by Adam Brett

What Makes a Password Strong - Calculating Password Entropy

Learning about passwords, and what makes one strong, is a fairly important part of modern computing.

What is Entropy?

Simply put, entropy is the total number of passwords in the pool that you have selected from, assuming that you select from the pool randomly.

It can be expressed in the form:

log2(sizeOf(pool)) * length

For a dictionary based password, the pool is the words in the dictionary you chose from. If that's an actual dictionary, that would be about 170,000, if it's your vocabulary, for most people that's just 3000.

For a lowercase password, it would be the 26 letters a-z, for mixed case, the 52 letters a-zA-Z, and for an alphanumeric password, it would be the 52 letters a-zA-Z, plus the numbers 0-9, for a total of 62. For a totally random password, there are also 33 special characters on a standard keyboard, giving a total available pool size of 95.

An Example

Let's take an example password of: 8NgK03PzZL1.

This password uses uppercase letters (pool of 26), lowercase letters (pool of 26), and numbers (pool of 10). This gives a total pool of 62 characters. It's 11 characters long, which means it has an entropy of log2(26+26+10)*11, or ~65bits, which is expressed as 2^65. This means the total number of passwords is equivilant to 2 x 2 x 2 x 2 ... and so on 65 times. For most purposes is sufficient.

Increasing Entropy

You can increase password entropy by increasing length, or by increasing the character pool.

If we were to change the pool, without changing the length, like so: 8<gK03PzZL1, we now have a pool of: 26 + 26 + 10 + 33 (there are 33 special characters on a standard keyboard), so our entropy is log2(26+26+10+33)*11, the number is now even larger, at ~72 bits of entropy.

Because these are powers of 2, every extra bit of entropy doubles the total number of possible passwords.

If we were to change the length, without changing the character pool, we would also see an increase in entropy, for example: 8NgK03PzZL1w is log2(26+26+10)*12, or ~71 bits of entropy.

If we were to do both, the benefits compound. For example: 8<gK03PzZL1w is log2(26+26+10+33)*12, or ~78 bits of entropy.

Randomness is Important

Passwords must be truly random data from the total available pool in order for it to be secure, and these calculations valid.

For example "horse battery staple" has ~117 bits of entropy: log2(26+33)*20, but is not very secure because:

1) It's vulnerable to a dictionary based attack and 2) is one of the most commonly known passwords on the internet.

In reality, this password should be calculated by log2(number-of-common-dictionary-words)*3, which is about log2(3000)*3 or ~35 bits of entropy.

Why is this Important?

On average, an attacker will only need to attempt half of the available passwords, which means a password with 65bits of entropy only has an effective defense of 64bits, as in powers of 2 one less is half.

The amount of entropy required depends on the purpose of the password. For modern cryptography, 128bits is considered uncrackable by any hardware, excluding quantum computing, which is currently only theoretical. 256bits is considered uncrackable even given what we currently know about quantum computing, though this may change in the future.

Deciding how much entropy you need is a matter of what you're trying to protect, and how motivated your adversary.

In this example, the 65 bits of entropy is probably enough. The total password pool is 2^65. Given that an average laptop can make 1500 guesses per second, which would take ~391 million years to crack with 65 bits of entropy ((2^64) / 1500 / 60 / 60 / 24 / 7 / 52) - remember an attacker on average only needs to check half, which is why we calcualte with one less power of entropy!

Compare that to 128bits of entropy: (2^127)/1500/60/60/24/7/52 which is a minimum of 3.6 million quadrillion years.

Most competent attackers can make 1 billion guesses per second. There are people out there who can make 350 billion guesses per second, so in reality these numbers become smaller faster, a 65bit password could be cracked in ~586 years at 1 billion guesses per second, or 87 weeks at 350 billion per second. At 350 billion guesses per second, a 128bit password would still require multiple quadrillion years.

State actors are capable of guesses at speeds far exceeding this (trillions per second), and are therefore able to crack a 65bit password relatively quickly, but a 128bit password would still require ~1 billion billion years to crack, even at their speeds.

For exclusive content, including screen-casts, videos, and early beta access to my projects, subscribe to my email list below.

I love discussion, but not blog comments. If you want to comment on what's written above, head over to twitter.