new record. Also I found myself having to hash again on the login side.
One way that might help to extend the size of the dictionary would be to include proper nouns. Using punctuation in a phrase might also help.