Calculating entropy for user- and random passwords

Question

When calculating entropy for user passwords, what is the standard method used? It almost seems as if everybody has his or her own opinions on what to use. Some reference xkcd, other people mention NITH and Shannon.

Say I want to calculate the entropy of the top-10 passwords in the Rockyou leak, what I should use. The majority of the Rockyou passwords are not randomly generated.

If I wanted to calculate the entropy of randomly generated passwords, such as those generated from resetting your password on websites, often 4-6 characters long, with only a-z, A-Z characters.

Are there any Python implementations of whatever recommended method recommended for these scenarios?

Shannon entropy for a password isn't very difficult nor useful. Why do you need it? — John La Rooy, Mar 09 '14 at 04:45
@gnibbler I assumed Shannon entropy was used because of how often it is talked about in password strenght cases. — user3260754, Mar 09 '14 at 16:37
See the "Limitations" section in the first link @Paul posted. — John La Rooy, Mar 10 '14 at 23:56
Keep in mind, that a calculated entropy cannot tell you, how fast a password could be cracked. — martinstoeckli, Mar 11 '14 at 07:57

score 2 · Answer 1 · edited May 23 '17 at 12:21

Depending on how interested you are in theory vs practice you could do is simply interface to a xkcd or NITH and get the result.

Regarding Shannon entropy and passwords: this link http://www.alertboot.com/blog/blogs/endpoint_security/archive/2011/11/29/password-strength-entropy-how-those-password-strength-checkers-work.aspx provides a good description of how Shannon entropy came to be used when discussing password strength. It is in some way an adaption of Shannon's original theorem which dealt with robustly communicating discrete data over noisy channels. While I can appreciate the adaption I feel it falls short in many respects but that is not the point here.

Have you seen these SO posts: What is the best way to check the strength of a password? or Password strength checking library or Checking the strength of a password (how to check conditions) or Python password strength

I do not know if there is one definitive way to compute password entropy. It is one of those problems that looks devilishly simple, but upon closer examination turns out to be surprisingly difficult without some limiting assumptions. If you want to simply check whether a password has 3 out of 4 categories of characters from various character classes that is trivial. In this sense one password would have higher entropy if it had more characters coming from more character classes. But this still has many shortcomings because how to decide if ab!! is stronger than aA#3. In the former it is 4 characters but only two character classes, in the latter there are 3 character classes. If you want to take into account dictionary words, reverse dictionary words, phrases it is that much harder...

are you referring to this -> https://www.xkcd.com/936/ ? and I didn't find any stuff for NITH /: — Boop, Jan 16 '19 at 09:25

Calculating entropy for user- and random passwords

1 Answers1