
I know the general math behind using character-based and dictionary-based passwords/passphrases and how to determine the entropy of the result. But I am unclear how adding uppercase letters, numbers and other characters or words to a dictionary-based passphrase changes the entropy.

For example, using Diceware, a six word passphrase gives me 77.4 bits of entropy. But if I now were to do simple changes to the phrase, such as use some uppercase letters, add numbers or other symbols, how does that affect the entropy? (I don't even know if uppercase letters matter since it's the same dictionary of words.) Could I achieve 77 bits of entropy by using just a five word passphrase and adding a few numbers and symbols?

Similarly, what happens if I add a word from outside the dictionary? Does that merely make the dictionary one word larger and therefore, not really change the entropy at all?

Thanks

1 Answer


As long as you:

  • make such changes either randomly, or globally (for example, by capitalizing every word);
  • add all of the resulting words to your dictionary; and
  • continue to select words randomly for your passphrases

... then your entropy simply increases with the number of words.

But if you're doing anything non-random and non-global to transform the text, then you're adding complexity for which strict Shannon entropy is much less relevant than its "real-world" entropy (how hard it is to crack). This is because your resistance to cracking would then depend solely upon the obscurity of your method, which would violate Kerckhoffs' Principle and is therefore not recommended.

In my opinion, you're far better off either adding a word to the passphrase, or increasing the size of the dictionary (which you could certainly do by tweaking the words as you've suggested, as long as it's random or global).

I personally only capitalize, add numbers, add punctuation, etc. to my passphrases in order to comply with naive complexity requirements, and do not count these towards the effective entropy in any way. Trying to do so randomly makes them too hard to remember (which is the whole point of a passphrase), so I actually have a method (cap the first letter, and then add "2" and "!" to the end).

And since I do not rely on those tweaks to increase the entropy, I'm not shy about disclosing the method publicly. Kerckhoffs would be proud. ;)

  • 1
    Thank you so much, that explains a lot! In passing, this is similar to the advice I got about solar panels. With ground-based panels, I could optionally allow for the panels' angle to be tweaked during different seasons to increase efficiency. This, of course, adds complexity to the system. The efficiency gains would be easily surpassed by... just adding another panel. Commented Sep 18, 2017 at 3:37
  • You're welcome! (And if my answer is acceptable, explicitly marking it as accepted is always appreciated.) Commented Sep 18, 2017 at 4:33
