A better way to think about passwords

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 18 05:42:22 CEST 2011


> I'd be interested in the result that comes from the same assumptions
> you just used to refute his calculations. That is those that gave you
> the result 'equals ten seconds to break it -- not the 3 minutes he
> claims'

Depending on who you refer to, English words have between 1.5 and 2.5 bits of entropy per glyph.  There are a ton of different credible resources, all of which have different answers: Wikipedia says that it's between 0.6 and 1.5 bits per glyph.  Assuming 2.0 bits per glyph is optimistic, but it's within the realm of possibility.

An 11-character password has 22 bits of entropy, or about four million possibilities.  Four million divided by one hundred attempts per second (the number this guy claimed was reasonable for login attempts per second to a web service) equals 40,000 seconds, or just over 11 hours.

With that, you can do the math yourself to make your own back of the envelope calculations.  Don't trust my math: trust your own math.  :)

> I am genuinely interested in _roughly_ how much 'expected secure time'
> the phrase 'the puck in the ruck in the muck' (eight words) would buy
> you over some random 8 letter string.

And, like I told you, without a lot of context this question literally cannot be answered.
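The back-of-the-envelope arithmetic above, as an added worked example (not code from the original post): it takes the two assumptions the post says the answer hinges on, bits of entropy per glyph and guesses per second, as explicit parameters, reproduces the 11-hour figure, and shows how the same 11-character passphrase fares under the other per-glyph estimates the post cites and against a random 8-letter string. The 26-letter alphabet and the 0.6/1.5/2.0/2.5 bits-per-glyph values are taken from the post; everything else is a constructed input.

```python
import math


def passphrase_bits(length, bits_per_glyph):
    """Entropy estimate for natural-language text of `length` glyphs."""
    return length * bits_per_glyph


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits, guesses_per_second, expected=False):
    """Seconds to exhaust a keyspace of 2**bits at the given guess rate.

    expected=True gives the average case (half the keyspace), which is
    what an attacker actually experiences on average; the post quotes
    the worst case, so that is the default here.
    """
    space = 2.0 ** bits
    if expected:
        space /= 2
    return space / guesses_per_second


def hours_by_estimate(length, guesses_per_second, estimates):
    """Worst-case crack time in hours for each bits-per-glyph assumption."""
    return {
        bpg: crack_seconds(passphrase_bits(length, bpg), guesses_per_second) / 3600
        for bpg in estimates
    }


def bits_per_glyph_to_match(length, target_bits):
    """Per-glyph entropy a `length`-glyph phrase needs to equal `target_bits`."""
    return target_bits / length


if __name__ == "__main__":
    # Constructed scenario from the post: 11 glyphs, 100 online guesses/second.
    rate = 100
    for bpg, hours in hours_by_estimate(11, rate, [0.6, 1.5, 2.0, 2.5]).items():
        print(f"{bpg:.1f} bits/glyph -> {hours:10.2f} hours (worst case)")
    rand8 = random_string_bits(8, 26)
    print(f"random 8-letter string: {rand8:.1f} bits, "
          f"{crack_seconds(rand8, rate) / 3600 / 24:.0f} days at {rate}/s")
    print(f"11 glyphs would need {bits_per_glyph_to_match(11, rand8):.2f} "
          f"bits/glyph to match it")
```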



