0

I have just started reading on the use of passphrase to increase a password entropy and have gained a rough understanding of it. However, I'm wondering if it's possible to further increase the entropy by making it more complex.

For example, let says a password is generated by putting two words from a dictionary of 2^14 words. This would cause the password to have a 2^28 entropy bits. To increase the entropy bits, I decided to do 2 things.

First, I would change the first letter of each word to uppercase.

Second, I would randomly choose 4 characters (excluding the first letter of each word) and change them to a corresponding digit.

Would either of the above-mentioned steps help in increasing the passphrase entropy? And if so, how do we calculate it?

weejing
  • 161
  • 2
  • 6
  • 3
    I think you might have missed the most popular question on this SE, about the entropy math behind XKCD's 'correct horse battery staple' comic. Summary, adding additional words to the sentence is probably easier to increase entropy than 1337sp34k – J.A.K. Feb 25 '17 at 19:16

1 Answers1

1

There are two ways to look at whether these changes provide you with more security. The first assumes that attackers doen't know of the passphrase creation changes you've made. If they tried to guess passphrases constructed from all lowercase words then they won't ever guess yours since they are outside the pool of guessed combinations. If they tried to guess traditional password formats or just brute-forced all possibilities up to a certain length then they probably won't guess your passphrase unless it happens to be short (e.g. you randomly select two three character words). In this scenario you probably have improved your passphrase security, but it's nearly impossible to measure.

The second, and in my opinion better, approach is to assume attackers do know your system for creating passphrases. It may be unlikely, but not outside the realm of possibilities that they might capture one of your passphrases or find one stored in plaintext from a site breach. This might allow them to guess your system by examining what they know from these other passphrases. Or this could be a common modification that they've learned other people have made to their passphrases so they consider it worth their time to try.

In this situation the attackers know to take two random words and capitalize the first letter. So the fact that you capitalize both words buys you no additional 'entropy' or strength against their attack. If you randomly decided whether to capitalize the first letter or not then that would essentially double your pool of possible words, because the attackers would need to try both versions for each word.

You don't really say how you're making your conversion of characters to digits. Are you doing a 'leet speak' change so that "e" becomes "3" and "i" becomes "1"? Is the substitution completely random? Either way I believe we'd need to know what words are in your dictionary and their respective lengths to estimate how many variations that change could produce. This is actually the hard part.

Let's assume all your words are seven characters and the digits are randomly chosen before replacing a letter. Then the number of candidates for digit replacement would be 12 since you aren't changing the two capitalized letters (U). You would need to map out all the possible arrangements of lowercase letters (L) and digits (D):

U D D D D L L U L L L L L L
U D D D L D L U L L L L L L
U D D D L L D U L L L L L L
....
U L L L L L L U L L D D D D

Then you would need to take the number of possible arrangements and multiply that times 10^4 (since each digit location can be one of 10 characters). Unless my math is wrong that should give you the total passphrase possibilities. You could then compare that to an unmodified word passphrase total to see how much additional security you've added.

But again, that assumes all the words in your dictionary are seven characters in length. Since this most likely isn't the case you'd need to map out digit possibilities for every possible permutation of two words for the different word lengths. I can estimate that's a pretty substantial security increase, but you'll have to work the numbers to figure out exactly how much you've gained.

PwdRsch
  • 8,361
  • 1
  • 28
  • 35