Expectation Entropy as a Password Strength Metric
Khan Reaz, Gerhard Wunder

TL;DR
This paper introduces Expectation Entropy, a new password strength metric that estimates the difficulty of cracking passwords on a scale comparable to existing entropy measures, providing more intuitive security assessments.
Contribution
The paper presents Expectation Entropy, a novel metric for evaluating password strength that aligns with existing entropy estimation tools and offers intuitive security interpretation.
Findings
Expectation entropy correlates with password guesswork difficulty.
It provides a scalable and interpretable measure of password strength.
The metric bridges the gap between combinatorics and entropy-based estimates.
Abstract
The classical combinatorics-based password strength formula provides a result in tens of bits, whereas the NIST Entropy Estimation Suite gives a result between 0 and 1 for Min-entropy. In this work, we present a newly developed metric, Expectation entropy, that can be applied to estimate the strength of any random or random-like password. Expectation entropy provides the strength of a password on the same scale as an entropy estimation tool. Having an 'Expectation entropy' of a certain value, for example 0.4, means that an attacker has to exhaustively search at least 40% of the total number of guesses to find the password.
