Subject: Re: security/10206 - proposed solution (concept)
To: None <>
From: Bill Studenmund <>
List: tech-security
Date: 08/17/2005 13:08:43
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 17, 2005 at 02:10:02PM -0400, Thor Lancelot Simon wrote:
> On Wed, Aug 17, 2005 at 01:05:22AM +0300, Elad Efrat wrote:
> > Hi,
> >=20
> > I've written concept code, still work in progress, that allows an
> > admin to set a password policy in /etc/passwd.conf.
> >=20
> > The current version has the following options when setting a policy:
> > minlen, maxlen, upper, lower, digits, punct.
> I'd like to see a "zbits" option: how many bits of entropy are in
> the password as approximated by the size when compressed with some
> reasonable compressor.  Not so useful with short passwords, quite
> useful when one is requiring long phrases.

Is there a tool that will measure this? I'd like to measure the entropy in=
my passphrases. I realize it's an approximate measure, but none the less=20

For the moment, I have tried compressing a file containing the passphrase
(both gzip -9 and bzip -9) and comparing the file length with that of a
compressed file that contained just a space (to estimate file format
overhead). Is that a reasonable estimator?

Take care,


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)