<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Amodh</title>
    <description>The latest articles on DEV Community by Amodh (@amodh).</description>
    <link>https://dev.to/amodh</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4015419%2Fb63b85b1-f7ae-4a66-838c-c6cd32839c3d.jpg</url>
      <title>DEV Community: Amodh</title>
      <link>https://dev.to/amodh</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/amodh"/>
    <language>en</language>
    <item>
      <title>Understanding Shannon entropy: A brief into quantifying Information</title>
      <dc:creator>Amodh</dc:creator>
      <pubDate>Mon, 06 Jul 2026 18:01:43 +0000</pubDate>
      <link>https://dev.to/amodh/understanding-shannon-entropy-a-brief-into-quantifying-information-15a4</link>
      <guid>https://dev.to/amodh/understanding-shannon-entropy-a-brief-into-quantifying-information-15a4</guid>
      <description>&lt;p&gt;How randomness became one of the simplest signals in modern data security.&lt;/p&gt;

&lt;p&gt;When we hear the word &lt;strong&gt;entropy&lt;/strong&gt;, most of us think of thermodynamics. Surprisingly, the same mathematical concept quietly powers many security systems used by modern software companies.&lt;/p&gt;

&lt;p&gt;It isn't used to encrypt data and neither identify secrets with absolute certainty.&lt;/p&gt;

&lt;p&gt;Instead, it answers a much simpler and computationally inexpensive question: &lt;strong&gt;Does this string look unusually random?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;That single question turns out to be incredibly useful when scanning millions of log entries, chat messages, API payloads, and source code files.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;What exactly is Shannon entropy?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;One of the easiest ways to think about Shannon entropy is as a score assigned to a sequence of characters.&lt;/p&gt;

&lt;p&gt;If the characters follow a predictable pattern, the score is low. If they appear highly random, the score is high.&lt;/p&gt;

&lt;p&gt;For example, strings like &lt;code&gt;Rahul&lt;/code&gt;, &lt;code&gt;Hyderabad&lt;/code&gt;, or &lt;code&gt;India&lt;/code&gt; have relatively &lt;strong&gt;low entropy&lt;/strong&gt; because their character patterns are easy to anticipate. On the other hand, strings like &lt;code&gt;AD#33@&lt;/code&gt;, &lt;code&gt;Sk.Live.9981&lt;/code&gt;, or &lt;code&gt;TNF33421&lt;/code&gt; have &lt;strong&gt;higher entropy&lt;/strong&gt; because their characters appear much less predictable.&lt;/p&gt;

&lt;p&gt;The more mixed up and less predictable the characters become, the higher the entropy.&lt;/p&gt;

&lt;p&gt;That doesn't automatically mean the string is important. It simply means the string looks statistically unusual and may deserve a closer look.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Why would companies care about random-looking strings?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Imagine a system scanning application logs and coming across the following values.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;order_number=12345
token=Qx7P1mZa92LkEf8r
ref=7F29ACD83B11E2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Even without knowing what these values represent, most of us instinctively recognize that they don't all look the same.&lt;/p&gt;

&lt;p&gt;An entropy calculation attempts to quantify that intuition.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;order_number=12345
→ Low entropy
→ Probably harmless

token=Qx7P1mZa92LkEf8r
→ High entropy
→ Suspicious

ref=7F29ACD83B11E2
→ Medium/High entropy
→ Could be a generated reference ID
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The entropy score doesn't make the final decision. Instead, it acts as a &lt;strong&gt;lightweight suspicion score&lt;/strong&gt; that helps determine whether a value deserves further inspection.&lt;/p&gt;

&lt;p&gt;This is why Shannon entropy is typically used as one signal inside a much larger detection pipeline rather than as a standalone system.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Does high entropy always mean a secret?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;This is probably the biggest misconception.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;High entropy does not mean a string is confidential.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It simply means the string is statistically less predictable.&lt;/p&gt;

&lt;p&gt;Many perfectly harmless values have high entropy, including UUIDs, random database identifiers, cache keys, session IDs, generated filenames, and hashes of public data.&lt;/p&gt;

&lt;p&gt;Likewise, many confidential values can have surprisingly low entropy.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;password=Summer2024
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That password is clearly sensitive.&lt;/p&gt;

&lt;p&gt;Yet it isn't particularly random.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Entropy measures randomness, not sensitivity.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This distinction is what makes entropy useful, but also why it should never be used on its own.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;So where does entropy actually fit in?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;In real production systems, entropy is almost never used by itself.&lt;/p&gt;

&lt;p&gt;Instead, it becomes one component inside a larger sensitive-data detection pipeline.&lt;/p&gt;

&lt;p&gt;A typical pipeline might combine regular expressions, dictionary matching, checksum validation, known token prefixes, contextual analysis, and Shannon entropy.&lt;/p&gt;

&lt;p&gt;Conceptually, the workflow looks something like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Incoming Log -&amp;gt; Regex Detection -&amp;gt; Dictionary Matching -&amp;gt; Checksum Validation -&amp;gt; Entropy Score -&amp;gt;Final Confidence Score
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Each stage contributes evidence before the system decides whether something is likely to contain sensitive information.&lt;/p&gt;

&lt;p&gt;Entropy simply strengthens that decision.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;How do large companies use this in practice?&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;Organizations processing millions—or even billions—of log entries cannot manually inspect every value flowing through their systems.&lt;/p&gt;

&lt;p&gt;Instead, they build automated pipelines that attempt to identify sensitive information before it gets stored, indexed, shared, sent to monitoring platforms, or displayed on dashboards.&lt;/p&gt;

&lt;p&gt;Within these pipelines, Shannon entropy helps surface values that &lt;em&gt;look&lt;/em&gt; like API keys, access tokens, JWTs, OAuth tokens, encryption keys, password hashes, payment-related identifiers, or random secrets accidentally pasted into logs.&lt;/p&gt;

&lt;p&gt;Notice the wording here.&lt;/p&gt;

&lt;p&gt;The system isn't concluding that these values are secrets.&lt;/p&gt;

&lt;p&gt;It's simply increasing the confidence that they deserve closer inspection.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What might this look like in a codebase?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Many companies implement a small utility that computes a normalized Shannon entropy score for a given string.&lt;/p&gt;

&lt;p&gt;That score is then passed to a larger security rules engine instead of making decisions by itself.&lt;/p&gt;

&lt;p&gt;The architecture often looks something like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Application -&amp;gt; Log Scanner -&amp;gt; Entropy Calculator -&amp;gt; Security Rules Engine -&amp;gt; Alert / Redaction / Block
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The entropy calculator is simply another reusable component inside the overall detection pipeline.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Some questions I had while learning about this&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Do all companies use Shannon entropy?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not necessarily, many security products and internal security platforms use entropy-based heuristics, especially for secret detection, data loss prevention, and log redaction.&lt;/p&gt;

&lt;p&gt;However, there isn't a universal standard.&lt;/p&gt;

&lt;p&gt;Some organizations rely heavily on entropy, while others place more emphasis on contextual analysis, machine learning, proprietary heuristics, or a combination of several techniques.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does a high entropy score always indicate a valuable or confidential string?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not at all. A randomly generated UUID may have high entropy while being completely harmless.&lt;/p&gt;

&lt;p&gt;On the other hand, a password like &lt;code&gt;Summer2024&lt;/code&gt; has relatively low entropy but is still highly confidential.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Entropy is a heuristic, not proof.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It provides another signal to help a detection system make better decisions, but it should never be treated as definitive evidence.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bonus point- Was this names after Claude Shannon? The same Clause that Anthropic's AI is named after?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes! Anthropic's AI assistant, Claude, is named after &lt;strong&gt;Claude Shannon&lt;/strong&gt;, the mathematician and electrical engineer widely regarded as the father of information theory.&lt;/p&gt;

&lt;p&gt;Another day, another concept simplified!&lt;/p&gt;

&lt;p&gt;Shannon introduced the concept of information entropy in his landmark 1948 paper, &lt;em&gt;A Mathematical Theory of Communication&lt;/em&gt;. His work laid the mathematical foundation for modern data compression, cryptography, digital communications, and many other areas of computer science.&lt;/p&gt;

&lt;p&gt;While today's AI models don't generate responses by directly computing Shannon entropy, the name "Claude" serves as a tribute to one of the most influential figures in information theory.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Final thoughts&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before reading about Shannon entropy, I assumed it was some sophisticated technique for identifying secrets.&lt;/p&gt;

&lt;p&gt;It turns out the idea is much simpler.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Shannon entropy isn't a secret detector. It's a randomness detector.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On its own, it cannot determine whether a string is confidential. But when combined with regular expressions, contextual analysis, dictionaries, and checksum validation, it becomes an inexpensive yet surprisingly effective signal inside modern security systems.&lt;/p&gt;

&lt;p&gt;Sometimes, asking &lt;strong&gt;"Does this string look unusually random?"&lt;/strong&gt; is far more practical than trying to answer &lt;strong&gt;"Is this definitely a secret?"&lt;/strong&gt;—especially when you're scanning billions of strings every day.&lt;/p&gt;

</description>
      <category>algorithms</category>
      <category>computerscience</category>
      <category>data</category>
      <category>security</category>
    </item>
    <item>
      <title>Understanding the Luhn Algorithm: Why your browser knows a card number is invalid before the bank does</title>
      <dc:creator>Amodh</dc:creator>
      <pubDate>Sat, 04 Jul 2026 19:07:08 +0000</pubDate>
      <link>https://dev.to/amodh/understanding-the-luhn-algorithm-why-your-browser-knows-a-card-number-is-invalid-before-the-bank-147</link>
      <guid>https://dev.to/amodh/understanding-the-luhn-algorithm-why-your-browser-knows-a-card-number-is-invalid-before-the-bank-147</guid>
      <description>&lt;p&gt;While making an online payment the other day, I accidentally mistyped my card number. The website rejected it immediately, even before there was any indication that it had contacted the issuing bank.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which lead to the question&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;How can a software or a portal determine that a number is invalid without querying a database?&lt;/p&gt;

&lt;p&gt;The answer lies in one of the simplest and most elegant checksum algorithms ever designed and that I recently got to know about- the &lt;strong&gt;Luhn algorithm&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is the Luhn Algorithm?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The purpose of the Luhn algorithm is &lt;strong&gt;not&lt;/strong&gt; to verify that a number (note: here I am considering any reference number/credit card number, etc when I say number) exists.&lt;/p&gt;

&lt;p&gt;Instead, its purpose is to detect whether a number has been &lt;strong&gt;typed or transmitted correctly&lt;/strong&gt; by verifying its checksum (Assuming that the human inputting the number might mistype a digit or two)&lt;/p&gt;

&lt;p&gt;It acts as a fast, inexpensive first line of validation before any network request or database lookup is performed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Assuming that it is primarily used for Credit card number validations, does this validation only work for 16-Digit Numbers?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No.&lt;/p&gt;

&lt;p&gt;Although it is commonly associated with payment card numbers, the Luhn algorithm works for identifiers of &lt;strong&gt;any length&lt;/strong&gt;, provided they contain a check digit (the final digit of any number).&lt;/p&gt;

&lt;p&gt;Its design is completely independent of the number of digits.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;When we day "number is valid", what Does "Valid" actually mean?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is perhaps the most common misconception.&lt;/p&gt;

&lt;p&gt;Passing the Luhn algorithm &lt;strong&gt;does not&lt;/strong&gt; mean that the identifier exists in a databse and holds some value against it.&lt;/p&gt;

&lt;p&gt;It simply means the identifier is &lt;strong&gt;structurally valid&lt;/strong&gt; according to the checksum.&lt;/p&gt;

&lt;p&gt;In other words, the number is &lt;em&gt;plausibly&lt;/em&gt; valid and has been inputted correctly by the user.&lt;/p&gt;

&lt;p&gt;A number can satisfy the Luhn algorithm even if it has never been issued by any institution.&lt;/p&gt;

&lt;p&gt;To determine whether an identifier actually exists, the issuing organization must still perform its own database lookup and authorization checks (which is honestly a story for another time).&lt;/p&gt;

&lt;p&gt;The Luhn algorithm is therefore best thought of as the &lt;strong&gt;first and cheapest filter&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do institutions intentionally generate numbers that satisfy Luhn?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes.&lt;/p&gt;

&lt;p&gt;When an organization generates an identifier that uses the Luhn algorithm, it deliberately computes the final digit—known as the &lt;strong&gt;check digit&lt;/strong&gt;—so that the complete number satisfies the checksum.&lt;/p&gt;

&lt;p&gt;The check digit is not random; it is calculated.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The internal working&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Starting from one end of the number (the direction depends on whether the identifier has an odd or even number of digits), every alternate digit is multiplied by &lt;strong&gt;2&lt;/strong&gt;, producing a repeating multiplication pattern: Assume the below pattern&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;2 1 2 1 2 1 ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If doubling a digit produces a two-digit result (for example, &lt;code&gt;8 × 2 = 16&lt;/code&gt;), the digits of the product are added together (&lt;code&gt;1 + 6 = 7&lt;/code&gt;). This is equivalent to subtracting &lt;strong&gt;9&lt;/strong&gt; from any doubled value greater than &lt;strong&gt;9&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Finally, all transformed digits are summed.&lt;/p&gt;

&lt;p&gt;If the total is divisible by &lt;strong&gt;10&lt;/strong&gt;, the identifier passes the checksum. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why the &lt;code&gt;2-1-2-1...&lt;/code&gt; Pattern?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The pattern is not arbitrary.&lt;/p&gt;

&lt;p&gt;Doubling every alternate digit creates a transformation in which every decimal digit maps to a unique output after digit reduction (Every single-digit number maps to a unique single-digit value after the Luhn transformation: 0→0, 1→2, 2→4, 3→6, 4→8, 5→1, 6→3, 7→5, 8→7, and 9→9, ensuring that no two different digits produce the same output.). Which might not have been possible if any other number other than 2 would have been used. &lt;/p&gt;

&lt;p&gt;This uniqueness allows the algorithm to detect all single-digit errors and most adjacent transposition errors.&lt;/p&gt;

&lt;p&gt;Alternative multiplication patterns such as &lt;code&gt;3-1-3-1&lt;/code&gt; or &lt;code&gt;4-1-4-1&lt;/code&gt; do not preserve this property, making them less effective at error detection.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why is the checksum based on divisibility by 10?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The designers could have chosen any modulus. Then why 10?&lt;/p&gt;

&lt;p&gt;They chose &lt;strong&gt;10&lt;/strong&gt; because decimal numbers are what humans naturally work with, and checking whether a sum is divisible by &lt;strong&gt;10&lt;/strong&gt; is computationally trivial:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sum % 10 == 0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Using modulo 10 makes both the implementation and the explanation remarkably simple. This is why the Luhn's algorithm is also called the modulo 10&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why not simply store every issued identifier in a database?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because the goals are different.&lt;/p&gt;

&lt;p&gt;A database answers the question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;"Does this identifier exist?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Luhn algorithm answers a cheaper question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;"Could this identifier even be valid?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;By rejecting obvious typing mistakes locally, applications avoid unnecessary database queries and network requests.&lt;/p&gt;

&lt;p&gt;This improves responsiveness and reduces load on backend systems.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;When should an organization use the Luhn Algorithm?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Luhn algorithm is a design choice, not a requirement.&lt;/p&gt;

&lt;p&gt;It is most useful when identifiers are &lt;strong&gt;frequently entered manually&lt;/strong&gt; and there is value in detecting accidental typing errors before performing an expensive lookup.&lt;/p&gt;

&lt;p&gt;Whenever humans are expected to repeatedly type long numeric identifiers, adding a single calculated check digit can dramatically improve the user experience while reducing unnecessary backend work.&lt;/p&gt;

&lt;p&gt;So this is how a simple typo while making an online payment led me down a rabbit hole into one of the most elegant algorithms I've come across.&lt;/p&gt;

</description>
      <category>algorithms</category>
    </item>
  </channel>
</rss>
