Selecting Secure Passwords

We mathematically explore a model for the shortness and security of passwords that are stored in hashed form. The model is implicit in the NIST publication [8] and is based on conditions on the Shannon, Guessing and Min entropy. We establish various new relations between these three notions of entropy, providing strong improvements on existing bounds such as the McEliece-Yu bound from [7] and the Min entropy lower bound on Shannon entropy [3]. As an application we present an algorithm generating near-optimally short passwords given certain security restrictions. Such passwords are specifically applicable in the context of one-time passwords (e.g. initial passwords, activation codes).
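The three entropy notions named above, computed on a constructed password distribution, with the classical relations between them checked numerically. This is an added illustration, not the paper's model or its password-generation algorithm: the probabilities are made up, the bound checks are the textbook ones (min entropy never exceeds Shannon entropy; Massey's lower bound on guesswork, G ≥ 2^(H−2)+1 when H ≥ 2 bits; the guesswork lower bound (2^(H_∞)+1)/2 that follows from no outcome exceeding the maximal probability), and the uniform-password length helper only covers the simple case in which all three measures coincide.

```python
import math


def shannon_entropy(probs):
    """Shannon entropy H(X) in bits: -sum p_i log2 p_i (zero-probability outcomes contribute 0)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy(probs):
    """Min entropy H_inf(X) = -log2 max_i p_i: the work (in bits) against a single best guess."""
    return -math.log2(max(probs))


def guessing_entropy(probs):
    """Guessing entropy (Massey's guesswork) G(X): expected number of guesses of an
    optimal guesser who tries candidates in order of decreasing probability."""
    ordered = sorted(probs, reverse=True)
    return sum(i * p for i, p in enumerate(ordered, start=1))


def check_bounds(probs, eps=1e-12):
    """Verify the standard relations between the three measures on one distribution.
    Returns a dict of named checks; 'massey' is only present when H >= 2 bits,
    the range in which Massey's bound applies."""
    h = shannon_entropy(probs)
    h_min = min_entropy(probs)
    g = guessing_entropy(probs)
    results = {
        # H_inf <= H always holds.
        "min_le_shannon": h_min <= h + eps,
        # Every p_i <= 2^-H_inf, so at least 2^H_inf outcomes exist and G >= (2^H_inf + 1) / 2.
        "guess_ge_min_entropy_bound": g + eps >= (2 ** h_min + 1) / 2,
    }
    if h >= 2:
        results["massey"] = g + eps >= 2 ** (h - 2) + 1
    return results


def uniform_password_length(required_bits, alphabet_size):
    """Shortest length of a uniformly random password over an alphabet of the given size
    reaching at least required_bits of min entropy. For uniform choice over N candidates
    all three measures agree: H = H_inf = log2 N and G = (N + 1) / 2, so length is the
    only free parameter. (Simplified helper added here; not the paper's algorithm.)"""
    return math.ceil(required_bits / math.log2(alphabet_size))


# Constructed sample: a skewed distribution over eight candidate passwords.
SKEWED = {"pw_a": 0.25, "pw_b": 0.25, "pw_c": 0.125, "pw_d": 0.125,
          "pw_e": 0.0625, "pw_f": 0.0625, "pw_g": 0.0625, "pw_h": 0.0625}


def uniform(n):
    """Uniform distribution over n candidates, for comparison with the skewed one."""
    return [1.0 / n] * n


if __name__ == "__main__":
    p = list(SKEWED.values())
    print("skewed : H=%.3f  H_inf=%.3f  G=%.3f" % (shannon_entropy(p), min_entropy(p), guessing_entropy(p)))
    u = uniform(8)
    print("uniform: H=%.3f  H_inf=%.3f  G=%.3f" % (shannon_entropy(u), min_entropy(u), guessing_entropy(u)))
    print(check_bounds(p))
    print("length for 40 bits over a 32-symbol alphabet:", uniform_password_length(40, 32))
```

On the skewed sample the three measures separate (H = 2.75, H_∞ = 2, G = 3.25) while on the uniform eight-candidate distribution they collapse to H = H_∞ = 3 and G = 4.5; the gap is what a model based only on Shannon entropy misses, which is why conditions on all three measures appear in the abstract.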

[1] David A. Huffman et al. A method for the construction of minimum-redundancy codes, 1952, Proceedings of the IRE.

[2] Antoon Bosselaers et al. Even Faster Hashing on the Pentium, 1997.

[3] Kellen Petersen August. Real Analysis, 2009.

[4] Robert J. McEliece et al. An inequality on entropy, 1995, Proceedings of 1995 IEEE International Symposium on Information Theory.

[5] Erdal Arikan. An inequality on guessing and its application to sequential decoding, 1996, IEEE Trans. Inf. Theory.

[6] J. Massey. Guessing and entropy, 1994, Proceedings of 1994 IEEE International Symposium on Information Theory.

[7] David Malone et al. Guesswork and entropy, 2004, IEEE Transactions on Information Theory.

[8] M. L. J. van de Vel. Theory of convex structures, 1993.

[9] Christian Cachin et al. Entropy measures and unconditional security in cryptography, 1997.