On Fri, Feb 8, 2013 at 12:57 PM, Michael B. Smith <[email protected]> wrote:
>>   Ideally, password meters should measure entropy, but that's hard to deduce.
>
> Not so much, actually, as long as you control what you mean by entropy.
>
> http://xkcd.com/936/ :)

  I *almost* posted that link.

> See the response here by Akton:
>
> http://programmers.stackexchange.com/questions/167235/how-can-i-estimate-the-entropy-of-a-password

  That still seems to be mostly concerned with (1) permutations of
character sets and (2) dictionary attacks, neither of which directly
address entropy.  Now, a comprehensive dictionary, combined with a
comprehensive set of substitution rules, can at least tell you if your
password can be found using such, which is prolly just as good for
practical purposes.

  But to measure password strength derived from entropy, I think you'd
need heuristics taking into account things like patterns and
frequencies of both letters (spelling) and words (syntax, semantics).

  Disclaimer: Everything I just wrote could be a TOTAL LIE.

-- Ben
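
Added example (not part of the original message or thread): a sketch contrasting the two approaches discussed above, a character-set permutation estimate versus a dictionary lookup with substitution rules. The wordlist, the substitution table, and the DICT_SIZE and RULE_VARIANTS figures are constructed assumptions.

```python
import math
import string

# Constructed sample wordlist; a real meter would load a large dictionary.
WORDLIST = {"password", "letmein", "dragon", "sunshine"}

# Constructed substitution rules, undone before the dictionary lookup.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed attacker search space: dictionary size times rule variants per word.
DICT_SIZE = 100_000
RULE_VARIANTS = 1_000


def charset_bits(pw):
    """Naive estimate: length * log2(size of the character classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_hit(pw):
    """Return the base word if pw reduces to a wordlist entry, else None."""
    # Strip trailing digits/punctuation (e.g. "1!"), then undo substitutions.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    core = core.translate(UNLEET)
    return core if core in WORDLIST else None


def estimate_bits(pw):
    """Cap the charset estimate when a dictionary-plus-rules search finds pw."""
    bits = charset_bits(pw)
    if dictionary_hit(pw):
        bits = min(bits, math.log2(DICT_SIZE * RULE_VARIANTS))
    return bits


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "kq7#Zm2x!Lp9"):
        print(f"{pw!r}: charset={charset_bits(pw):.1f} bits, "
              f"word={dictionary_hit(pw)}, estimate={estimate_bits(pw):.1f} bits")
```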
