Does manipulating a random password significantly reduce its entropy?

Question

Suppose I generate a password using a secure random number generator and all the available character classes. For example, c.hK=~}~$Nc!]vFp9CgE.

Consider that this password may need to be used in an environment where it cannot be copy/pasted; it must be typed by hand on a keyboard every time. There is a lot of pressing and releasing of the Shift key to type it in, which gets annoying fast.

If the password's characters were rearranged so that all of the Shifted characters were grouped together on one side of the password (so, K~}~$N!FCEc.h=c]vp9g or c.h=c]vp9gK~}~$N!FCE), would it significantly reduce the entropy (and practical security) of the password? It would make it a little easier to type, because half the password could be typed by lazily laying on the Shift key and the other half without. But is there too much of a trade-off in terms of the security offered?

There is a simple and secure solution to avoiding the inconvenience of those characters. Stick with only lower case letters and make the password 40% longer instead. — kasperd, Aug 16 '15 at 15:48

score 7 · Answer 1 · edited Aug 14 '15 at 18:51

Any question about password entropy needs to start with a discussion of what "password entropy" really means, and what kind of attack you are trying to protect yourself from.

In a nutshell, password entropy is an estimate of how many incorrect guesses an attacker will have to make before they stumble onto your password. These estimates are based on standard brute-forcing dictionaries that are available online.

If you type your password into a password entropy estimator and it gives you a very long crack time, then you're probably ok against "drive-by" cracking attempts. By "drive-by" I mean that you are not being targeted in particular, you are just part of a large set of accounts that are being attacked. (As a side note, beware of typing the password you're about to use into an online entropy estimator, unless you've checked the source code for that site you have no guarantee that they will not add your password to the dictionary!)

What other people are going to answer is that if an attacker knows that you like to cluster your uppercase characters and they build a custom dictionary for you (or many people start doing this and the "drive-by" dictionaries start including that pattern), then your password loses roughly half its entropy. Fine, but is that really what you should be worried about?

If you're doing something non-standard (like clustering your uppers) and we make the assumption that the attacker knows that, then we're already out the domain of "drive-by" attacks and we should also consider things like:

Have any of your accounts been previously hacked? Do your passwords appear in leaked password databases [1] [2]? If so, how much information can they gain about the "patterns" that you use?
Do they have access to your emails, sms, blog posts, etc, to see what kinds of words you use?
Can they craft targeted phishing emails for you?
Do you always check the certificate info of a page before typing in your password?
Do you download software off the internet?

As you can see, once we're out of the domain of "drive-by" attacks, the theoretical entropy of your password very quickly stops being the important point.

I'm a strong advocate of the idea that once an attacker is spending effort to learn things about you, the whole idea of password entropy no longer makes sense.

Bottom line: Since you're starting from a random password and only applying a very mild pattern, you still have plenty of entropy. If you are worried about attacks other than drive-by dictionary attacks, then the entropy of your password is largely irrelevant because other factors become much more important.

SilverlightFox · Answer 2 · 2015-08-15T09:54:30.620

Since you have specifically asked about entropy, I'll start by covering the objective aspects of your question.

The entropy is reduced, because you are taking away half the keyspace from each side.

To simplify this, if the entropy of a 10 character password with lowercase and uppercase characters is

log2(52^10) = ~ 57 bits of entropy

then you remove the uppercase characters from the first half, and the lowercase characters from the last half, your entropy is effectively

log2(26^10) = ~ 47 bits of entropy

Plus 1 bit since that can occur the other way round too gives 48 bits. The above is assuming that the passwords are generated using a cryptographically secure pseudo random number generator - i.e. it is completely random and does not hold any patterns generated by the human brain that will be unintentionally predictable in many ways.

The entropy of a password is based on the generation technique, so if this is known then you have reduced the entropy as per the above. Don't rely on the method remaining secret.

However, if you want to do this for ease of entry, simply add two more characters to your password:

log2(26^12) = 56

Plus the 1 bit and you then have 57 bits for equivalent security of your original method.

However, you also asked about how this affects the practical security of your password. As said, unless the attacker knows the generation method of your password, in this case X number of characters that can be entered without the shift key and X number of characters that require the shift key, any password guessing attacks are going to be generic. That is, they are not targeting you in particular, and thus they do not know anything about your specific generation method. This means they will be trying generic word lists and common character sequences instead of sequences that fit your generation pattern. Therefore the entropy of their attack space does not match the entropy that your password generation method holds. This effectively makes your password practically more secure than the keyspace it is generated under in the case of non-targeted attacks.

In your case, assuming a randomly generated 20 character password this gives ~131 bits normally, and ~113 bits splitting it as described. Both are above the 80 bits NIST recommend for password strength.

grandchamp robin · Answer 3 · 2015-08-14T15:18:42.807

0

Yes

demonstration for a 15 char password (value are aproximate):

first password: entropy= log2(90)*15 = 100

15 char in a charset of 90

second password : entropy = log2(90/2)*15+4 =89 15 char take in a charset of 90/2 and hold shift after character N (N between 1 and 15 then entropy = 4)

time to break p1 = time to break p2* 2^(100-89)

your modified password is almost the same than removing all shifted char

edited Aug 14 '15 at 15:18

answered Aug 14 '15 at 15:07

grandchamp robin

161
6

What? Can you explain where you're getting those numbers from? – Mike Ounsworth Aug 14 '15 at 15:09
1

90 is the number of printable char (92 if i am not wrong), i assume half this number is obtain by pressing shift (not exactly true),6.5 = log2(90),5.5=log2(45) ,4=log2(16) – grandchamp robin Aug 14 '15 at 15:13
There are 94 printable chars on the en-US keyboard, and the shifted/unshifted split is exactly 47/47. There are 95 chars if you count space, which can't be meaningfully shifted. – smitelli Aug 14 '15 at 15:21

Mars · Answer 4 · 2015-08-14T15:22:23.700

-2

No it doesn't "significantly reduce the practical security" of the password.

Password is an "all or none" puzzle. The attacker doesn't know Char sets of each side of the password. So entropy is even useless here. Length is what matters (which in turn would affect entropy the most, anyway). If an attacker doesn't have that in the Dictionary he's using, he's never going to get it. In Brute Force, the Attacker will have to account for all Char sets you're using (assuming he knows those Char sets). Then arrangement won't make much difference. He still has to start Brute Forcing it until it's found.

edited Aug 14 '15 at 15:22

answered Aug 14 '15 at 15:11

Mars

1,843
3
16
22

While `He still has to start Brute Forcing it until it's found`, if the attacker discovers the algorithm, the space that needs to be brute forced is smaller. Answers like [this one](http://security.stackexchange.com/a/96860/10885) explain the math. – Neil Smithline Aug 14 '15 at 16:33
1

`So entropy is even useless here. Length is what matters` -- I strongly disagree. Despite being short, `%55x7u` is a MUCH stronger password than `password1234567890` – Mike Ounsworth Aug 14 '15 at 17:20
@Mike Ounsworth, my answer assumes following passwords best practices with adding a bit of complexity. I should have clarified that. To address your specific example, a password like "Pas$$wordx.............." Is actually much stronger than both of what you mentioned. That's due to padding with "." and the added bit of complexity in "password". Of course, padding can be with anything not just dots. But it serves to show how much effect padding (increasing length) have on strength of a password. It's also the most effective factor (i.e. length) on entropy. – Mars Aug 15 '15 at 18:02
I'm not saying that you can't make long passwords that are strong, obviously you can. But you can also make long passwords that are weak. My point is that length by itself is a bad measure of strength. – Mike Ounsworth Aug 15 '15 at 18:06

Does manipulating a random password significantly reduce its entropy?

4 Answers4

Linked