TL;DR
Calculating the entropy of a Passface (graphical password) helps estimate its strength against brute-force attacks. This guide explains how to do it, considering image choices and position selection.
Understanding Entropy
Entropy measures randomness. A higher entropy value means more possible combinations, making the password harder to crack. For Passface, we need to consider:
- Number of Images: How many images are available for selection?
- Image Positions: How many positions does the user select in the grid?
Calculating Passface Entropy
- Determine the Number of Image Choices (N): Count the total number of images a user can choose from. For example, if there are 20 different images available, N = 20.
- Determine the Number of Positions Selected (P): Find out how many positions in the grid the user is required to select. For instance, if they must pick 3 locations, P = 3.
- Calculate Combinations with Repetition: Since a user can potentially choose the same image multiple times, each of the P positions is an independent choice among the N images, so we count ordered selections with repetition. The formula is:
  N^P
  In our example (N=20, P=3), this would be 20^3 = 8000 possible combinations.
- Calculate Entropy: Use the following formula to calculate entropy in bits:
  Entropy = log2(N^P)
  Continuing our example, Entropy = log2(8000) ≈ 12.94 bits.
- Account for Position Importance (Optional): If different positions have varying importance (e.g., the top-left corner is more important), you can adjust the entropy calculation. This requires a weighted average based on the probability of an attacker trying each position first.
  - Assign weights to each position representing its likelihood of being guessed.
  - Calculate the weighted average of the logarithms of the number of choices for each position.
Example Calculation
Let’s say a Passface has:
- 15 images (N = 15)
- 4 positions to select (P = 4)
- Combinations: 15^4 = 50625
- Entropy: log2(50625) ≈ 15.6 bits
Using Python for Calculation
You can use Python to automate the calculation:
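import math

def calculate_passface_entropy(num_images, num_positions):
    """Return log2(N^P) in bits for N images and P selected positions."""
    if num_images < 1 or num_positions < 1:
        raise ValueError("num_images and num_positions must be at least 1")
    # Every position is an independent choice among all images.
    combinations = num_images ** num_positions
    entropy = math.log2(combinations)
    return entropy

# Example usage:
num_images = 15
num_positions = 4
entropy = calculate_passface_entropy(num_images, num_positions)
print(f"Entropy for {num_images} images and {num_positions} positions: {entropy:.2f} bits")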
Important Considerations
- Attacker Knowledge: This calculation assumes the attacker doesn’t know which images are available. If they do, entropy is reduced.
- User Behaviour: Users often choose predictable patterns or easily remembered images, reducing effective entropy.
- Cyber security best practice: Passfaces should be combined with other authentication methods for robust cyber security.
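The User Behaviour point above can be quantified. The following is an added example, not code from the original article: it compares the uniform log2(N^P) figure with the Shannon entropy and min-entropy of a skewed choice distribution, and with the chance that a small number of guesses succeeds before a lockout. The function names and the skewed distribution (three favourite images at 20% each) are assumptions constructed for illustration, and picks are assumed independent across positions.

```python
import itertools
import math

def uniform_entropy_bits(num_images, num_positions):
    """The article's figure: log2(N^P) = P * log2(N), every image equally likely."""
    return num_positions * math.log2(num_images)

def shannon_entropy_bits(probs, num_positions):
    """Average-case entropy of P independent picks drawn from `probs`."""
    return num_positions * -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs, num_positions):
    """Worst-case entropy: set by the single most popular image."""
    return num_positions * -math.log2(max(probs))

def guess_success_probability(probs, num_positions, max_attempts):
    """Chance that the `max_attempts` most likely sequences include the
    user's Passface, i.e. the exposure left by a lockout policy."""
    sequence_probs = sorted(
        (math.prod(combo) for combo in itertools.product(probs, repeat=num_positions)),
        reverse=True,
    )
    return sum(sequence_probs[:max_attempts])

# Constructed distributions for N = 15 images (assumed values, not measured data).
UNIFORM = [1 / 15] * 15
SKEWED = [0.2] * 3 + [0.4 / 12] * 12   # three favourite images take 60% of picks

if __name__ == "__main__":
    for name, probs in (("uniform", UNIFORM), ("skewed", SKEWED)):
        assert math.isclose(sum(probs), 1.0)
        print(f"{name:8s} Shannon={shannon_entropy_bits(probs, 4):5.2f} bits  "
              f"min={min_entropy_bits(probs, 4):5.2f} bits  "
              f"P(success in 3 tries)={guess_success_probability(probs, 4, 3):.6f}")
```

With this constructed skew, three guesses succeed 81 times more often than the uniform assumption predicts, which is why the lockout threshold should be sized against min-entropy rather than log2(N^P).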

