yidfomaju Welcome!
I'd be happy to help.
For details, please see: https://spectre.app/blog/2018-01-06-algorithm/#phase-3-your-site-password
There are several stages of entropy, and since I'd rather not make assumptions, I'll explain each:
- The user key: Effectively this constitutes your Spectre identity. It is a 64-byte key which is the output of the SCRYPT key derivation algorithm applied to your Spectre secret and your Spectre user name.
- The site key: Effectively this is a site-scoped key used to derive any site-specific secrets for you. It's a 256-bit authenticated hash.
- The site password: This is the password you'll use to actually log into your site's account. Its entropy depends on the cipher template you've selected for your site password.
The first and second values are cryptographic keys with their given bit sizes. Since every bit in these keys is cryptographically secure, the total entropy is effectively `2 ^ [bit size]`.
The third value warrants some more detail. To determine the entropy, you'll essentially want to look at the chosen password template and combine the entropies of each potential character in those templates.
As an example, let's look at the Maximum Security template (since it's fairly simple): we see the template consists of two potential forms: `anoxxxxxxxxxxxxxxxxx` and `axxxxxxxxxxxxxxxxxno`, where `a` represents any Latin letter (upper or lower case), `n` represents any digit, `o` represents one of 24 symbols, and `x` represents a combination set of any of these characters. Consequently, the math for this password's entropy is `52 * 10 * 24 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 + 52 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 10 * 24 = 937,339,719,116,840,996,512,478,233,484,066,816`, which works out to ~119.5 bit.
The Spectre application also has a built-in entropy checker which can be used to help you determine the entropy for passwords and compare it to hashing performance based on attacker budgets.
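The template calculation above, generalized to any list of templates, as an added example that is not part of the original reply and is not Spectre's own code. The class sizes and templates are the ones quoted in the reply; the function names are made up here, and the second measure assumes each choice is made as a uniformly random byte taken modulo the number of options, which the reply does not state.

```python
import math

# Class sizes quoted in the reply: a = letters, n = digits, o = symbols,
# x = the combined set.
CLASS_SIZES = {"a": 52, "n": 10, "o": 24, "x": 72}
# The two Maximum Security forms from the reply (17 'x' positions each).
MAXIMUM_SECURITY = ["ano" + "x" * 17, "a" + "x" * 17 + "no"]


def template_count(template, sizes=CLASS_SIZES):
    """Number of passwords a single template form can produce."""
    return math.prod(sizes[c] for c in template)


def uniform_bits(templates, sizes=CLASS_SIZES):
    """The reply's method: sum the counts of all forms, then take log2."""
    total = sum(template_count(t, sizes) for t in templates)
    return total, math.log2(total)


def byte_mod_probs(n):
    """Distribution of (uniform byte % n). ASSUMPTION: choices are made this way."""
    q, r = divmod(256, n)
    return [(q + 1) / 256] * r + [q / 256] * (n - r)


def shannon(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0)


def selection_bits(templates, sizes=CLASS_SIZES):
    """Shannon entropy of the selection process under the byte-modulo
    assumption: entropy of the form choice plus, per form, the entropy of
    each character choice. 256 is not a multiple of 72, 52, 10 or 24, so
    some characters are slightly more likely and the result is below the
    uniform figure."""
    form_probs = byte_mod_probs(len(templates))
    per_class = {c: shannon(byte_mod_probs(n)) for c, n in sizes.items()}
    chars = sum(p * sum(per_class[c] for c in t)
                for p, t in zip(form_probs, templates))
    return shannon(form_probs) + chars


if __name__ == "__main__":
    total, bits = uniform_bits(MAXIMUM_SECURITY)
    print(f"{total:,} combinations, {bits:.1f} bits (uniform)")
    print(f"{selection_bits(MAXIMUM_SECURITY):.2f} bits (byte-modulo assumption)")
```

Both measures count the two forms as disjoint; a password that fits both forms is counted twice, so each figure is a slight upper bound.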