Password entropy is a number, expressed in bits, that represents how unpredictable a password is.
Password entropy is based on the character set used: the more characters in the character set, the higher the entropy. Password entropy predicts how difficult a password would be to crack through guessing.
Password entropy is calculated as the log base 2 of the number of characters in the character set used, multiplied by the number of characters in the password (entropy in bits = password length × log2(character-set size)).
How much entropy is required? This depends on the usage of the password. Online attacks are slower than offline attacks, so a password exposed only to online guessing needs at least 29 bits of entropy. For a password that protects important data and needs to exist for a long period of time, up to 96 bits of entropy are required.
Note: password entropy alone is not a sufficient measurement of the difficulty to crack a password. There are many factors to consider. Develop a password policy for your company that balances the cost to protect data versus the value of the data.
Let's take a look at a hypothetical password and calculate its entropy. Then we make simple changes to this password to increase its entropy while keeping it easy to remember.
How strong do we need our passwords to be? Here is a rule of thumb guide to help with entropy:
| Entropy in bits | Strength | Recommended | Comments |
|---|---|---|---|
| < 28 | Very weak | Do not use | |
| 28 - 35 | Weak | No | Don't use on anything worth protecting |
| 36 - 59 | Reasonable | Yes | Fairly secure password for network and company passwords |
| 60 - 127 | Strong | Yes | Can be good for guarding financial information |
| 128+ | Very Strong | Yes | Often overkill. These types of passwords are hard to remember |
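The entropy formula (length × log2 of the character-set size) and the strength table above, applied to a hypothetical password and a few easy-to-remember variations of it, as an added Python example that is not part of the original article. The character-class sizes (26 lowercase, 26 uppercase, 10 digits, the 32 ASCII symbols in `string.punctuation`, and 1 for the space) and the sample passwords are assumptions of this example, not values from the article.

```python
import math
import string

# Character classes and the size each contributes to the guessing pool.
# These class sizes are an assumption of this example, not from the article.
CHARACTER_CLASSES = {
    "lowercase": (set(string.ascii_lowercase), 26),
    "uppercase": (set(string.ascii_uppercase), 26),
    "digits": (set(string.digits), 10),
    "symbols": (set(string.punctuation), len(string.punctuation)),  # 32
    "space": ({" "}, 1),
}

# Strength bands reproduced from the article's table: (exclusive upper bound, label).
STRENGTH_BANDS = [
    (28, "Very weak"),
    (36, "Weak"),
    (60, "Reasonable"),
    (128, "Strong"),
]


def charset_size(password: str) -> int:
    """Size of the pool an attacker must guess from: the sum of the sizes of
    every character class that appears at least once in the password."""
    size = 0
    for chars, class_size in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += class_size
    return size


def password_entropy(password: str) -> float:
    """Entropy in bits = length * log2(charset size), as the article defines it."""
    n = charset_size(password)
    if not password or n == 0:
        return 0.0
    return len(password) * math.log2(n)


def strength(bits: float) -> str:
    """Map an entropy value onto the article's strength labels."""
    for upper, label in STRENGTH_BANDS:
        if bits < upper:
            return label
    return "Very Strong"


def evaluate(password: str) -> dict:
    """Return the charset size, entropy and strength label for one password."""
    bits = password_entropy(password)
    return {
        "password": password,
        "charset": charset_size(password),
        "bits": round(bits, 2),
        "strength": strength(bits),
    }


# Constructed sample passwords: a base word, then three simple changes that
# raise entropy without making the password harder to remember.
SAMPLES = [
    "sunshine",                 # 8 lowercase letters
    "Sunshine7",                # add an uppercase letter and a digit
    "Sunshine7!",               # add a symbol
    "sunshine over the hills",  # lengthen it into a memorable phrase
]


def main() -> None:
    for pw in SAMPLES:
        r = evaluate(pw)
        print(f"{r['password']!r:28} charset={r['charset']:3} "
              f"bits={r['bits']:7.2f} -> {r['strength']}")


if __name__ == "__main__":
    main()
```

The phrase scores highest even though it uses only lowercase letters and spaces, because length multiplies the per-character bits. Note the caveat the article raises: this calculation treats "sunshine" as 37.6 bits because it only looks at the character set, while a guessing attack that tries common dictionary words first would find it far sooner; entropy by this formula is an upper bound, not a guarantee.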
A good source of material for password entropy is the Wikipedia article: link
Tools for measuring password strength: Password Strength
Copyright 2018 NeoPrime LLC