passphrase quality

Tim McGarry tim at mcgarry.ch
Wed Nov 21 06:07:48 EST 2001


I never suggested a scientific analysis of how good the key is, because it
could easily be ignored anyhow, just a vague yardstick to make stupid users
aware if their passphrase was too simple.

----- Original Message -----
From: "Damien Miller" <djm at mindrot.org>
To: "Tim McGarry" <tim at mcgarry.ch>
Cc: "Ladner, Eric (CLAD)" <CLAD at chevrontexaco.com>;
<openssh-unix-dev at mindrot.org>
Sent: Monday, November 19, 2001 11:29 PM
Subject: Re: passphrase quality


> On Mon, 19 Nov 2001, Tim McGarry wrote:
>
> > This is exactly what I want, obviously anybody can build their
> > passphrases on another ssh version, and I can't stop that. I'm assuming
> > that if they've got enough noodles to do that, then they probably
> > understand the importance of a good pass-phrase. I just want some sort of
> > prompt for novice ssh users that says as in the example below.
> >
> > $ ssh-keygen
> > Enter passphrase: short
> > ssh: your password quality
> > your passphrase quality is 60%, would you like to re-enter a different
>
> A couple of problems:
>
> 1. Any "percentage" measure is going to be subjective and misleading,
> what you need is an estimate of entropy.
>
> 2. Estimating entropy is hard - you can pretty easily get an upper bound
> on how much entropy is in an arbitrary string of bits (using statistical
> tests), but it is practically impossible to get a lower bound - which is
> what you want.
>
> 3. This bloats OpenSSH.
>
> 4. If you are really interested in protecting your private keys - check
> out OpenSSH's smartcard support :)
>
> -d
>
> --
> | By convention there is color,       \\ Damien Miller <djm at mindrot.org>
> | By convention sweetness, By convention bitterness, \\ www.mindrot.org
> | But in reality there are atoms and space - Democritus (c. 400 BCE)
>
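To make the two objections above concrete, here is an added example (not from the thread and not OpenSSH code) that computes a few cheap upper bounds on passphrase entropy and turns them into a "percentage"; the wordlist is a constructed stand-in, and the passphrases used in the comments are made up for illustration.

```python
import math

# Constructed stand-in for an attacker's wordlist (not a real dictionary).
COMMON_WORDS = ("password", "secret", "letmein", "dragon", "welcome", "short")

def charset_bound(p: str) -> float:
    """Bits if every character were drawn uniformly from the union of the
    character classes present. An upper bound: it ignores all structure."""
    size = 0
    if any(c.islower() for c in p):
        size += 26
    if any(c.isupper() for c in p):
        size += 26
    if any(c.isdigit() for c in p):
        size += 10
    if any(not c.isalnum() for c in p):
        size += 33  # printable ASCII punctuation plus space
    return len(p) * math.log2(size) if size else 0.0

def repetition_bound(p: str) -> float:
    """Charset bound of the shortest repeating unit: 'abcabcabc' carries
    no more information than 'abc'. Still only an upper bound."""
    for period in range(1, len(p) + 1):
        if len(p) % period == 0 and p[:period] * (len(p) // period) == p:
            return charset_bound(p[:period])
    return charset_bound(p)

def dictionary_bound(p: str, words=COMMON_WORDS) -> float:
    """Greedy tokenisation into known words: each word costs log2(len(words))
    bits (the attacker guesses words, not letters); leftovers cost their
    charset bound. Still an upper bound, since real wordlists are far larger."""
    bits, leftover, i, low = 0.0, "", 0, p.lower()
    while i < len(p):
        match = max((w for w in words if low.startswith(w, i)), key=len, default=None)
        if match:
            bits += math.log2(len(words))
            i += len(match)
        else:
            leftover += p[i]
            i += 1
    return bits + charset_bound(leftover)

def best_upper_bound(p: str) -> float:
    """Tightest cheap bound. None of these is a lower bound, so a meter built
    on them can only ever say 'definitely weak', never 'strong'."""
    return min(charset_bound(p), repetition_bound(p), dictionary_bound(p))

def quality_percent(p: str, full_marks_bits: float) -> int:
    """A 'percentage' is bits over an arbitrary target: the same passphrase
    scores 82% against 64 bits and 41% against 128 bits."""
    return min(100, round(100 * best_upper_bound(p) / full_marks_bits))
```

With the constructed wordlist, "Password1" gets a higher charset bound than the random-looking "Xq7$pL2!" but collapses to under 6 bits once words are counted, which is the "subjective and misleading" problem in one comparison.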