A short note on entropy.

Something popped up today regarding estimation of entropy in relation to session IDs. Here’s the example:

  • Given a session ID of length 24 and with a character set of 26, what is its potential entropy?

I’m putting this here as a reminder, as I had forgotten and had to look it up.

The standard formula for entropy is H = log2(a^b) = b × log2(a), where a is the size of the alphabet in use and b is the length of the token. In this instance a = 26 and b = 24, so H = 24 × log2(26) ≈ 112.8106. So, we have approximately 113 bits of available entropy.

Of course, that’s just a calculation. Often the implementation is quite different.
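
To see the gap between the calculation and an implementation, the following added example (not part of the original note) compares the theoretical figure with an estimate taken from a sample of issued IDs. The sample is constructed: it assumes a hypothetical generator that emits a fixed 8-letter prefix followed by 16 random lowercase letters, and all function names are illustrative.

```python
import math
import random
import string
from collections import Counter

def max_entropy_bits(alphabet_size, length):
    """Theoretical ceiling from the post: H = log2(a^b) = b * log2(a)."""
    return length * math.log2(alphabet_size)

def position_entropy(tokens):
    """Shannon entropy in bits of the characters seen at each position."""
    n = len(tokens)
    per_position = []
    for column in zip(*tokens):
        counts = Counter(column)
        per_position.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return per_position

def observed_entropy_bits(tokens):
    """Sum of per-position entropies. Treats positions as independent,
    so correlated positions make this an overestimate."""
    return sum(position_entropy(tokens))

def constructed_sample(count, seed=1):
    """Constructed IDs: fixed 8-letter prefix + 16 random lowercase letters.
    Seeded PRNG is for a repeatable demo only, never for real session IDs."""
    rng = random.Random(seed)
    return ["sessabcd" + "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
            for _ in range(count)]

if __name__ == "__main__":
    ids = constructed_sample(5000)
    print(f"theoretical: {max_entropy_bits(26, 24):.4f} bits")
    print(f"observed:    {observed_entropy_bits(ids):.4f} bits")
    weak = [i for i, h in enumerate(position_entropy(ids)) if h < 1.0]
    print(f"low-entropy positions: {weak}")
```

Positions that never vary contribute zero bits, so the 24-character ID in this sample carries at most what its 16 random characters provide, well below the calculated 113 bits.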