Hi,

Curt wrote:
> https://xkcd.com/936/

Well, this is a joke for mathematicians. ROFL et al.

> https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

... and this outlines why the other is so funny.

So what is the reason why
  IhaveaMemorablePasswordwhichIwillnotforget!
is an easy victim of the described methods, whereas
  WVAq7XLM4va6e1A4Bb4+Zw
is probably not?

The amount of information and redundancy in a message is relative to the knowledge of the reader. So giving an absolute value of information aka entropy is questionable.

One can estimate entropy by an approximation of the best possible compression in the context of the knowledge of the reader. The compression result will generally be longer if the compressor has less knowledge about the message.

In the given case the message is the password and helpful knowledge would be about systematic weaknesses of its production. E.g. if the password scheme is published as a cartoon.

Although the first example yields a longer gzip result than the second one, one must not ignore the problem of specialized compressors which can concisely represent some classes of passwords, thus defining short enumerations of these passwords.

In the case of the first password, a dictionary-based attack looks promising. Camelback style actually helps the attacker. Dictionary attacks are well suited for being run by botnets.

The Markov attack mentioned on page 2 of the sincere article is quite frightening. (Are you different enough from your neighbor?)

The second password class and my knowledge about it give me no more than a reduction of text bit number by 25 percent (6 bit text -> 8 bit binary) and a couple of bits which are harder to harvest. E.g. I know that a dictionary attack is of little use. That's one bit, because it's the first decision I can make. Any further insight might add only a fraction of a bit. (It's probabilistic. So we can grind bits to dust.)

Have a nice day :)

Thomas
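The point above about entropy being relative to the reader's knowledge can be tried out with a password-strength check. The following is an added example, not part of Thomas's message: it estimates the bit cost of both passwords under four "readers" with increasing knowledge. The word list, the 11-bit word index and the token cost model are assumptions made for illustration.

```python
import math
import zlib

# Constructed stand-in for a cracking dictionary; a real one is far larger.
WORDS = ["i", "have", "a", "memorable", "password", "which", "will", "not", "forget"]
DICT_BITS = 11   # assumed cost of one word index (2048-word list, as xkcd 936 assumes)
BASE64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

def raw_bits(pw):
    """No knowledge at all: 8 bits per character."""
    return 8 * len(pw)

def zlib_bits(pw):
    """General-purpose compressor (DEFLATE, as in gzip) with no password knowledge."""
    return 8 * len(zlib.compress(pw.encode(), 9))

def base64_bits(pw):
    """Reader knows only that each character is one of 64 symbols: 6 bits each."""
    return 6 * len(pw) if pw and set(pw) <= BASE64 else None

def dictionary_bits(pw):
    """Shortest encoding as dictionary words and literal characters (dynamic programming)."""
    word_cost = 1 + DICT_BITS + 1     # token-type flag + word index + capitalisation flag
    char_cost = 1 + math.log2(95)     # token-type flag + one printable ASCII character
    best = [0.0] + [math.inf] * len(pw)
    for i in range(len(pw)):
        best[i + 1] = min(best[i + 1], best[i] + char_cost)
        for w in WORDS:
            if pw[i:i + len(w)] in (w, w.capitalize()):
                j = i + len(w)
                best[j] = min(best[j], best[i] + word_cost)
    return best[-1]

def estimates(pw):
    return {"raw": raw_bits(pw), "zlib": zlib_bits(pw),
            "base64": base64_bits(pw), "dictionary": round(dictionary_bits(pw), 1)}

if __name__ == "__main__":
    for pw in ("IhaveaMemorablePasswordwhichIwillnotforget!", "WVAq7XLM4va6e1A4Bb4+Zw"):
        print(pw, estimates(pw))
```

Under these assumptions the first password drops from 344 raw bits to about 121 once the model knows its words, while the second only drops from 176 to 132 bits by knowing its 64-symbol alphabet.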