Password Entropy estimation People are bad at achieving sufficient entropy to produce satisfactory passwords NIST suggests the following scheme to estimate the entropy of human-generated passwords The entropy of the 1st character is 4 bits The entropy of the next 7 characters are 2 bits per character: The 9th through the 20th character has 1.5 bits of entropy per character Characters 21 and above have 1 bit of entropy per character This would imply that an 8 character human 38 selected password has about 18 bits of entropyPassword Entropy Estimation • People are bad at achieving sufficient entropy to produce satisfactory passwords • NIST suggests the following scheme to estimate the entropy of human-generated passwords: • The entropy of the 1st character is 4 bits; • The entropy of the next 7 characters are 2 bits per character; • The 9th through the 20th character has 1.5 bits of entropy per character; • Characters 21 and above have 1 bit of entropy per character. • This would imply that an 8 character human￾selected password has about 18 bits of entropy. Topic 3: User Authentication 382/3/2021