Password Entropy explained

  • Added on 6. 09. 2024
  • You can buy me a coffee if you want to support the channel: buymeacoffee.c...
    I explain what password entropy is, how it is calculated and why seemingly secure passwords are not secure at all. I also present ways to make your passwords more secure.
    If you're interested in how hashing works, you can watch this video before:
    • Password hashing expla...

Comments • 20

  • @exiledmonastic4650
    @exiledmonastic4650 2 months ago +1

    very well done, i finally understood some of the concepts that other people just glance over. keep up the good work!

  • @elfrancisco9954
    @elfrancisco9954 1 year ago +2

    Very interesting and helpful too. Was looking for the total number of special characters and I found it here. Keep going. We need more security content like this

  • @youtube_user_427
    @youtube_user_427 1 year ago +2

    Very clear and helpful, excellent content!

  • @fritz3039
    @fritz3039 6 months ago

    Thank you very much for the explanation. Our lecturer, a Prof. Dr., was not able to explain the whole thing in simple terms for us students.

  • @CyberMedics
    @CyberMedics 11 months ago +1

    Liked & subscribed. Best explanation I've seen on password entropy! How exactly is entropy affected if capitalization is added?

    • @SecPrivAca
      @SecPrivAca 11 months ago +1

      Thanks! I am not sure I understand your question. In the video I already include capital letters as part of the 78 different characters used (0:52). So if we know that only the first letter is capitalized, the entropy would be considerably lower.
      Edit: I think I get it now. You probably mean the xkcd example. Capitalization would not change much, since most dictionaries have many different versions of all words. For example: password, Password, pa$$word, p4ssw02d, etc.

    • @CyberMedics
      @CyberMedics 11 months ago +1

      @SecPrivAca Sorry for the confusion. Yes, I did mean the xkcd example, since our video used the EFF version of the diceware list. Injecting just one capital letter and one special character seemed to increase the security of the passphrase, but not sure from a purely mathematical entropy analysis. That is why we'd appreciate your critique comment on the video. Thank you

  • @ChozoSR388
    @ChozoSR388 10 months ago

    The thing that bothers me, and I know this is beyond the scope of this video, is when some websites, particularly government agencies, make it a point to limit the length and character set that you can use for a password. For example, I used one government resource at one point that limited password length to between 6 and 8 characters, and then disallowed the use of special characters. Granted, that's still a 62-character complement character set, but it just feels like they're being purposefully obtuse in the name of convenience over security, especially in a day and age where we don't (typically, unless we're out and about) even have to necessarily memorize passwords anymore, with the advent of password managers and OS-based key chains.

    • @SecPrivAca
      @SecPrivAca 10 months ago

      This is completely crazy and undermines NIST guidelines (which are a government agency after all). If you as an attacker know that passwords are only between 6 and 8 characters it makes cracking incredibly easy.
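
The numbers in this sub-thread and in the description (a 78-character set at 0:52, 100 billion offline guesses per second, and a policy that allows only 6 to 8 characters from a 62-character set) can be put into a small calculator. The code below is an added example, not code from the video, the channel or any commenter; it assumes the worst case in which every candidate must be tried (the expected time is half of that), and it takes the 7776-word size of the EFF long diceware list as an assumption for the passphrase comparison raised earlier in the comments.

```python
import math

# Offline guessing rate used in the video and in this thread: 100 billion per second.
GUESSES_PER_SECOND = 100_000_000_000


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def keyspace_size(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords across every length the policy permits.

    A cracker who knows the policy (e.g. 6 to 8 characters) never has to try
    anything outside this range, which is the point made in the reply above.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given offline rate."""
    return candidates / rate


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase of words drawn uniformly from one wordlist.

    As noted in the thread, a single injected capital or symbol adds little when
    the cracker's dictionary already contains such variants, so it is not modelled.
    """
    return word_count * math.log2(wordlist_size)


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years down to seconds)."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def policy_report(alphabet_size: int, min_len: int, max_len: int) -> dict:
    """Summarise what a length/charset policy gives an offline attacker to work with."""
    candidates = keyspace_size(alphabet_size, min_len, max_len)
    worst_seconds = seconds_to_exhaust(candidates)
    return {
        "candidates": candidates,
        "max_entropy_bits": round(entropy_bits(alphabet_size, max_len), 1),
        "worst_case_seconds": worst_seconds,
        "worst_case": human_duration(worst_seconds),
    }


if __name__ == "__main__":
    # The policy from the comment above: 6 to 8 characters, letters and digits only.
    print("6-8 chars, 62-char set:", policy_report(62, 6, 8))
    # The video's 78-character set at a length a password manager would pick.
    print("12 chars, 78-char set: ", policy_report(78, 12, 12))
    # Assumption: a 7776-word diceware list (the EFF long list size), six words.
    print("6 diceware words:      ", round(passphrase_entropy_bits(7776, 6), 1), "bits")
```

Running it shows the whole 6-to-8-character, 62-character keyspace (about 2.2e14 candidates) falls in under an hour at 100 billion guesses per second, while 12 characters from the 78-character set take on the order of tens of thousands of years at the same rate; this is why the reply above calls the length cap "completely crazy".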

  • @user-fb6sg3uy2z
    @user-fb6sg3uy2z 1 year ago

    Great video, helped me a lot. Can I ask though, where have you got the number of 100B passwords/second from? I am creating a password strength estimator and cannot find conclusive numbers on how many passwords a modern PC can try per second (offline).

    • @Ken.-
      @Ken.- 1 year ago +2

      google gpu password cracking

    • @SecPrivAca
      @SecPrivAca 1 year ago +1

      Mainly from this SO-post which seems legit to me:
      stackoverflow.com/questions/54733868/how-many-attempts-per-second-can-a-password-cracker-actually-make

  • @larrydevito8679
    @larrydevito8679 8 months ago

    I do not understand the time to guess a password. You must 'try' each new guess in an attack; this will limit speed.

    • @SecPrivAca
      @SecPrivAca 8 months ago

      Do you mean how many passwords can be guessed per second? This number is relatively common.

    • @larrydevito8679
      @larrydevito8679 8 months ago

      @SecPrivAca Just guessing the next password is only part of the attack; you must also submit the new guess to see if it is correct.

    • @SecPrivAca
      @SecPrivAca 8 months ago +1

      I see. In the video I am talking about offline attacks, meaning attacks that are carried out against, e.g., leaked password hashes. You are referring to online attacks, which are obviously much harder, since you can limit the number of tries, as you point out.

    • @larrydevito8679
      @larrydevito8679 8 months ago +1

      @SecPrivAca OK. Leaked hashes. Yes, that can be fast. Thanks.

  • @hubertlenningrad2252
    @hubertlenningrad2252 1 year ago

    I can't hear you.