This topic is a little bit different from what we've seen, so we've covered all the main methods for encrypting data, symmetric and asymmetric cryptography, we've covered the theory for authentication, using hash functions, MAC functions, digital signatures, and we've just covered in the last topic how to distribute keys. This is a special case for authentication we're going to cover, focusing on authenticating users. I know everyone was excited about that quiz and want to know the answers, but you have to wait. We'll not try and go through it now because it takes a bit of time, but you'll easily find the answers online. Let's try and finish as much of this topic as we can today, and that leaves us just with malicious software, viruses and so on. We'll get through most of it today. One part of authentication we've mainly focused on, for example, when we receive a message, check that it comes from the right person and check that it hasn't been modified. We can use hash functions, MAC functions, signatures to authenticate the data. A special case of authentication is making sure the person using the computer system is who they say they are. Authenticating users and the main form, or one of the main forms for authenticating users is passwords, and that's what we'll focus on in this topic. It's a very practical topic because you use passwords to authenticate yourself every day. Let's see how they work. This is a quote from one of the textbooks that are useful for this course. Humans are also large, expensive to maintain, difficult to manage, and they pollute the environment, so that's you. It's astonishing that these devices continue to be manufactured and deployed, but there's so many of them that are sufficiently pervasive that we must design our network protocols, our security algorithms, around their limitations. 
What that's trying to say is if we had to design our security just for computers, it would be much easier than having to consider humans as well, because in many ways humans are not as good as computers, especially with cryptography. For example, can you encrypt in your head a file using triple DES? I don't think so. That is, go through all the steps and calculate it yourself. To encrypt something, you cannot use complex algorithms. A computer, we can program it to do it and do it quickly, so therefore when we design security protocols for network communications, for accessing computer systems, when the user is part of the system, the human user is part of the system, then we need to take that into account because we have to deal with their limitations. It would be easy if we didn't. For example, if we've got two computers communicating across the network, one laptop to another PC, then for computer to computer authentication, we can have a protocol that relies on both the computers having to perform some cryptographic operations, like encrypting something, signing some information, because the computers can implement those algorithms, and they can do it, of course, quickly. But now if it's authentication between a human and a computer, we cannot rely on the human to be able to encrypt something, to sign something, that is, sign a piece of data. Humans cannot store large keys, okay? Anyone remember a 64-bit key? 64-bit is considered insecure, recommended key size 128-bit, so try and remember a 128-bit random value, not easy. So storage of keys is a problem when we have humans involved. With computers, it's easy to store a large random value, and of course we cannot perform the cryptographic operations quickly. So therefore, when we want to authenticate people, we need some special methods. By people, for example, here's a computer system, we want to check that the person accessing that computer system is who they say they are. So how do we authenticate people? 
Three basic approaches. Based on what the person knows, something they have in their brain, what they have, they physically have something with them, or what they are, something about their body. So some examples of each of those, what you know, so how do you authenticate against with a computer system, well, if you know something that only you should know, that can be used as some form of authentication. Passwords are the common one. If you know the password and the computer system knows the password, and you can supply the correct one, then it believes it's you, because no one else should know your password. Same with the passphrase, which is really just a long password with possibly different characters, and similar a PIN, personal ID number that you use for your bank accounts, for example. They are things that you may know that you will use to authenticate yourself. When you go to an ATM, you put in your card, in fact, anyone could get your card, your friends could get your ATM card, but they shouldn't know your PIN. So when you go to the ATM, you put in your card, how does that ATM know it's you, based upon the PIN that you entered, because you've already registered that PIN with the bank, no one else should know the PIN. So that's on what you know. The other thing, what do you have? You can carry physical devices that can assist with authentication. So physical keys, if we think about a basic system of getting access to a room, but even with computers, you can have USB devices that you plug into the USB port and it performs some cryptographic operations. So by the fact that you have that device is considered, so long as you keep it private, it's considered a way to authenticate you. So physical devices, an ATM card is another example, ID cards in some cases. So things that you have to carry with you can help identify you. The other thing is what you are. That is your human, your body, your voice, fingerprints, retina scans, your eye scans. 
Assuming these things are unique about your body, if you've registered them to the computer system and you go to the computer system and you swipe your finger or you press your finger on the device on the laptop, then that computer system then knows it's you that's trying to access it, because no one else should have the same fingerprint as you. That's the idea. In all these cases, it assumes that only you have one of these things. They're unique amongst a set of users. There are different issues involved with all these different approaches. We're going to focus mainly on passwords or only on passwords, in fact. We're going to look at what we use every day, passwords and how they work. How do we use passwords to authenticate a user against a computer system? Some similar concepts apply with the others, but there are some different issues that arise. Let's look at the basics of passwords, see how we store them and how they are used and some of their limitations. What is a password? Everyone uses passwords. You should know what one is, but a combination of characters. Often it's the set of characters available by some input device, a keyboard, maybe a mobile phone. A combination of characters available from your keyboard. A password should be secure. That is, by secure, we mean that it should be practically impossible for someone else to pretend they are you. Here we're performing authentication. Someone else should not be able to pretend they are you and access the computer system that has performed masquerade attack. How could they pretend to be you if we're using passwords for authentication? Guess or find your password. In terms of a password being secure, your password should not be able to be found out by someone else. If someone else finds your password, then they can access the computer system pretending to be you. There are other aspects of secure passwords we'll see. And also easy to use. 
Because we involve us limited humans, that we have to make sure that the user is happy, is convenient, it's convenient for them to use the system. For example, the password must be of a reasonable length that the human can remember and can type in. So what's a good length password? We'll talk about some different examples later. But in terms of typing in, many of you can type a password easy on your keyboard. But I think some of you may recognize if you've got to type a password on your mobile phone, it's a little bit less convenient to enter in some cases. For example, accessing a website and trying to manually type in a password is slower than using a keyboard normally. Unless you become expert at the keyboard on the phone. But the input device has an impact upon how easy it is to use. So we'd like passwords to be secure, including hard for someone to find your password. We'd also make it easy to use for the users. We'll see that those two requirements conflict. To make it secure, normally we require a large or a long password. But the longer the password, the harder it is to use. Because you need to remember that password and type in that password. So there's conflicting requirements here. What's a passphrase? Just as a side point, usually a passphrase refers to a sequence of words. So there may be spaces. Usually a password will not allow a space character, but some will. When you hear a passphrase, often it refers to a longer sequence than a normal password. So what's a problem with a password or a set of problems? What can go wrong when we use passwords? Okay, so think of your access to your personal laptop or access to a shared computer system. Then how can someone get your password? Well, when I'm typing in my password in my office or on my laptop and a student standing behind me, they can watch what I type. And if they watch carefully, they can see the keys I'm hitting and they see my password. 
By watching the keys that I'm hitting on the keyboard, the user may see the password when it's actually used. So that's one way for the attacker, the malicious user, to find out someone's password. So that's not good. Before we use a password, we actually register that. So when you first access the system, you register a password. You choose a password in some cases. So, or the system chooses one for you. Same with a pin for a bank. When you register or create your account at the bank, you get a pin that is secret to you. And that's registered in the system, in the computer system. So therefore, the password must be stored somewhere on the computer system. We'll see some examples of where it's stored in different operating systems. But for example, if it's stored in some file on the computer system, then if the attacker can get access to that file, they can potentially read your password. So when we store passwords, we need to make sure it's difficult for the attacker to actually see what that password is. And we'll look at some different techniques for doing that. What else can go wrong? Someone can try and guess your password. So if you choose a password which is easy to remember, easy to type in, maybe you choose your date of birth, then it's easy for you to remember. If your friend comes along, it's easy for them to guess that and therefore get access to the system pretending to be you. So we need to have passwords which are hard to guess. Even if they cannot guess it, when we come back to it, it may be possible that an attacker can try a brute... Well, also guessing, but a brute force attack. Without any knowledge of you, just try all possible passwords. And for example, they find some information, some encrypted form of your password, and try a brute force attack to try and discover what your password is. So we'll see some approaches for doing that. If your password is secure, it may be that... So it's very long, it's random. It's... 
The computer system is set up that no one can see you when you type in the value on the keyboard because there's some special box, so they can't see your fingers. So prevent those attacks, but then it may become too inconvenient to use. And for example, if you're required to have a long password, a long random password, it may be secure, but you may not be able to remember it. What do you do if you can't remember your password? You write it on a post-it note and stick it on your laptop. But then you've lost the security because someone else can see it. So there's this important trade-off between a secure password and a convenient to use computer system. That's why there's no one rule as to what is the perfect password. We need to consider those trade-offs. Different systems will have different requirements, depending upon how important the data is that we need to protect. So many problems with passwords, but we use them in many different systems because they've been around for a long time. They are reasonably simple to use. There's software around and techniques for implementing new systems to make use of passwords, but they're not perfect. So let's look at the general approach of how they're used. Normally, a user is identified by some unique value. So we have a computer system and there may be a set of users that use that computer system. The computer system may be a single computer, like your laptop, or it may be a network of computers, but there may be more than one user. Usually we identify those users by some unique value, a username, for example, or a user ID. You all have usernames for the IT server, which is the same, in fact, for your Moodle login. So the Moodle login, that computer system, you have a username. It's unique, every student has a different username. Usually the username is public. Other people may know or be able to easily guess the username. For convenience, it's usually not required to keep it secret. 
So in your cases, your username is based upon your ID and it's quite easy to find other students' IDs. So the username is public. When you first access the computer system, there's some registration process performed. Maybe for the Moodle system, either you come to me and say, I want access to the Moodle online web system and I create an account for you. In that process of creating an account, we create a username and also let you select a password. So we register an initial password. Either the system selects one for you automatically or you get to choose your own, but there's some initial password registered. And both the username and the password are stored by that system. So for example, with Moodle, all your usernames and your corresponding passwords are stored on a computer somewhere, in fact on the IT server. And what happens when you later want to access the system, you submit your username and password, so you try to log in. You visit the website the day later and you try to log in for Moodle, you type in your username, you type in your password, press submit or enter. And that sends the username and password to the system. And the system compares your submitted values with the stored values. So the system stores your registered username and password. When you try to access it, you supply a username and password. If they match, it assumes it's you and you're authenticated and can access the system. If they don't match, then something's gone wrong. Either you have to try again or the system will not allow you to access. So if we get a match, the user is authenticated. So that's the normal approach for how passwords are used, whether it's a website, whether it's your own computer, even banking systems, ATM networks, similar approach. So the issues that arise then, well, what is a good password to choose at the start? What is a secure password? Also, how do you store the password on the system? 
Note that the system must store something about the password because when you later try to log in, you submit your password, the system must compare your submitted value with the stored value. So the password or at least some information about the password must be stored on the system. How do we store that? Especially so that no one else, no malicious user can find that stored value. How do we submit the passwords? So when you try to log in, you send your submitted password to the system. How do we do that? What protocols do we use? How do we respond, especially if there's no match? That is, if it doesn't match, if it's a wrong password. So some of the issues to deal with. We will look at a detailed example whether maybe just after the break of how passwords are stored in Linux and what happens when you log in and we'll look at issues of how to store a password. We'll also, after the break, we'll look at some mathematical ways to look at what is a good password, what length of password, how to create a password that's good or secure, how to submit passwords. I don't think we'll look too much about that. We assume that we've got some way to submit a password. For example, when you log into your bank website, how do you submit your password? What do you do? So your bank has their web server. You wanna log into your online account. So you open your browser on your computer and the bank web server stores your registered information. You need to authenticate yourself and the way you do that is you supply your username and password on your web browser and the web browser sends that username and password to the web server. Because we're sending the password across a network, we need to make sure that that delivery of the password is secure. So the submission of the password in this case, when we're doing it across the internet, should be secure in that we use encryption in that case. 
So that's why when you connect to, say, a bank or an important website with personal information at the server, here's your web browser, here's the bank web server, when you submit your username and password, and this is sent across the internet, you don't want someone in the middle to be able to intercept and find your password. So we normally need some encryption here. And we saw last week that one way to identify the server was using a digital certificate and that gives us a public key and then we could use a public key to get a shared session key between the client and server and encrypt this information, both the username and password or at least the password. So the protocols used for submitting the passwords depend upon the application, but we need to make sure that the passwords themselves are not sent in the clear across a network. We will see another example of how do we submit, for example, when we use secure shell and HTTPS in the next topic. How to respond if no match, we'll see in some examples in the next two or three slides. So now let's look at what an attacker can try to do. They want to find your password. We'll see, sorry, I'll just flick through. We'll talk about, we'll differentiate between two types of attacks here, offline guessing and online guessing. So there's the computer system, there's the normal user. Now there's an attacker, they, in online password guessing, the attacker is accessing the computer system and trying to work out what your password is. For example, trying different passwords. That's the online password guessing. Offline password guessing we'll see later is the case where somehow the attacker has gained some information about, say, some encrypted form of passwords or the password stored in a file and are trying to find your password through alternate means. But online password guessing is when the attacker is using the actual system and trying to guess your password. 
So if it's a laptop, for example, the attacker is sitting at your laptop and they're trying to log in by trying random passwords or using some information about you to guess a password. In an online password guessing, usually there's limited time for the attacker. So let's say my office computer. I left my door unlocked in my office and it's password protected, my computer. It's got all your marks on there. If a student went up there and tried to log in, they could change their grades for the course. So to do that, so that would be online guessing because you actually go to my computer and try the password, try to guess my password in that computer system. You would normally have limited time to do that because in this case, two or three hours because I'll be back in my office soon. So you only have limited access to the computer system and that means that different attacks or different approaches to securing the system may work compared to later we'll look at offline password guessing. And also with online password guessing, you're actually trying a password on the actual system. Therefore it's very easy for the system to log every attempt. So again on my computer up in the office, it records every attempt, especially every failed attempt at a password. So if I go back to my office at four o'clock today and look at the log of all the failed attempts and I notice something there, then that can help me in at least recognizing that someone's been trying to access my system. So that can be used. Maybe then I could look at the security cameras and see who went into my office at that time so we can use different techniques to track people. So with an online password guessing, the user uses the actual system. Usually there's limited time at which they can make attempts and the attempts or guesses can be recorded or logged. The security of online password guessing depends upon the number of incorrect guesses that are allowed. 
Usually we may prevent access once a number of incorrect guesses have been made. And also depends upon what's the consequence of too many incorrect guesses. Let's consider those two and consider some examples. Okay, my computer up in the office, when you try to log in, you type in your username, you try to guess my password. If it's wrong, it reports some error and it just shows up the login screen again. And in fact, you can try as many times as you like on my computer upstairs. The same with most operating systems. It doesn't lock you out after you try the wrong password. Even you can go as many times as you like. So in that case, there's no limit on the number of attempts. So there's no consequence of too many incorrect guesses up there. Nothing's, you can just make as many guesses as you like in that case. What about your, you have not you because you're all trustworthy, but someone has stolen someone's ATM card and they go to the ATM and put it in and they start trying pin numbers, try to guess pins, not pin numbers, pins. They try and guess. What happens if they get it wrong? Usually you get three times, then what happens? It swallows your card. The ATM takes your card, you don't get it back. Okay, so in that case, we'd say that's more secure than my computer upstairs because you get three attempts. And therefore, someone can not randomly try pins or they'd have to be very lucky to randomly try three and get the correct one. So that adds more security by limiting the number of attempts and the consequence there is that, okay, from the attacker, they've lost the card, they cannot do anything else. What about another case? 
Then you, in the military, okay, people in the army, they have a base in some foreign land and every day, every morning, they leave the base, go do their fighting or whatever and when they come back, when they get to the gate, they must say the password for that day, it changes every day and if they say the correct password, they'll let back into the base. If not, they get shot. How many random attempts are you gonna make? Okay, in this case, the consequence is very severe of making the wrong guess. So again, that's a different level of security because the consequence of too many incorrect guesses for most people is considered too much to even try, okay? So, depend upon how many guesses you allow and what's the consequence of the incorrect guess or too many incorrect guesses impacts upon the security of the system. Of course, it also impacts upon the usability. Coming back to our ATM, no one stole your card, you've got your card but you forgot your pin, right? You can't remember because you've got so many different ones. So you go there and you try, yeah, I think it's this one, no wrong number, you try again, you try three times, it's your card and you guess it three times, you get it wrong and it's very inconvenient because now you've lost your card, you need to go to the bank and sign some documents to get it back. So from a normal user's perspective, in this case, limiting the number of incorrect guesses makes it inconvenient to use. So here's this trade-off between security and convenience or usability. The fewer guesses allowed, the more secure, but the more inconvenient it can be for a normal user. So some ways to make a system more secure using against online password guessing, lock a system in your account if too many guesses. So we could do that for Moodle, for example. 
If you try to log into the Moodle website for this course and you get the password wrong three times, we could set it up so that it locks the account and you can no longer try that username. So that would prevent someone trying to guess my password or one of your passwords and doing something malicious. So locking an account or a system if too many guesses. Same as what your bank does for the ATM, it locks after three guesses. And then you need some manual way to get access. Another approach is to limit the number, or the limit the speed at which you can make guesses. Let's say there's no limit, like my computer upstairs. So you go up to my office upstairs and you can make as many guesses as you like. So you're trying to guess my password. So you wanna try as many as possible. You only have until 4 p.m. When you type in a wrong password on the system, the operating system adds in a delay of two or three seconds before you can attempt again. So it slows you down. It limits the number of attempts you can make in some period of time. And you've seen that probably most operating systems do that. Say on my terminal, if I want to run something as sudo, just sudo ls, then it will prompt me for my password. I type in the wrong password. There was some delay, I'll try again. Type in the wrong password, I'll press enter now. And there's two or three seconds delay before it lets me try again. So this slows down the attacker in that they cannot make many attempts in a short period of time. And in this case if I type it in wrong three times, it reports three incorrect password attempts. But with this, it's not a limit because all I have to do is try again. So there's no limit in this case. It's just the software terminates after three attempts but there's no limits on the number of guesses. I can just keep doing this forever if I want. But it takes me two or three seconds for each attempt. 
If there was no limit on the time, then I could maybe have a script to automate the process and I could make thousands of attempts each second by just reading a file, a password from a file and trying that automatically. But in this case, we can't. So limiting the speed that the guesses can be made adds to security. But again, makes it inconvenient for the normal user because in that case, if I actually truly forgot my password, then I have to wait two or three seconds before I try again, which is a small inconvenience. What else? Try to find the attacker. That is, if we can log the attempts and I later find out that someone accessed or tried to access my computer, then I can use other methods to try and find out who the attacker was. Ask the secretary who walked into my office, look at video cameras or security cameras and so on. So we can use other techniques to try to find the attacker. If it's accessing across a network, then we can log based or track based upon IP addresses, contact internet service providers and so on. So that increasing the ability to log and to track malicious users limits the effectiveness of those malicious users because they are less likely to try if they know that they can be found out. Final thing, make sure passwords are hard to guess and we'll spend some time on that and looking at some different things about, well, what's a good password? What's a password that's easy to guess and what's hard? I think you know some of them already. That's what we'll look at now. Some way to measure or to analyze the strength of passwords. What is a good password? And we wanna look at it from the perspective of the number of attempts it takes for an attacker to guess your password. So you choose a password and now the attacker has to try and guess what it is. Assuming they don't have any knowledge about you, then they do a brute force attack. Try random passwords until they get yours. 
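An added example, not from the lecture, that puts the three defences against online guessing just described into working Python: lock the account after a fixed number of wrong guesses (the ATM's three), enforce a delay between attempts (the sudo behaviour), and log every attempt so failures can be reviewed later. All names are assumptions; the stored value is a salted PBKDF2 hash rather than the plaintext (storage is covered later in the lecture), and the clock is passed in explicitly instead of sleeping so the policy can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 3     # like the ATM: this many wrong guesses and the account locks
MIN_INTERVAL = 2.0   # like sudo: seconds an account must wait after a wrong guess


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; chosen here so the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive wrong guesses since the last success
    locked: bool = False
    not_before: float = 0.0  # earliest clock value at which another guess is checked


@dataclass
class LoginSystem:
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (time, username, outcome) for every attempt

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Check one attempt at simulated time `now`.

        Returns 'ok', 'bad_password', 'throttled' or 'locked'. Unknown usernames get
        'bad_password' so the response does not confirm which usernames exist.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return self._record(now, username, "bad_password")
        if acct.locked:
            return self._record(now, username, "locked")
        if now < acct.not_before:
            # Guess arrived inside the delay window: not even checked, like the
            # two-to-three-second pause sudo imposes after a wrong password.
            return self._record(now, username, "throttled")
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return self._record(now, username, "ok")
        acct.failures += 1
        acct.not_before = now + MIN_INTERVAL
        if acct.failures >= MAX_FAILURES:
            acct.locked = True  # needs the "manual way to get access" the lecture mentions
            return self._record(now, username, "locked")
        return self._record(now, username, "bad_password")

    def _record(self, now: float, username: str, outcome: str) -> str:
        self.log.append((now, username, outcome))
        return outcome

    def failed_attempts(self, username: str) -> list:
        """Everything an administrator would review later: all non-successful attempts."""
        return [entry for entry in self.log if entry[1] == username and entry[2] != "ok"]


if __name__ == "__main__":
    auth = LoginSystem()
    auth.register("alice", "correct horse")  # constructed sample account
    # Constructed sequence of guesses at simulated times (seconds).
    for t, guess in [(0.0, "wrong1"), (0.5, "wrong2"), (3.0, "wrong2"), (6.0, "wrong3"),
                     (10.0, "correct horse")]:
        print(f"t={t:5.1f} guess={guess!r:16} -> {auth.login('alice', guess, t)}")
    print("failed attempts logged:", len(auth.failed_attempts("alice")))
```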
So we can look at some ways for measuring the strength of a password. And one way is called entropy. Entropy is a measure of the amount of information some message has and it's used sometimes as an indicator of the strength of a password or a password scheme. By a password scheme, I mean a set of rules that limit how the password can be created. When you register your password for hotmail, the hotmail server usually puts rules on the length of your password and then set of characters that can be in your password. So think of that as a password scheme, the limitation of what characters make up your password. So we can use entropy to indicate the strength of such a scheme. What is entropy? A measure of information in a message. We will not look too much about the mathematics of it, but for passwords, we can say a password that has entropy of n bits is equivalent to an n-bit binary key at withstanding a brute force attack. What does that mean? Coming back to one of our first lectures, if we have a key, a random binary key and it's four bits long, how many possible keys? How many possible keys? Louder? 16, two to the power of four, 16 keys. Two to the power of four in here. So two to the power of n in general with an n-bit key. And for a brute force attack, the worst case is the attacker has to make 16 attempts to guess your key. On average, it's half as many attempts, but let's look at the worst case for simplicity. So the length of the key indicates the amount of effort it takes for the attacker to guess that key. Now let's look at, well, one way to measure the strength of passwords is try to relate it to the length of keys. A password using just characters A to Z, made up of characters A to Z, how strong is it against a brute force attack measured in terms of bits? And that's what we can use entropy for. So consider a simple case where we use a password made up just of digits, the digits zero to nine. 
And so your pin, for example, it's made up usually of four digits, maybe six digits, but a password made up just of numbers zero to nine. A password which is made up of say four digits, how many bits do we need to represent that password? A password like a pin that's made up of four numbers, how many bits do we need to represent that? Or another way, how many possible values are there? Four digits, each digit can be range from zero to nine. So with four digits, we have 10,000 possible values from zero, zero, zero, zero up to nine, nine, nine, nine and any value in between. That's the possible values for our password in this case. 10,000 possible values. How many bits do we need to represent that? 15 sounds good. And let's be, let's now instead of look at an integer number of bits, one way to compare the password strength is look at, okay, let's consider fractions of bits as well. Well, how many bits exactly would log base two of 10,000? Normally when we talk about our bits, we either have an integer number of bits, but let's use entropy as, entropy is the measure of the number of bits needed to represent that password. And once we know that, we can compare it against a normal brute force attack against a binary key. So in this case, log base two of 10,000 is what? 13.28, is that right? 12, 13 point correct. 13.28. What that says is if we have a password which is made up of four digits, then it's equivalent to a binary key that is 13.28 bits long. And a binary key which is 13.28 bits long, how many attempts brute force attack? Well, two to the power of 13.28, 10,000. So we're just relating passwords which usually are not in binary, relating the strength of passwords to a binary key. So we'd say the entropy of this password is 13.28. The higher the entropy, the more secure that password is against a brute force attack because the more guesses will be needed. So we could say our password which is made up of four digits is about as strong as a 13-bit key. 
It's a little bit stronger than a 13-bit key, okay? So if you choose a four digit password, or you choose a random four digit password, or you choose a random 13-bit value, the number of attempts an attacker needs to make to guess your password is about the same. Takes about 10,000 attempts, two to the power of 13. So that's how we use entropy. In fact, what we have on the slide here is that we can now consider a single digit. What's the entropy of just one digit? Well, 3.32. With one digit, how many bits do we need to store one digit? Well, there are 10 possible values, zero through to nine. So log base two of 10, because there are 10 possible values, the entropy of one digit is 3.32. Therefore, the entropy of a four digit password is four times 3.32, which is 13.28. The entropy of a 10 digit password is what? What's the entropy of a 10 digit password? Digits mean any value between zero and nine. 10 digits, what's the entropy of a 10 digit password? Just to summarize, the entropy of a single digit, where a digit is a value between zero and nine: there are 10 possible values, so log base two of 10, which is 3.32. So if we have two digits, then it would be two times 3.32. Because if we had two digits, how many possible values are there? 100. With two digits, either can be zero through to nine. We have 100 possible values, so the entropy is log base two of 100, which is log base two of 10 squared. And log of 10 squared is two times log of 10, which is two times 3.32, 6.64. So for any password scheme now that uses just digits, we can easily calculate the entropy, given that we know the entropy of a single digit is 3.32. So a 10 digit password is 33.2 approximately. How long does our password need to be to be about as secure as a 64-bit key? I've got a 64-bit DES key. How long does my password need to be to be the same strength? You've got a calculator? Tell me the exact value. With a 64-bit key, all right, let's try a different way. What's the entropy of a 64-bit key? 64.
So the entropy of a single digit is 3.32. The entropy of a 64-bit key is 64. So how many digits to get equivalent? 64 divided by 3.32. Which is about 20 digits. 20 times 3.32 is, what is it, 63. 66, sorry. So we need about 20 digits in our password to get the same strength against a brute force attack as a 64-bit key. 64-bit keys are not considered strong against brute force attacks. When we spoke about DES, that was the primary limitation of DES. The key length is too short. Nowadays it's recommended to be 128 bits. So we need a very long password if we're using digits to get the same security as what our encryption schemes use, against a brute force attack at least. Those examples used just digits, assuming our password was made up just of the numbers zero through to nine. We can do the same analysis for different character sets, different alphabets. So if my password is made up just of digits, each digit has an entropy of 3.32. If it's made up just of English letters, we have 26 possible values. Consider just lowercase. Just the lowercase a through to z, then the entropy of a single letter is 4.7. Why? Because log, you can check, the log base two of 26 is 4.7. So just a single letter, you need 4.7 bits to represent it. So now if you have a password which, as the answer's here, if you want a password equivalent to our 64-bit key, we'd need 14 letters in our password. 14 times 4.7 is approximately 64. So our 64-bit key has an entropy of 64. Our 14 letter password also has an entropy of 64, approximately. So depending upon how your password is structured, or the scheme that defines how a password is created, we can calculate the entropy of that password scheme or that password. So another one is the printable ASCII characters. The ASCII set has 128 different values, but some of those values in the ASCII set are not printable. They are the bell, the sound on your computer, and characters like backspace and so on, not printable.
So the printable ASCII characters, there are 94 normally, 94 different characters, including all the punctuation marks and so on. So if we can make a password from any printable character from the ASCII set, normally you can type them on your keyboard. There's 94 possible values to choose from, because remember it includes both lowercase and uppercase. So there's 52 values, plus the 10 digits, there's 62 values, plus the other 32 values are the punctuation marks. Exclamation mark and so on. Log base two of 94 is 6.55, so in this case, each character has an entropy of 6.55. If your password is 10 characters long, then you get an entropy equivalent, or approximately equivalent, to our 64-bit key. So this gives us an indicator. If we choose random passwords, depending upon the password scheme, we can compare the strength of those schemes and the length. So a 64-bit random binary value is equivalent in strength to a 20 digit password, or a 14 character password when we choose just from the lowercase English letters, or a 10 character ASCII password. So we use entropy to compare the strength of different password schemes. Of course, not everyone chooses random passwords. So we'll look after the break at some experiments people have done to try to quantify the entropy of different password schemes, and then we'll go through an example of how the Linux operating system stores passwords. Then I think we'll get to the end of this topic. Let's have a break, and at 2:40 we'll continue on passwords.
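The calculation the lecture walks through (entropy per symbol, entropy of a scheme, and the length needed to match a 64-bit key) as an added example in Python; this is not code from the lecture. It uses exact log2 values, so the last decimal can differ slightly from the rounded figures quoted above, and the `scheme_of` helper that infers an alphabet size from the character classes a password uses is an assumption added here.

```python
"""Password-scheme entropy as in the lecture: a scheme over an alphabet of
size N with passwords of length L has entropy L * log2(N) bits, i.e. it
resists brute force about as well as a random binary key of that length."""
import math
import string

# The three alphabets from the lecture. The printable ASCII set is built from
# the standard classes and comes to 94 characters (space excluded).
SCHEMES = {
    "digits": string.digits,                              # 10 symbols
    "lowercase": string.ascii_lowercase,                  # 26 symbols
    "printable_ascii": string.digits + string.ascii_letters + string.punctuation,
}

def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol drawn uniformly from the alphabet: log2(N)."""
    return math.log2(alphabet_size)

def scheme_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of a random password of `length` symbols: log2(N**L) = L*log2(N)."""
    return length * bits_per_symbol(alphabet_size)

def length_for_key_bits(alphabet_size: int, key_bits: int) -> int:
    """Smallest length whose entropy is at least that of a key_bits-bit key."""
    return math.ceil(key_bits / bits_per_symbol(alphabet_size))

def worst_case_guesses(alphabet_size: int, length: int) -> int:
    """Exhaustive-search bound: every password in the scheme, N**L = 2**entropy."""
    return alphabet_size ** length

def scheme_of(password: str) -> int:
    """Assumed helper: alphabet size implied by the character classes used.
    This rates the scheme the password appears to follow, not the password
    itself; a non-random choice within a scheme has far less real entropy."""
    size = 0
    if any(c in string.digits for c in password): size += 10
    if any(c in string.ascii_lowercase for c in password): size += 26
    if any(c in string.ascii_uppercase for c in password): size += 26
    if any(c in string.punctuation for c in password): size += 32
    return size

if __name__ == "__main__":
    for name, alphabet in SCHEMES.items():
        n = len(alphabet)
        print(f"{name:16s} N={n:3d} bits/symbol={bits_per_symbol(n):.2f} "
              f"length for a 64-bit key: {length_for_key_bits(n, 64)}")
    print("4-digit PIN: entropy", round(scheme_entropy(10, 4), 2), "bits,",
          "worst-case guesses", worst_case_guesses(10, 4))
```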