Upon further introspection I've come to realize that we can truly simplify the ShannonEntropyFactory implementation by completely ignoring character rules. Considering a scenario such as an AllowedCharacterRule with a capital letter in its list, a lowercase password will indeed get flagged as "hasComposition". Or a CharacterRule with a CharacterData implementation with only one capital letter, which wouldn't check for special characters.
NIST SP-800-63-1 suggests:
A "bonus" of 6 bits of entropy is assigned for a composition rule that requires both upper case and non-alphabetic characters.
I think we can greatly improve performance (no loops), as well as be more precise in this ballpark estimate by simply enforcing those guidelines in the ShannonEntropyFactory.
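One way to implement the composition decision proposed above, as an added Java example that is not Passay's own code: the 6-bit bonus is granted only when the password itself contains both an upper-case letter and a non-alphabetic character, independent of which CharacterRules are configured. The per-character weights come from the same NIST SP 800-63-1 appendix (the dictionary bonus is left out); the class and method names are assumptions.

```java
/** Password-derived NIST SP 800-63-1 Appendix A estimate (example, not Passay code). */
public final class NistEntropyEstimate {

    /** Bonus for a composition rule requiring upper case and non-alphabetic characters. */
    private static final double COMPOSITION_BONUS = 6.0;

    /**
     * Decide the composition bonus from the password, not from the rule set:
     * a lower-case-only password never earns it, whatever AllowedCharacterRule
     * or CharacterData happens to list.
     */
    public static boolean hasComposition(String password) {
        boolean upper = false;
        boolean nonAlpha = false;
        for (int i = 0; i < password.length(); i++) {
            char c = password.charAt(i);
            if (Character.isUpperCase(c)) {
                upper = true;
            } else if (!Character.isLetter(c)) {
                nonAlpha = true;
            }
            if (upper && nonAlpha) {
                return true;
            }
        }
        return false;
    }

    /**
     * Per-character bits from the same appendix: 4 for the first character,
     * 2 each for characters 2-8, 1.5 each for 9-20, 1 each from 21 onward,
     * plus the composition bonus when hasComposition() holds.
     */
    public static double estimateBits(String password) {
        int n = password.length();
        double bits = 0.0;
        if (n >= 1) bits += 4.0;                          // first character
        if (n >= 2) bits += 2.0 * (Math.min(n, 8) - 1);   // characters 2-8
        if (n >= 9) bits += 1.5 * (Math.min(n, 20) - 8);  // characters 9-20
        if (n >= 21) bits += 1.0 * (n - 20);              // characters 21+
        if (hasComposition(password)) bits += COMPOSITION_BONUS;
        return bits;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: 18.0 bits (no bonus) and 25.5 bits (with bonus).
        System.out.println("password  -> " + estimateBits("password"));
        System.out.println("Passw0rd! -> " + estimateBits("Passw0rd!"));
    }
}
```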