> There is no way to tell if a password is strong since it may be reused.
Very good point. From that perspective any reported strength can be extremely misleading.
As far as bits go, this is where I get a bit lost. Calculating the number of bits only makes sense if the attacker knows what your character set is. Otherwise they will need to iterate over the full set of characters.
So a 20 character password of Xs and Ys is just as strong as a 20 character password with lowercase, uppercase, digits, and 10 symbols (72 options) as far as I can tell.
The other issue is, even if I have the entropy of the password I don’t know what “strong” really means. Presumably something like logarithm > some value, but that value also seems completely arbitrary.
If a service didn't want to store 124 _bytes_ in a database to represent the above base 2 password, it can use a hashing algorithm like SHA256 to reduce the storage requirements to 32 bytes. The password still has 124 _bits_ of entropy even though 256 bits are stored.
>Calculating the number of bits only makes sense if the attacker knows what your character set is.
Assume that the attacker knows the character set in both cases, as this is the worst-case scenario. The equivalence is then apparent.
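To make the worst-case entropy comparison in the reply above concrete, here is an added example (not code from any commenter in this thread). It computes the entropy of a uniformly random password under the assumption that the attacker knows the alphabet, compares the 20-character binary password with the 20-character 72-symbol one, and turns the bit count into an expected brute-force time; the guess rate and the 80-bit threshold are assumed illustration values, not figures from the thread.

```python
import math

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols chosen from an
    alphabet of `alphabet_size` symbols, assuming the attacker knows the alphabet
    (the worst case for the defender)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)

def search_space(alphabet_size: int, length: int) -> int:
    """Total number of candidate passwords the attacker must consider."""
    return alphabet_size ** length

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second

def is_strong(alphabet_size: int, length: int, threshold_bits: float) -> bool:
    """Policy check: 'strong' means the worst-case entropy meets an agreed threshold.
    The threshold itself is a policy choice, not something the math fixes."""
    return entropy_bits(alphabet_size, length) >= threshold_bits

if __name__ == "__main__":
    # Constructed scenarios matching the thread: 20 chars of X/Y vs 20 chars from 72 symbols.
    guesses_per_second = 1e10   # assumed attacker rate, for illustration only
    threshold = 80              # assumed policy threshold in bits
    for name, alphabet in (("Xs and Ys", 2), ("72-symbol set", 72)):
        bits = entropy_bits(alphabet, 20)
        print(f"{name:14s} space={search_space(alphabet, 20):.3e} "
              f"entropy={bits:6.1f} bits "
              f"expected crack={expected_crack_seconds(bits, guesses_per_second):.3e} s "
              f"strong@{threshold}b={is_strong(alphabet, 20, threshold)}")
```

The two 20-character passwords are not equivalent under this model: the binary one carries 20 bits, the 72-symbol one about 123.4 bits, so the second search space is larger by a factor of 2^103. Rounding 123.4 up gives the 124 bits quoted later in the thread.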