Score:2

Does grouping password characters for readability decrease entropy?


For example, for a randomly generated password of 28 lowercase letters, which is about 128 bits of entropy, how would adding a space after every four characters affect it?

```
ijaxjnddkcswzovcrpbnqqiwaqyb
ijax jndd kcsw zovc rpbn qqiw aqyb
```
Paul Uszak
Good question, but just consider that a password of _"ijax jndd kcsw zovc rpbn qqiw aqyb"_ has a lot less entropy than you think because the user will have to write it down on a Post-it and stick it to the VDU. See key derivation functions.
Mark
@PaulUszak it is not clear what notion of entropy you are discussing, but it does not appear to be Shannon entropy.
Paul Uszak
@Mark You're right. It's common sense entropy I guess. Both GCHQ and NIST now suggest avoiding password complexity in favour of things like _"running rats rainbows"_. It's been dropped from 800-90b too. That way you don't need to stick it to the terminal.
Mark
@PaulUszak I agree systems like that (explicitly tools like [diceware](https://diceware.dmuth.org/)) are better to memorize a (master) password, and you should use a password manager for your other passwords. But this question also has a formal mathematical answer --- $H(X) = H(f(X))$ for any discrete distribution $X$, and any (injective) function $f$. The discussed encoding is injective, so cannot decrease entropy.
Score:7

Adding characters to an existing password in such a fixed and known way does not alter its entropy as long as everything else remains the same.

In your specific case, adding a space every four characters can be seen as purely formatting to make passwords more readable.

Should an attacker not know about the formatting, the password just became six characters longer (and harder to brute force). If the attacker knows about the formatting they are back to brute forcing the password in a ~128 bit search space.

Small note: you could make the spacing a display property only (this might be doable with a web interface, difficult with a terminal).
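
The comment above ($H(X) = H(f(X))$ for injective $f$) and this answer both rest on the grouping being an invertible transformation. The following is an added example, not part of the original posts: it computes the entropy exactly over a small constructed password space, contrasts grouping with a non-injective transformation (truncation), and shows the separators being stripped before comparison. The function names and the 4-letter toy alphabet are assumptions made for illustration.

```python
import math
import secrets
import string
from collections import Counter
from itertools import product

ALPHABET = string.ascii_lowercase

def group(pw, n=4):
    """Insert a space after every n characters (fixed, public formatting)."""
    return " ".join(pw[i:i + n] for i in range(0, len(pw), n))

def ungroup(shown):
    """Inverse of group(): strip separators before hashing or comparing."""
    return shown.replace(" ", "")

def shannon_bits(samples):
    """Shannon entropy in bits of the empirical distribution of samples."""
    counts = Counter(samples)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def entropy_after(f, length=3, alphabet="abcd"):
    """Exact entropy of f(X), X uniform over every string of this length.

    The toy space (4 letters, length 3, 64 strings) is constructed so the
    whole distribution can be enumerated.
    """
    return shannon_bits(f("".join(t)) for t in product(alphabet, repeat=length))

def uniform_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print("identity  :", entropy_after(lambda s: s))            # baseline
    print("grouped   :", entropy_after(lambda s: group(s, 2)))  # injective
    print("truncated :", entropy_after(lambda s: s[:2]))        # not injective

    pw = "".join(secrets.choice(ALPHABET) for _ in range(28))
    shown = group(pw)
    assert ungroup(shown) == pw  # formatting is fully reversible
    print(shown)
    print("entropy of the 28 letters      :", round(uniform_bits(28, 26), 1))
    # Candidates a guesser enumerates if unaware of the fixed spacing:
    # 34 positions over 27 symbols. The password's entropy is unchanged.
    print("naive 34-char search space bits:", round(uniform_bits(34, 27), 1))
```

Calling `ungroup()` on input before hashing makes the spacing a display property only, so users can type the password with or without the spaces.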
