My question is: is a password composed of words, like FootballPractice, more secure than a password that has only 2 or 3 bits less entropy, for example FootbalPractic? My assumption is that the latter, although it has less entropy (2 bits less than the other), is more secure because it is protected from dictionary attacks. If I made my question unclear, let me know and I will edit it to try to explain it better.
Passwords do not have entropy, only the method used to generate the password has entropy.
If the attacker knows you use a wordlist then they can use the same wordlist to construct their guesses. If you take off the last letter of each word in your generation list, and the attacker knows this, they simply take off the last letter in theirs. The entropy would be exactly the same.
Your technique may enable your chosen passwords to go under the radar in a non-targeted dictionary attack, however in any targeted attack they may discover how you generate your passwords and alter their wordlist accordingly (e.g. from other breaches that may reveal your password when it has been cracked, from public website posts, etc).

SilverlightFox
So what you are saying is, this method is usable if I don't expect to be targeted on the websites I am using them at? – Magmagod Feb 22 '16 at 15:58
password (takes up 8 bytes in ASCII) has a very low entropy: you could find this on a list of the top 16 passwords, so about 4 bits of entropy (2^4 = 16). Meanwhile Bx.hC&V, a 7-char password generated by randomly selecting one of 94 printable characters (94^7 = 64847759419264 ≈ 2^45.9), has about 45.9 bits of entropy. Modifying words in your passphrase by truncating a letter adds a couple of bits of entropy. – dr jimbob Feb 22 '16 at 16:26

FootballPractice or FootbalPractic is still incredibly weak (two random words chosen from a reasonably sized dictionary generally have ~13 bits of entropy), so at best FootballPractice would originally be, say, 26-bit words, except the phrase is meaningful and likely not random, so its entropy is much lower, less than this. Even if you added, say, ~6 bits of entropy by truncating letters, it's still within the regime of online brute-force attacks. A password's entropy is the base-2 logarithm of the number of possible passwords it was chosen from. – dr jimbob Feb 22 '16 at 16:35
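The attacker-knows-the-rule argument in the answer above, and the log2 definition of entropy that dr jimbob gives in the comments, as an added worked example (Python written for this page, not code from the original thread or its participants). The 32-word list, the two mangling rules and the candidate passwords are constructed for illustration; a real passphrase list has thousands of words and a real cracker applies hundreds of rules:

```python
"""Added example for this thread (not code from the original post or its
commenters): entropy of a password-generation *method*, and why a mangling
rule the attacker knows (e.g. "drop the last letter of each word") adds
nothing against a dictionary attack that applies the same rule.

The 32-word list and the rule set below are constructed for illustration.
"""
import itertools
import math
from typing import Callable, Dict, Optional, Sequence

# Constructed toy wordlist: 32 entries, so one uniformly chosen word = 5 bits.
WORDLIST = [
    "Apple", "Banana", "Castle", "Dragon", "Eagle", "Forest", "Football",
    "Garden", "Harbor", "Island", "Jungle", "Kitten", "Lantern", "Meadow",
    "Nation", "Orange", "Practice", "Quartz", "River", "Silver", "Tiger",
    "Umbrella", "Valley", "Window", "Yellow", "Zebra", "Anchor", "Bridge",
    "Candle", "Desert", "Engine", "Falcon",
]

# Mangling rules an attacker might add to a wordlist (the kind of thing a
# cracker's rule engine does, written as plain Python here).
# "drop_last" is the asker's FootbalPractic scheme.
RULES: Dict[str, Callable[[str], str]] = {
    "identity": lambda w: w,
    "drop_last": lambda w: w[:-1],
}


def uniform_entropy_bits(n_candidates: int) -> float:
    """Entropy of one uniform choice among n_candidates: log2(n).
    This is the comment's definition: the base-2 log of the number of
    possible passwords the generator could have produced."""
    return math.log2(n_candidates)


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """n independent uniform picks from a list: n * log2(size).
    Only valid if the words really are chosen at random; a human-chosen
    meaningful phrase such as FootballPractice has less than this."""
    return n_words * uniform_entropy_bits(wordlist_size)


def random_chars_entropy_bits(alphabet_size: int, length: int) -> float:
    """length random symbols from an alphabet: length * log2(alphabet).
    94 printable ASCII characters, length 7, gives the comment's ~45.9 bits."""
    return length * uniform_entropy_bits(alphabet_size)


def entropy_with_unknown_rule(base_bits: float, n_rules: int) -> float:
    """If the attacker does NOT know which of n_rules mangling rules was
    applied, the candidate space grows by a factor of n_rules, i.e. by
    log2(n_rules) bits. Once the rule is known, that term is zero again."""
    return base_bits + uniform_entropy_bits(n_rules)


def guesses_to_crack(target: str, wordlist: Sequence[str], n_words: int,
                     rule: Callable[[str], str]) -> Optional[int]:
    """Simulate a dictionary attack: enumerate every n-word combination in
    list order, apply `rule` to each word, and return the 1-based guess
    number at which the target is hit, or None if the target lies outside
    the attacker's candidate space."""
    combos = itertools.product(wordlist, repeat=n_words)
    for i, combo in enumerate(combos, start=1):
        if "".join(rule(w) for w in combo) == target:
            return i
    return None


if __name__ == "__main__":
    print("top-16 list    :", uniform_entropy_bits(16), "bits")
    print("2 words of 32  :", passphrase_entropy_bits(32, 2), "bits")
    print("7 random chars :", round(random_chars_entropy_bits(94, 7), 1), "bits")
    for pw in ("FootballPractice", "FootbalPractic"):
        for name, rule in RULES.items():
            print(f"{pw:17} vs dictionary+{name:10}:",
                  guesses_to_crack(pw, WORDLIST, 2, rule))
    print("2 words, rule unknown among 4:",
          entropy_with_unknown_rule(10.0, 4), "bits")
```

Running it shows the answer's point concretely: FootbalPractic is never produced by the plain two-word dictionary, but as soon as the attacker adds the drop_last rule it falls at exactly the same guess number (209 of 1024) as FootballPractice does against the plain list, so the generation method's entropy is unchanged. The only gain is the log2(number of rules the attacker has to try) term, which is the "couple of bits" in the comments and disappears once the rule is known from a breach or a forum post.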