Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Do you know how they are calculating the approximate entropy score of the characters used in the passwords?

I entered the password from the xkcd comic in this web site: http://rumkin.com/tools/password/passchk.php

And got an entropy of 51.8 bits.

Long passwords are great (especially if one is using a password manager), but not many places accept them.



The short XKCD password is based on a dictionary word, making it vulnerable to intelligent brute force (oxymoron of the day).

I imagine the calculation goes something like this:

  1/50000     Likelihood of a particular uncommon word
  1/8         Substitute up to three letters for numbers
  1/2         Initial capital or initial lowercase
  1/32        Add a punctuation character at the end
  1/10        Add a digit at the end
  1/2         Possibly swap punctuation and digit at the end
  ----------------------------------------------------------
  1/512000000 Resulting probability
  -28.93157   log2(1/512000000) -- number of bits of entropy
So, if e.g. XKCD assumed only 25000 uncommon words to choose from, that would give ~28 bits of entropy.


Thanks for the thorough answer! I originally missed the part about using a real word as the base.

For my passwords, I use 8 character random strings so hopefully I am a little safer. Although, as I'm learning from all of these password leak debacles, you are only as secure as the systems using those passwords.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: