<br><br><div class="gmail_quote">On Thu, Jul 1, 2010 at 12:53 PM, Tilghman Lesher <span dir="ltr"><<a href="mailto:tlesher@digium.com">tlesher@digium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">
<br>
</div>That would only be true if you used random characters in your 17-character<br>
passphrase. In fact, English text has somewhere between 0.6 and 1.5 bits of<br>
randomness per letter, whereas an SHA1sum has no more than 4 bits of<br>
randomness per letter. Let's assume the higher number of randomness for<br>
your English text, which gives us 1.5 * 17, which is 25.5 bits of randomness.<br>
Note that the prefix 3 characters have ZERO randomness per character, as they<br>
are deterministic from the extension. That gives an even less 21 bits of<br>
randomness. SHA1 cryptographic sums have no more than 160 bits of randomness.<br>
<br>
I say "no more than", because, given knowledge of the algorithm used to<br>
determine passwords, the sum is reduced to the number of bits of randomness in<br>
the source material. You cannot generate randomness by applying a<br>
deterministic algorithm. However, given that the source material for the hash<br>
sum is of a smaller bit strength than the comparative strength of the hash<br>
algorithm, your difficulty of guessing the password is not reduced any by<br>
using the hash algorithm for generative purposes.<br>
<div class="im"><br></div></blockquote></div><br><br>With this in mind, I'll be sure to forge my passwords from Chinese text from now on.<br><br><br>