Does grouping password characters for readability decrease entropy?

typo

1/4/23, 6:28 PM

For example, for a randomly generated password of 28 lowercase letters, which is about 128 bits of entropy, how would adding a space after every four characters affect it?

ijaxjnddkcswzovcrpbnqqiwaqyb
ijax jndd kcsw zovc rpbn qqiw aqyb

1 + 4

passwords

entropy

randomness

Paul Uszak

1/4/23, 11:21 PM

Good question, but just consider that a password of _"ijax jndd kcsw zovc rpbn qqiw aqyb"_ has a lot less entropy than you think because the user will have to write it down on a Post-it and stick it to the VDU. See key derivation functions.

Mark

1/4/23, 11:52 PM

@PaulUszak it is not clear what notion of entropy you are discussing, but it does not appear to be Shannon entropy.

Paul Uszak

1/4/23, 11:59 PM

@Mark You're right. It's common sense entropy I guess. Both GCHQ and NIST now suggest avoiding password complexity in favour of things like _"running rats rainbows"_. It's been dropped from 800-90b too. That way you don't need to stick it to the terminal.

Mark

1/5/23, 12:02 AM

@PaulUszak I agree systems like that (explicitly tools like [diceware](https://diceware.dmuth.org/)) are better to memorize a (master) password, and you should use a password manager for your other passwords. But this question also has a formal mathematical answer --- $H(X) = H(f(X))$ for any discrete distribution $X$, and any (injective) function $f$. The discussed encoding is injective, so cannot decrease entropy.

Score:7

Crypto

Marc

1/4/23, 6:56 PM

Adding characters to an existing password in such a fixed and known way does not alter its entropy as long as everything else remains the same.

In your specific case, adding a space every four characters can be seen as purely formatting to make passwords more readable.

Should an attacker not know about the formatting, the password just became six characters longer (and harder to brute force). If the attacker knows about the formatting they are back to brute forcing the password in a ~128 bit search space.

Small note: you could make the spacing a display property only (this might be doable with a web interface, difficult with a terminal).

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Does grouping password characters for readability decrease entropy?

TH: การจัดกลุ่มอักขระรหัสผ่านเพื่อให้อ่านได้จะลดค่าเอนโทรปีหรือไม่

RO: Gruparea caracterelor parolei pentru lizibilitate scade entropia?

RU: Уменьшает ли энтропию группировка символов пароля для удобства чтения?

VI: Việc nhóm các ký tự mật khẩu để dễ đọc có làm giảm entropy không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.