And the entropy of the password 0b0 is only a single bit - if the attacker knows you've used a single-bit password. Hashed into the SHA-256 space that's only a 1:2^256 chance of someone colliding with it. Still, is that a password you'd set?
What does that have to do with the output of the password in terms of brute-force guessing? Aren't you kind of assuming that an opponent won't try a broad dictionary attack? Equal distribution of hash outputs fundamentally assumes equivalent distributions of hash inputs, and that's not true for the distributions of common passwords.
Again - everyone knows the passphrase patterns everyone uses, everyone knows the password transformations everyone follows (eg l33t) and overall those patterns are significantly weak against attack because of this public knowledge. By those algorithms, with knowledge of salts/etc those passwords are very weak.
Should you use a song, or a slight modification, or a l33t transformation? Certainly not - if the input space isn't uniformly distributed across the input space, the probability of hitting pay dirt definitely isn't uniformly distributed across the output space.
Even the class of "valid transformations of sensical English sentences" is not an equal distribution because of the above. If you can compress a language you can attack it, because by the assumption of compression the data is not at its minimum entropy. Maybe not feasibly if you're lucky - but don't bet on it just because Webster's is big.
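To make the guess-cost argument in the post above concrete, here is an added Python example; it is not code from the thread or from either commenter. It builds the attacker's model as a small constructed wordlist plus the public l33t substitution rule, measures that model's guessing entropy, and runs a dictionary attack over salted SHA-256 hashes. It also covers the objection raised later in the thread, that the attacker does not know how many words were used: the candidate generator simply sweeps every length up to its budget. The wordlist, the salt and the two sample passwords are constructed for the example.

```python
import hashlib
import itertools
import math

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = ["correct", "horse", "battery", "staple",
            "password", "dragon", "monkey", "letmein"]

# The l33t substitutions "everyone knows"; the cracker applies them as a rule.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# Hypothetical fixed salt; salting defeats precomputation, not enumeration.
SALT = b"constructed-salt"


def leet(word):
    """Apply the public l33t substitution table to a word."""
    return "".join(LEET.get(c, c) for c in word)


def word_forms(wordlist):
    """Every form the attacker's rule set can produce from one word."""
    return list(wordlist) + [leet(w) for w in wordlist]


def candidates(wordlist, max_words):
    """Enumerate space-separated passphrases of 1..max_words words, each word
    plain or l33t-transformed. The attacker does not need to know how many
    words the victim used: the generator sweeps every length up to its budget."""
    forms = word_forms(wordlist)
    for n in range(1, max_words + 1):
        for combo in itertools.product(forms, repeat=n):
            yield " ".join(combo)


def model_size(wordlist, max_words):
    """Number of candidates the rule set above can produce."""
    f = len(word_forms(wordlist))
    return sum(f ** n for n in range(1, max_words + 1))


def model_entropy_bits(wordlist, max_words):
    """Guessing entropy of the attacker's model: log2 of its candidate count.
    This, not the 256-bit hash output, bounds the work needed to find a
    password drawn from the model."""
    return math.log2(model_size(wordlist, max_words))


def uniform_entropy_bits(length, alphabet_size):
    """Entropy of a password chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def hash_password(password, salt=SALT):
    """Salted SHA-256, as in the thread (a slow KDF multiplies the cost of
    each guess but does not change how many guesses the model needs)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash, wordlist, max_words, salt=SALT):
    """Dictionary attack against one salted hash.
    Returns (password, guesses) on success, (None, guesses) on exhaustion."""
    guesses = 0
    for cand in candidates(wordlist, max_words):
        guesses += 1
        if hash_password(cand, salt) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # A "clever" two-word l33t passphrase: it hashes to a uniformly distributed
    # 256-bit value, yet it sits inside a roughly 12-bit candidate space.
    weak = "c0rr3ct h0r53"
    found, n = crack(hash_password(weak), WORDLIST, 3)
    print(f"model entropy: {model_entropy_bits(WORDLIST, 3):.1f} bits")
    print(f"recovered {found!r} after {n} guesses")

    # A constructed uniformly random 12-character alphanumeric password lies
    # outside the model entirely; the same attack exhausts its budget.
    strong = "Q7vL2pXs9aT1"
    print(f"uniform entropy: {uniform_entropy_bits(12, 62):.1f} bits")
    print(crack(hash_password(strong), WORDLIST, 3))
```

The point the numbers make: both passwords hash into the same 2^256 space, but the l33t passphrase falls on guess 154 of 4368 because the attacker's generator reproduces the public transformation, while the uniformly chosen password is never generated at all. Enlarging the wordlist or the rule set raises the model's entropy in proportion to its candidate count, which is what matters for brute-force cost; the hash function's output distribution does not enter into it.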
What are you going on about? Your giant post did nothing to refute the point that an attacker doesn't know you are using 1 word vs 4 words vs 12.
Also, you seem to imply that there is a distinguishable difference in sha1 outputs of good random inputs and English word inputs, which violates a security property of cryptographic hashes. So there is a lot of fame to be had if you can prove that.