passphrase quality

Damien Miller djm at mindrot.org
Tue Nov 20 09:29:45 EST 2001


On Mon, 19 Nov 2001, Tim McGarry wrote:

> This is exactly what I want, obviously anybody can build their passphrases,
> on another ssh version, and I can't stop that. I'm assuming that if they've
> got enough noodles to do that, then they probably understand the importance
> of a good pass-phrase. I just want some sort of
> prompt for novice ssh users that says as in the example below.
> 
> $ ssh-keygen
> Enter passphrase: short
> ssh: your password quality
> your passphrase quality is 60%, would you like to re-enter a different

A couple of problems:

1. Any "percentage" measure is going to be subjective and misleading, 
what you need is an estimate of entropy.

2. Estimating entropy is hard - you can pretty easily get an upper bound
on how much entropy is in an arbitrary string of bits (using statistical 
tests), but it is practically impossible to get a lower bound - which is 
what you want.

3. This bloats OpenSSH.

4. If you are really interested in protecting your private keys - check out
OpenSSH's smartcard support :)

-d

-- 
| By convention there is color,       \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
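
Point 2 of the reply, as an added example (not part of the original message and not OpenSSH code): a character-class estimate gives an upper bound on passphrase entropy, and every structural model that fits the string lowers that bound without ever producing a lower one. The `WORDS` list, the function names and the sample phrases are constructed for illustration, and input is assumed to be printable ASCII.

```python
import math
import string

# Constructed 8-word list standing in for a generator/attacker word list
# (assumption; real lists are far larger).
WORDS = ["correct", "horse", "battery", "staple",
         "apple", "river", "candle", "window"]

def charset_bound_bits(s):
    """Upper bound: treat each character as uniform over the ASCII classes seen."""
    if not s.isascii():
        raise ValueError("this sketch only models printable ASCII")
    pool = 0
    if any(c in string.ascii_lowercase for c in s):
        pool += 26
    if any(c in string.ascii_uppercase for c in s):
        pool += 26
    if any(c in string.digits for c in s):
        pool += 10
    if any(c in string.punctuation or c == " " for c in s):
        pool += 33  # 32 punctuation characters plus space
    return len(s) * math.log2(pool) if pool else 0.0

def word_model_bits(s, words=WORDS):
    """Bits if the phrase was built by picking words uniformly from `words`;
    None when the phrase does not fit this model."""
    tokens = s.split()
    if not tokens or any(t not in words for t in tokens):
        return None
    return len(tokens) * math.log2(len(words))

def tightest_known_bound(s):
    """Smallest estimate among the models tried. Still an upper bound: a model
    we did not try may explain the string in fewer bits."""
    candidates = [charset_bound_bits(s)]
    wm = word_model_bits(s)
    if wm is not None:
        candidates.append(wm)
    return min(candidates)

if __name__ == "__main__":
    for phrase in ["short", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{phrase!r}: charset <= {charset_bound_bits(phrase):.1f} bits, "
              f"tightest tried <= {tightest_known_bound(phrase):.1f} bits")
```

The four-word phrase scores about 165 bits under the character-class bound but 12 bits once the word-list model is tried, which is why a single "quality" figure depends entirely on which models the estimator happens to know.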



