2

I read the infamous xkcd cartoon comparing two passwords and their strength. Curious whether their calculation was accurate, I searched many entropy calculators and plugged in the two examples from xkcd.

  1. According to xkcd (https://xkcd.com/936/)
Tr0ub4dor&3 ~28 correcthorsebatterystaple ~44
  1. KeePassXC (https://github.com/keepassxreboot/keepassxc)
Tr0ub4dor&3 46.74 correcthorsebatterystaple 47.43
  1. Password Entropy Calculator (https://alecmccutcheon.github.io/Password-Entropy-Calculator/)
Tr0ub4dor&3 ShannonEntropyBits: 36.05 TrigraphEntropyBits: 71.96 correcthorsebatterystaple ShannonEntropyBits: 84.10 TrigraphEntropyBits: 110.74
  1. Password Quality Calculator (https://eyhn.github.io/PasswordQualityCalculator/)
Tr0ub4dor&3 63 correcthorsebatterystaple 92
  1. omnicalculator (https://www.omnicalculator.com/other/password-entropy)
Tr0ub4dor&3 Lower Latin 6 Upper Latin 1 Digits 3 Special 1 72.1 correcthorsebatterystaple Lower Latin 25 Upper Latin 0 Digits 0 Special 0 117.5

Not only did the numbers vary, the degree of difference between the two also fluctuated. KeePassXC caught my eye as it suggested that the two passwords were on par with each other. Why the difference? Are there more metrics then H = 1og 2 N^L ?

Improve this question
1
  • 1
    I always go back to this amazing explanation which considers entropy of password from the perspective of a motivated attacker, whose knowledge of the "process" that counts, not so much the password itself. Commented May 5, 2023 at 10:28

2 Answers 2

Reset to default
2

Entropy is a measure of uncertainty. Depending on context, uncertainty can vary. That's why entropy is not something absolute. Entropy depends on the context.

For instance, let's look at the word "car". If we know that a password is a words consisting of 3 English lower case letters, then there are 26^3=17576 different passwords possible. If a password is picked randomly from this set, the entropy is 14 bits.

If we know that a password is word picked randomly from the Diceware list, 7776 words, the entropy is 13 bits. The word length doesn't matter.

If we know that a password is a word picked randomly from the Oxford dictionary (about 600 000 words), the entropy is 19 bits. The word length doesn't matter. "car" (3 letters) and "electroencephalographically" (27 letters) have the same entropy of 19 bits.

If we know that password is a word picked randomly from a set of 4 words (car, truck, bus, vehicle), then the entropy is 2 bits. Again, the length does not matter.

The sites you mentioned use different models of what is known and what is not. That's why the have different estimation for the same password.

In the examples above I mean Shannon entropy. Another type of entropy is min-entropy. See also this post. There are also other definitions of entropy and correspondingly other metrics.

If you or your users generate passwords manually and want to estimate the password strength using these sites, then there could be other approaches. For instance, you can generate passwords using some quality random generator, store passwords in password manager, and remember only the master password, i.e. password for password manager.

Improve this answer
0

Besides the different models for purely random password choices explained by mentallurg, some of the above password strength estimations (like the KeePassXC one) take into account that users do not always choose randomly from a set of possibilities when constructing a password. Passwords like 123456 or abcdef follow an obvious pattern and should be considered much weaker than 6 randomly chosen digits or latin characters respectively. KeePassXC therefore has a custom score algorithm which uses the zxcvbn password strength estimator and additionally penalizes password reuse and expired passwords. This obviously will result in entirely different scores than basic entropy calculation.

A lot of the other algorithms you've listed are also explained either on the website itself or in the source code, so if you want to know how exactly the results were calculated and why they differ, you can check that.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.