@g-k
Created May 15, 2018 15:58
zxcvbn_strengths_to_entropy
> python ~/zxcvbn_strengths_to_entropy.py
# editing this a bit
0        1000 11.964340867792417
1     1000000 21.931567126628412
2   100000000 28.57542474467195
3 10000000000 35.219280948729356

# https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_wheeler.pdf
import math

# zxcvbn score thresholds as powers of ten: a password gets score n when its
# estimated guess count is below 10 ** strength_guess_exps[n].
strength_guess_exps = [
    3,   # too guessable: risky password. (guesses < 10^3)
    6,   # very guessable: protection from throttled online attacks. (guesses < 10^6)
    8,   # somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
    10,  # safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
    # 4 # very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
]

for strength, exp in enumerate(strength_guess_exps):
    guesses = 10 ** exp
    # assuming taking a log doesn't flip the inequality (it doesn't: log2 is monotonic)
    # and equating # guesses and expected # of guesses is OK
    # we get bits of entropy <= fn(guesses)
    # or highest entropy per strength level
    # (guesses - 1 because the bucket's upper bound is exclusive)
    entropy = math.log2(guesses - 1) + 2
    print(strength, f"{guesses:11d}", entropy)
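The loop above only goes one way, from a score bucket to its entropy ceiling. The following is an added example, not part of the original gist and not zxcvbn's own API: it turns the same buckets and the same log2(guesses - 1) + 2 conversion into reusable functions that map a guess estimate to a score, a score to its entropy ceiling, and an entropy estimate back to the score it would receive. The function names, the `SCORE_GUESS_LIMITS` constant and the sample values are this example's own assumptions.

```python
"""Added example (not from the original gist): the zxcvbn score buckets as
reusable functions, converting in both directions between an estimated guess
count, the 0-4 score, and the bits-of-entropy ceiling the gist derives with
log2(guesses - 1) + 2.  Names and the inverse mapping are this example's own
assumptions, not zxcvbn's API."""
import math

# Exclusive upper bounds on guesses for scores 0..3, from the scoring table the
# gist cites.  Score 4 covers every count at or above the last bound.
SCORE_GUESS_LIMITS = [10 ** 3, 10 ** 6, 10 ** 8, 10 ** 10]


def guesses_to_score(guesses):
    """Score 0-4 for an estimated guess count: the first bucket it falls under."""
    for score, limit in enumerate(SCORE_GUESS_LIMITS):
        if guesses < limit:
            return score
    return 4


def max_entropy_for_score(score):
    """Highest bits of entropy a password can have and still be rated `score`,
    using the gist's conversion.  Score 4 has no ceiling."""
    if score < 0 or score > 4:
        raise ValueError("zxcvbn scores run from 0 to 4")
    if score == 4:
        return math.inf
    # The largest integer guess count still inside the bucket is limit - 1.
    return math.log2(SCORE_GUESS_LIMITS[score] - 1) + 2


def entropy_to_score(entropy):
    """Lowest score whose entropy ceiling is at least `entropy`.
    Compares against the ceilings instead of inverting the log, so an estimate
    sitting exactly on a bucket edge is classified the same way every time."""
    for score in range(4):
        if entropy <= max_entropy_for_score(score):
            return score
    return 4


def score_table():
    """(score, guess bound, entropy ceiling) rows; reproduces the gist's output."""
    return [(s, SCORE_GUESS_LIMITS[s], max_entropy_for_score(s)) for s in range(4)]


if __name__ == "__main__":
    for score, bound, ceiling in score_table():
        print(score, f"{bound:11d}", ceiling)
    # Constructed sample: 2**19 guesses is under 10**6, so score 1; 20 bits is
    # under that bucket's ceiling of about 21.93 bits, so score 1 as well.
    print(guesses_to_score(2 ** 19), entropy_to_score(20))
```

Because the bucket bounds are exclusive, `guesses_to_score(999)` is 0 while `guesses_to_score(1000)` is already 1, which is exactly why the gist subtracts one before taking the log.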