This paper introduces Expectation Entropy, a novel metric designed to estimate the strength of random or random-like passwords. The motivation stems from a practical gap in existing password strength assessment tools. Classical combinatorics-based formulas (e.g., $\log_2(\text{character space}^{\text{length}})$) output results in tens of bits, while the industry-standard NIST Entropy Estimation Suite provides a normalized min-entropy score between 0 and 1. This discrepancy makes direct comparison and intuitive interpretation challenging. Expectation Entropy bridges this gap by providing a strength estimate on the same 0-1 scale as NIST's tool, where a value of, for example, 0.4 indicates an attacker must exhaustively search at least 40% of the total possible guesses to find the password.
The work is contextualized within the "PHY2APP" project, focusing on generating strong symmetric passwords for Wi-Fi device provisioning (ComPass protocol) using Physical Layer Security methods, highlighting the need for a robust, scalable strength metric.
Entropy measures disorder, randomness, or uncertainty. Different definitions apply variably to password strength.
Defined as $H_{\infty} = -\log_2(\max(p_i))$, where $p_i$ is the probability of an element. It represents the worst-case scenario, measuring the difficulty of guessing the most likely outcome. This is the basis for the NIST suite's output.
Defined as $H_1 = -\sum_{i=1}^{N} p_i \log_2 p_i$. It provides an average measure of information content but is criticized for being unrelated to actual guessing difficulty in password cracking contexts, as it ignores password length and the attacker's optimal strategy.
Defined as $H_0 = \log_2 N$, it measures only the size of the distribution (alphabet size), completely ignoring character probabilities.
Defined as $G = \sum_{i=1}^{N} p_i \cdot i$, where guesses are ordered by decreasing probability. This measures the expected number of guesses required by an optimal attacker. It is more directly related to practical cracking time but is not normalized.
Expectation Entropy is built upon the concept of Guessing Entropy but normalized to a [0, 1] scale. The core idea is to estimate the strength from a single password's composition. It considers disjoint character sets: lowercase letters $L$ (|L|=26), uppercase letters $U$ (26), digits $D$ (10), and symbols $S$ (32), forming a total character space $K$ of size 94 for English.
While the full mathematical derivation for a single password is implied but not fully explicit in the provided excerpt, the metric essentially normalizes the effort required by an optimal attacker relative to the total search space. If $G$ is the Guessing Entropy and $N$ is the total number of possible passwords (e.g., $94^{\text{length}}$ for full space), a normalized form could be conceptually related to $E \approx G / N_{eff}$, where $N_{eff}$ is an effective search space size considering the password's composition.
The key innovation is its interpretable scale. An Expectation Entropy value of $\alpha$ (where $0 \le \alpha \le 1$) means an attacker must perform at least a fraction $\alpha$ of the total required guesses (in an optimal order) to crack the password. A value of 1 indicates ideal randomness where the attacker must perform a full brute-force search. This aligns intuitively with the NIST min-entropy scale, facilitating comparison and decision-making for system designers.
Core Insight: Reaz and Wunder aren't just proposing another entropy metric; they're attempting to solve a critical usability and interpretability gap in security engineering. The real problem isn't a lack of complexity measures, but the cognitive friction when a combinatorics tool screams "80 bits!" and NIST whispers "0.7". Expectation Entropy is a pragmatic translator, converting cryptographic strength into an actionable, probabilistic risk score on a unified dashboard.
Logical Flow: The argument is elegantly simple: 1) Existing metrics live on different planets (bits vs. normalized scores), causing confusion. 2) Guessing Entropy ($G$) is closer to an attacker's reality but isn't bounded. 3) Therefore, normalize $G$ relative to the effective search space to create a 0-1 score that directly maps to an attacker's required effort percentage. This bridges the theoretical (NIST's min-entropy) and the practical (password cracker's workload).
Strengths & Flaws: The strength is its elegant simplicity and immediate interpretability—a godsend for policy makers and system architects. However, the devil is in the distributional assumptions. The metric's accuracy heavily depends on correctly modeling the probability distribution $p_i$ of characters within a single password sample, which is a notoriously difficult statistical problem. Unlike NIST's suite which tests long bitstreams, applying this to a short 16-character password requires robust estimators that may be sensitive to biases. The paper, from the excerpt, doesn't fully detail this estimation process for a single instance, which is its Achilles' heel.
Actionable Insights: For security teams, this metric could be integrated into password creation APIs or Active Directory plugins to provide real-time, intuitive strength feedback ("Your password requires 60% of guesses to crack"). For researchers, the next step must be a rigorous, large-scale empirical validation against real-world cracking tools (like Hashcat or John the Ripper) to calibrate the model. Does an Expectation Entropy of 0.8 truly mean 80% of the search space? This needs proof against adversarial AI models, similar to how GANs are used to attack other security domains. The concept is promising, but its operational utility hinges on transparent, peer-reviewed validation beyond the controlled environment of machine-generated passwords.
Based on the concepts outlined, the Expectation Entropy $H_E$ for a password can be conceptually framed. Let a password of length $l$ be drawn from an alphabet $\mathcal{A}$ with an associated probability distribution for each character position (which may be estimated from the password itself or a reference corpus).
The precise, efficient algorithm for estimating this from a single sample is the core technical contribution implied by the authors.
Note: The provided PDF excerpt does not contain specific experimental results or charts. The following is a description based on what a typical validation study for such a metric would involve.
A comprehensive evaluation of Expectation Entropy would likely involve the following charts:
The key result to validate is the claim: "Having an Expectation entropy of a certain value, for example, 0.4 means that an attacker has to exhaustively search at least 40% of the total number of guesses." This requires empirical attack simulations.
Scenario: Evaluating two 12-character passwords for a system using the 94-character printable ASCII space.
Summer2024!k9$Lp@2W#r1ZClassical Bit-Strength: Both have the same theoretical maximum: $\log_2(94^{12}) \approx 78.7$ bits.
Expectation Entropy Analysis:
This example demonstrates how Expectation Entropy provides a more nuanced and realistic risk assessment than the identical bit-strength from the classical formula.
Immediate Applications:
Future Research Directions: