Very interesting and helpful too. Was looking for the total number of special characters and I found it here. Keep going. We need more security content like this
@youtube_user_427 a year ago
Very clear and helpful, excellent content!
@fritz3039 8 months ago
Thank you very much for the explanation. Our lecturer, a Prof. Dr., was not able to explain the whole thing in simple terms for us students.
@CyberMedics a year ago
Liked & subscribed. Best explanation I've seen on password entropy! How exactly is entropy affected if capitalization is added?
@SecPrivAca a year ago
Thanks! I am not sure, I understand your question. In the video I already include capital letters as part of the 78 different characters used (0:52). So if we know that only the first letter is capitalized, the entropy would be considerably lower. Edit: I think I get it now. You probably mean the xkcd-example. Capitalization would not change much, since most dictionaries have many different versions of all words. For example: password, Password, pa$$word, p4ssw02d, etc..
@CyberMedics a year ago
@SecPrivAca Sorry for the confusion. Yes, I did mean the xkcd example, since our video used the EFF version of the diceware list. Injecting just one capital letter and one special character seemed to increase the security of the passphrase, but not sure from a purely mathematical entropy analysis. That is why we'd appreciate your critique comment on the video. Thank you
@user-fb6sg3uy2z a year ago
Great video, helped me a lot. Can I ask tho, where have you got the number of 100B passwords/second from? I am creating a password strength estimator and cannot find conclusive numbers of how many passwords a modern PC can try per second (offline)
@Ken.- a year ago
google gpu password cracking
@SecPrivAca a year ago
Mainly from this SO-post which seems legit to me: stackoverflow.com/questions/54733868/how-many-attempts-per-second-can-a-password-cracker-actually-make
@ChozoSR388 a year ago
The thing that bothers me, and I know this is beyond the scope of this video but, is when some websites, particularly government agencies, make it a point to limit the length and character set that you can use for a password, for example, I used one government resource at one point, that limited password length to between 6 and 8 characters, and then disallowed the use of special characters. Granted, that's still a 62-character complement character set, but it just feels like they're being purposefully obtuse in the name of convenience over security, especially in a day and age where we live in a world where we don't (typically, unless we're out and about) even have to necessarily memorize passwords anymore, with the advent of password managers and OS-based key chains.
@SecPrivAca a year ago
This is completely crazy and undermines NIST guidelines (which are a government agency after all). If you as an attacker know that passwords are only between 6 and 8 characters it makes cracking incredibly easy.
@larrydevito8679 11 months ago
I do not understand time to guess password. Must 'try' each new guess in an attack; this will limit speed.
@SecPrivAca 11 months ago
Do you mean how many passwords can be guessed per second? This number is relatively common.
@larrydevito8679 11 months ago
@SecPrivAca Just guessing the next password is only part of the attack; you must also submit the new guess to see if it is correct.
@SecPrivAca 11 months ago
I see. In the video I am talking about offline attacks, meaning attacks that are carried out against, e.g., leaked password hashes. You are referring to online attacks, which are obviously much harder, since you can limit the number of tries, as you point out.
@larrydevito8679 11 months ago
@SecPrivAca OK. Leaked hashes. Yes, that can be fast. Thanks.
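As an added illustration of the points raised in this thread (not code from the video or its author): the worst-case search space and entropy for the 6-to-8-character, 62-symbol policy discussed above, a 78-symbol password of an assumed length of 10, and an EFF diceware passphrase (7776 words per roll), each timed at the 100 billion guesses/second offline rate from the video and at an assumed, rate-limited 10 guesses/second for an online attack.

```python
import math

# Offline cracking rate quoted in the video (guesses against leaked hashes).
OFFLINE_GUESSES_PER_SEC = 100e9
# Assumed online rate: a throttled login endpoint. Constructed value for illustration only.
ONLINE_GUESSES_PER_SEC = 10

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidates an attacker must enumerate when every length in
    [min_len, max_len] is allowed: sum of alphabet_size**n over those lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def worst_case_seconds(space: int, rate: float) -> float:
    """Time to exhaust the whole space at `rate` guesses per second."""
    return space / rate


def policy_report(name: str, alphabet_size: int, min_len: int, max_len: int) -> dict:
    space = search_space(alphabet_size, min_len, max_len)
    return {
        "policy": name,
        "bits": round(entropy_bits(space), 2),
        "offline_years": worst_case_seconds(space, OFFLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
        "online_years": worst_case_seconds(space, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    policies = [
        # The government site from the thread: 62 symbols, 6 to 8 characters.
        policy_report("62 symbols, 6-8 chars", 62, 6, 8),
        # The video's 78-symbol set; length 10 is an assumption, not stated in the thread.
        policy_report("78 symbols, 10 chars (assumed length)", 78, 10, 10),
        # EFF long diceware list: 7776 words; 6 words is an assumed passphrase length.
        policy_report("EFF diceware, 6 words (assumed)", 7776, 6, 6),
    ]
    for p in policies:
        print(f"{p['policy']:<40} {p['bits']:>6} bits  "
              f"offline {p['offline_years']:.2e} y  online {p['online_years']:.2e} y")
```

The 6-to-8-character policy exhausts in well under an hour at the offline rate, which is the reply above in numbers; the same space at a throttled online rate takes hundreds of thousands of years, which is why the distinction between offline and online attacks matters.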