> python ~/zxcvbn_strengths_to_entropy.py
# editing this a bit
0 1000 11.964340867792417
1 1000000 21.931567126628412
2 100000000 28.57542474467195
3 10000000000 35.219280948729356
Created
May 15, 2018 15:58
zxcvbn_strengths_to_entropy
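# Convert zxcvbn strength scores into a ceiling on bits of entropy.
# Score thresholds come from:
# https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_wheeler.pdf
import math

# List index = strength score (0-3); value = exponent e such that a password
# with that score is estimated to need fewer than 10**e guesses.
strength_guess_exps = [
    3,   # score 0, too guessable: risky password. (guesses < 10^3)
    6,   # score 1, very guessable: protection from throttled online attacks. (guesses < 10^6)
    8,   # score 2, somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
    10,  # score 3, safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
    # score 4, very unguessable: strong protection from offline slow-hash
    # scenario. (guesses >= 10^10) -- it has no upper bound on guesses, so
    # there is no entropy ceiling to compute and no entry here.
]

for strength, exp in enumerate(strength_guess_exps):
    # Guess-count ceiling for this score.
    guesses = 10 ** exp
    # Author's stated assumptions:
    #   * taking a log does not flip the inequality (log2 is strictly
    #     increasing on positive numbers, so the direction is preserved);
    #   * treating the guess count as the *expected* number of guesses is OK.
    # Under those, bits of entropy <= fn(guesses), so the value below is the
    # highest entropy compatible with the score. It is a ceiling, not an
    # estimate of any particular password's entropy.
    # NOTE(review): the `- 1` / `+ 2` form matches inverting Massey's bound
    # E[guesses] >= 2**(H - 2) + 1; presumably that is the relation taken
    # from the paper -- confirm.
    entropy = math.log2(guesses - 1) + 2
    # Print the guess ceiling too, so each row reads
    # "score guesses entropy" like the sample run shown with this script.
    print(strength, guesses, entropy)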