Date Created: May 18, 2018
Last Update: Jun 8, 2018

Password entropy is a number, expressed in bits, that represents how unpredictable a password is.

Password entropy depends on the size of the character set the password is drawn from and on the length of the password. The larger the character set, and the longer the password, the higher the entropy. Password entropy estimates how many guesses an attacker would need to find the password by brute force.

Password entropy is calculated as the number of characters in the password multiplied by the log base 2 of the number of characters in the character set used: entropy = length × log2(charset size). Each character drawn uniformly from an N-character set contributes log2(N) bits.

How much entropy is required? This depends on how the password is used. Online attacks, where every guess has to go through the login service and can be throttled, are much slower than offline attacks against a stolen password hash, so a password that only faces online guessing needs at least 29 bits of entropy. A password that protects important data, may be attacked offline, and needs to stay in use for a long period of time requires up to 96 bits of entropy.

Note: password entropy alone is not a sufficient measure of how difficult a password is to crack. The formula assumes every character was chosen uniformly at random; a password built from names, dictionary words or keyboard patterns (such as robert381tom below) can be guessed with far less work than its entropy figure suggests, because attackers try those patterns first. Other factors matter too, such as how the password is hashed and whether the service rate-limits guesses. Develop a password policy for your company that balances the cost of protecting data against the value of the data.

Let's take a look at a hypothetical password and calculate its entropy. Then we make simple changes to this password that increase the entropy while keeping the password easy to remember.

Password         Length   Charset size   Entropy (bits)
robert381tom       12         36              62.0
Robert381tom       12         62              71.5
Robert@381tom      13         95              85.4

Entropy here is length × log2(charset size), rounded to one decimal. Capitalising one letter grows the character set from 36 (lowercase plus digits) to 62 (mixed case plus digits); adding the @ brings in the symbol class (95 printable ASCII characters) and also lengthens the password to 13 characters, which is why the third step gains the most.
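The formula and the three passwords above, worked through in code, together with the online-versus-offline guessing rates and the caveat that entropy overstates the strength of a password built from names. This is an added example written for this page, not code from the original article or from any linked tool. The character classes, the guess rates (10 guesses per second for a throttled login form, 10^10 per second for an offline attack on a fast hash) and the 1,000-name wordlist size used in the structured-guess check are assumptions for illustration only.

```python
import math
import string

# Character classes used to infer the alphabet a password is drawn from
# (constructed for this example; a site policy may carve the classes differently).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),    # 26
    "uppercase": set(string.ascii_uppercase),    # 26
    "digits":    set(string.digits),             # 10
    "symbols":   set(string.punctuation + " "),  # 33, giving 95 printable ASCII in total
}

# Guess rates are assumptions for illustration, not measurements:
# a throttled login form versus a GPU rig attacking a fast unsalted hash offline.
ONLINE_GUESSES_PER_SECOND = 10.0
OFFLINE_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 31_557_600


def charset_size(password: str) -> int:
    """Sum the sizes of every character class the password actually uses."""
    size = sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def entropy_bits(password: str) -> float:
    """Entropy as defined in the text: length * log2(charset size)."""
    return len(password) * math.log2(charset_size(password))


def strength_label(bits: float) -> str:
    """Map a bit count onto the rule-of-thumb bands used on this page."""
    if bits < 28:
        return "Very weak"
    if bits < 36:
        return "Weak"
    if bits < 60:
        return "Reasonable"
    if bits < 128:
        return "Strong"
    return "Very strong"


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given guess rate."""
    return 2.0 ** (bits - 1) / guesses_per_second


def structured_guess_bits(choices_per_part) -> float:
    """Bits of work for an attacker who knows the password's structure.

    Each part is picked from a small list (a names list, a 3-digit number, ...)
    rather than from the whole alphabet, so the keyspace is the product of the
    list sizes instead of charset_size ** length.
    """
    return math.log2(math.prod(choices_per_part))


def describe(password: str) -> dict:
    """Collect length, charset, entropy, band and expected crack times for a password."""
    bits = entropy_bits(password)
    return {
        "password": password,
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(bits, 1),
        "label": strength_label(bits),
        "online_years": expected_crack_seconds(bits, ONLINE_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
        "offline_years": expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for pw in ("robert381tom", "Robert381tom", "Robert@381tom"):
        d = describe(pw)
        print(f"{d['password']:<14} len={d['length']:>2} charset={d['charset']:>2} "
              f"bits={d['bits']:>5} {d['label']:<11} "
              f"online={d['online_years']:.2e}y offline={d['offline_years']:.2e}y")

    # Caveat from the text: the formula assumes every character is random.
    # An attacker who guesses "<name><3 digits><name>" from an assumed 1,000-name
    # list faces only about 30 bits of work for robert381tom, not 62.
    print(f"structured guess: {structured_guess_bits([1000, 1000, 1000]):.1f} bits")
```

Running the block prints the three rows of the table above recomputed from the formula, then the structured-guess figure. The gap between the 62-bit brute-force estimate and the roughly 30-bit structured estimate for robert381tom is the point of the note about entropy not being sufficient on its own: the first number assumes the attacker knows nothing about how people build passwords, the second assumes the attacker tries the obvious pattern first.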

How strong do we need our passwords to be? Here is a rule-of-thumb guide for interpreting an entropy figure:

Entropy (bits)   Strength      Recommended   Comments
< 28             Very weak     No            Do not use
28 - 35          Weak          No            Don't use on anything worth protecting
36 - 59          Reasonable    Yes           Fairly secure for network and company passwords
60 - 127         Strong        Yes           Good for guarding financial information
128+             Very strong   Yes           Often overkill; these passwords are hard to remember

A good source of further material on password entropy is the Wikipedia article: link

Tools for measuring password strength: Password Strength

