Interesting idea. From the info per character perspective it may be adding the same security as one more character for the most naive user but can add nothing for a user choosing true random passwords.
In English prose there are around 1.6 bits of entropy per character. This can be calculated from its compressibility. The best arithmetic compression algorithms (e.g. PPM) will compress a large body of English text down to about 20% of its original size. 8 * 0.2 = 1.6, which is why we frequently see the "1.5 bits per character" entropy number for English.
For good random pecking at the keyboard there are 95 printable characters, 95 ~= 2 ** 6.75 bit of entropy per key.
For our user password we have between 12.2 and 52.5 bits of entropy. Using the last 8 characters for an English word then a small amount of entropy is added, being the number of bit needed to encode the difference between password length and 8. If the users evenly distribute password lengths between 8 and 15 we have to add the entropy needed to store a value between 0 and 7 so 3 more bits of entropy free to the naive user. The completely random password is unaffected keeping 52.5 bits.
Few users will use passwords much longer than 8 characters so if we take all password lengths and compress that list I think we will find the entropy provided by the length data to be less than 1.6 bits per user, so about the same as making the step to 9 character english language passwords.
You can force users to use some numbers and some punctuation, you reduce the total password space but you do probably up the average users entropy.See further: the entropy of english
Cheers,
R.
In reply to Re^2: crypt help
by Random_Walk
in thread crypt help
by dave_pl
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |