Input: Entropy and You

ADIDS Element

Input

Parent Topic(s)

Entropy and Password Security

Duration

15 minutes

Input

In this lesson, a significant amount of Input is interwoven in the Deepening exercise as well, so this content serves as an introduction, and should be connected with the Activity exercise.

Input Content

Entropy is a small word for a big concept. Entropy is a measure of chaos, or the absence of order.

What does that have to do with passwords, or security, you ask? If you’ve ever had to scribble your mouse across the screen for a few minutes to create a TrueCrypt or (more recently) VeraCrypt encrypted drive, you have experienced this. You were creating some chaos, some randomness… some entropy to make the drive more secure. Why does that work?

Guessing facts about a city you’ve never visited is easy because cities follow many similar patterns – and often legal regulations – in how they are laid out. Once you understand the basic patterns (does a city have streets?), you can probably guess that it also has cars, sidewalks, parking lots or garages, and so on. Language has a similar cadence, with rules of spelling and grammar (well, less so with English), and Claude Shannon’s study of information entropy in language is foundational to many security concepts today. Consider Shannon’s original experiment, as explained in The Bit Bomb:

"Shannon expanded this point by turning to a pulpy Raymond Chandler detective story […] He flipped to a random passage […] then read out letter by letter to his wife, Betty. Her role was to guess each subsequent letter […] Betty’s job grew progressively easier as context accumulated […] a phrase beginning ‘a small oblong reading lamp on the’ is very likely to be followed by one of two letters: D, or Betty’s first guess, T (presumably for ‘table’). In a zero-redundancy language using our alphabet, Betty would have had only a 1-in-26 chance of guessing correctly; in our language, by contrast, her odds were closer to 1-in-2."

That difference, from 1-in-26 down to 1-in-2, is exactly the concept we’re exploring! It’s also a large part of how “Large Language Models” like ChatGPT work, but that’s a separate story.
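Shannon’s guessing game can also be played by a program. The following is an added example, not part of the original lesson: a simple letter-frequency model (an assumption standing in for Betty) guesses each next letter, and the number of guesses it needs shows how context pulls the bits per letter below the 4.70 of a 26-letter alphabet with no redundancy. The function names and the training text are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz"      # 26 symbols, as in the quote
UNIFORM_BITS = math.log2(len(ALPHABET))      # zero-redundancy language: 1-in-26

def letters(text):
    """Lowercase the text and keep a-z only, so there are exactly 26 symbols."""
    return "".join(c for c in text.lower() if c in ALPHABET)

def train(text, order):
    """Count which letter follows every context of 0..order preceding letters."""
    model = defaultdict(Counter)
    for i, ch in enumerate(text):
        for k in range(min(order, i) + 1):
            model[text[i - k:i]][ch] += 1
    return model

def guess_order(model, context, order):
    """Letters in the order the guesser tries them: most frequent after the
    longest known context first, then shorter contexts, then plain a-z."""
    ranked = []
    for k in range(min(order, len(context)), -1, -1):
        followers = model.get(context[len(context) - k:], Counter())
        ranked += [ch for ch, _ in followers.most_common() if ch not in ranked]
    return ranked + [c for c in ALPHABET if c not in ranked]

def play(model, order, text):
    """Guess number (1 = right first time) needed for each letter of `text`."""
    return [guess_order(model, text[max(0, i - order):i], order).index(ch) + 1
            for i, ch in enumerate(text)]

def bits_per_letter(ranks):
    """Entropy of the guess-number distribution, in bits per letter."""
    n = len(ranks)
    return sum(c / n * math.log2(n / c) for c in Counter(ranks).values())

if __name__ == "__main__":
    # Constructed training text; the phrase to guess completes the quoted one.
    corpus = letters(
        "she put the small lamp on the table and sat reading in the long "
        "room. the lamp on the desk was small and the light on the table "
        "was dim. he was reading the paper on the table by the lamp.")
    phrase = letters("a small oblong reading lamp on the table")
    print(f"no context, no redundancy: {UNIFORM_BITS:.2f} bits per letter")
    for order in (0, 1, 2, 3):
        ranks = play(train(corpus, order), order, phrase)
        first = ranks.count(1) / len(ranks)
        print(f"context={order}: first guess {first:.0%}, {bits_per_letter(ranks):.2f} bits/letter")
```

The training text is tiny, so treat the printed figures as rough; a larger sample of real prose gives the guesser more patterns to work with.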