Hi,

i wrote:
> > One can estimate entropy by an approximation of the best possible
> > compression in the context of the knowledge of the reader.

Mario Castelán Castro wrote:
> In principle, yes, but in practice, not at all. File compressors [...]

I wrote "estimate", "approximation", and "best possible compression".
Of course gzip is not a very good approximation even if one subtracts
the header bytes.

Better approximations are presented in the article. Given the time spans
and computing powers which were mentioned, i'd say they performed less
than 2 exp 50 tries to crack the majority of good passwords.
I.e. the compression which is established by their enumeration can
squeeze those good passwords to less than 50 bits of size.
Of course, as any lossless compression, it has to inflate other better
passwords by at least one bit.

> > The second password class and my knowledge about it gives me not more
> > than a reduction of text bit number by 25 percent (6 bit text -> 8 bit
> > binary) and a couple of bits which are harder to harvest.

> This is a somewhat oversimplified analysis.

Wasn't it you who said in
  https://lists.debian.org/debian-user/2017/08/msg01260.html
  “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”

After exploiting the "base64" part to get my 25 percent, i'd go for
/dev/urandom. man 4 urandom says:
  "[...] if there is not sufficient entropy in the entropy pool, the
   returned values are theoretically vulnerable to a cryptographic
   attack on the algorithms used by the driver."

So if the non-guessable information in the password shall be near 128 bit,
then i would consider to use /dev/random while writing a little love poem
to my computer in order to fill the pool.

But even with only 64 bit of entropy (relative to our knowledge), we are
14 bits (= factor of 16384 tries) away from the majority of "good"
passwords in the article.
The testers would have to work 44.8 years rather than a day, or wait
23.9 years until Moore's law has caught up.
(Somebody should compute how long it lasts if they start now and keep
their equipment updated to the newest level.)

Have a nice day :)

Thomas
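The closing question of the message above, worked through as an added example that is not part of Thomas's post: how long the 14-bit gap takes on fixed hardware, by waiting, by buying once at the best moment, and with continuous upgrades. Assumptions: 2^50 tries take one day today, cracking speed grows smoothly and exponentially, and the doubling period is the one implied by the post's own figures (23.9 years for 14 bits); all function names are made up for this sketch.

```python
import math

DAYS_PER_YEAR = 365.25
# Assumption: doubling period inferred from the post (14 bits in 23.9 years).
DOUBLING_YEARS = 23.9 / 14


def fixed_hardware_years(gap_bits, baseline_days=1.0):
    """Today's equipment, never upgraded: 2**gap_bits baseline runs."""
    return (2 ** gap_bits) * baseline_days / DAYS_PER_YEAR


def wait_for_one_day_years(gap_bits, doubling=DOUBLING_YEARS):
    """Idle until hardware is 2**gap_bits faster, then the job takes a day."""
    return gap_bits * doubling


def work_done(years, doubling=DOUBLING_YEARS):
    """Work (in baseline-years) finished after `years` of always-current
    equipment: the integral of 2**(s/doubling) for s from 0 to years."""
    return doubling / math.log(2) * (2 ** (years / doubling) - 1)


def continuous_upgrade_years(gap_bits, baseline_days=1.0,
                             doubling=DOUBLING_YEARS):
    """Start now, keep equipment at the newest level: solve
    work_done(t) == total work for t."""
    work = fixed_hardware_years(gap_bits, baseline_days)
    return doubling * math.log2(1 + work * math.log(2) / doubling)


def buy_once_years(gap_bits, baseline_days=1.0, doubling=DOUBLING_YEARS):
    """Wait, buy one rig, run it to completion; waiting time chosen to
    minimise wait + run (optimal speedup is work * ln2 / doubling)."""
    work = fixed_hardware_years(gap_bits, baseline_days)
    speedup = max(1.0, work * math.log(2) / doubling)
    return doubling * math.log2(speedup) + work / speedup


if __name__ == "__main__":
    gap = 14  # 64-bit password vs. the roughly 2**50 tries in the article
    print(f"fixed hardware     : {fixed_hardware_years(gap):5.1f} years")
    print(f"wait, then one day : {wait_for_one_day_years(gap):5.1f} years")
    print(f"buy once, optimally: {buy_once_years(gap):5.1f} years")
    print(f"continuous upgrades: {continuous_upgrade_years(gap):5.1f} years")
```

Under these assumptions each additional bit of entropy costs the continuously upgrading attacker roughly one more doubling period once the gap is large, so the defender's margin grows linearly in bits rather than exponentially in years.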