5

An argument people often use in favor of password managers is:

Human-generated passwords have less entropy than randomly generated ones!

Is there any research to back this up? Can we quantify it?

For example, if I wrote 2048 1s and 0s. How much entropy would you expect from an average human?

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
EralpB
  • 358
  • 3
  • 11
  • entropy would be fine, other statistical testing would reveal issues, ex: runs testing. – dandavis Aug 07 '17 at 10:17
  • 2
    I did not find a source, but I've read that the average human entropy is rather bad. When you ask some persons to write random strings of 1's and 0's, they will most likely not use very long groups. Their answers tend to be short, mixed groups: `00100111001010`, while algorithms / nature can produce a group like this `1111111111`. In fact, when you have i.e. a long thesis paper with a lot of numbers, the distribution of numbers would probably be even. If it's skewed, this might be a hint of manipulation. Maybe searching for the mechanism in plagiarism detection might reveal some statistics. – hamena314 Aug 07 '17 at 13:11
  • Some interesting points: https://security.stackexchange.com/a/66141/99028 – hamena314 Aug 07 '17 at 13:22
  • 1
    Here is some scientific work about the details: https://cogsci.stackexchange.com/questions/3591/how-well-can-a-human-generated-random-number-be-predicted/3592#3592 – hamena314 Aug 07 '17 at 13:24

2 Answers

2

This is what I could find in 30 minutes on Google Scholar.

Lots of papers on the entropy of human movement and walking gait. Lots of papers on measuring the entropy of passwords (for the purposes of displaying a strength meter). Some papers talking about the amount of entropy a human can memorize.

This paper is pretty close and probably contains some partial answers:

If I am reading Table 1 correctly, then they found that when allowed to make 8 - 10 character passwords, people tend to select passwords from a roughly 2^40 password space. This is kinda a measure of entropy, I guess.

Here are other papers I found that are close-ish to the spirit of your question:


So within the powers of 30 minutes of my Google-Fu, I am going to say: lots of research has been done on the average entropy of passwords found in database leaks (hint: it's real low).

But as to "what's the best a human brain can do?" It looks like: No, this research has not been done.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
1

As mentioned in the comments, I think a human writes a string like this without too many consecutive 0's or 1's. I made several people around me write a long string and nobody put 5 consecutive 1's or 0's. So I tried to make a calculation to find an upper limit for your question.

The probability that a 2048-bit-long binary string doesn't contain 5 consecutive 1's or 0's: 4.30023800644 * 10^(-57)

Approximate number of strings that don't contain 5 consecutive 1's or 0's among all strings: 4.30023800644 * 10^(-57) * 2^2048 = 2^(1860.754515) ~ 2^1861

Based on this, I can say the upper limit for humans is as much as a 1861-bit-long random string. If you add other conditions, we can calculate more precisely.

frkntrn
  • 41
  • 5