Password strength: Difference between revisions

This article may require cleanup to meet Wikipedia's quality standards. No cleanup reason has been specified. Please help improve this article if you can. (December 2007) (Learn how and when to remove this message)

Password strength is a measurement of the effectiveness of a password as an authentication credential. The strength of a password is a function of length, complexity, and randomness.^[1]

While passwords serve an essential role in computer security, they must also be reasonable and functional for the end user. Passwords that are too strong will almost certainly be written down, which some consider a security risk.^[2] In contrast, others argue that forcing users to only remember passwords necessitates weak passwords, and thus poses a much greater security risk. After all, most people are good at securing their wallets or purses, which is a great place to store a written password. ^[3]

While using strong passwords lowers overall risk of a security breach, strong passwords do not replace the need for other effective security controls. There are various ways to breach computer security that do not involve passwords, such as software vulnerabilities, phishing, keystroke logging, social engineering, dumpster diving, etc.

The most common practice of measuring password strength is to measure in terms of "bit strength", which is the same method used to measure the strength of encryption.^[4][2] Bit strength simply represents the total number of possible permutations in a password. For example, a password with 8 bit strength has 256 different possibilities.

Passwords are made up of ASCII characters, which include all lower case and uppercase letters, in addition to all numbers and symbols (punctuation included). While every character on a computer technically occupies 8 bits of space, characters used in passwords never use 8 bits of space -- they are limited to only 6.5 bits at a maximum.^[2]

Bit strength can be calculated by taking the total number of possibilities for each character, and multiplying by the over all length. The number of variations per character is contingent on:

• Password policy, which dictates a required composition for a password.
• Information entropy, or randomness of the password.

For example, ignoring entropy for the moment, a password policy that requires lowercase letters, uppercase letters, numbers and symbols results in 95 variations per character, which equals 6.5 bits. If the password is 8 characters long, the bits per character is multiplied by the overall length (6.5 x 8) to produce the overall bit strength (52 bits).

While password policy defines a theoretical limit for the number of variations per character, the science of information entropy is necessary to accurately determine the number of variations per character.

NIST uses the following guidelines for estimating password entropy (ie, randomness)^[4]:

• the entropy of the first character is 4 bits;
• the entropy of the next 7 characters are 2 bits per character
• the 9th through the 20th character has 1.5 bits of entropy per character;
• characters 21 and above have 1 bit of entropy per character;

This leads to findings that in the absence of a password policy, an 8 character password has an 18-bit strength. Yet, even with a password policy that requires at least one number, one symbol, and mixed case, an 8 character password only achieves an estimated 30-bit strength.^[4]

What is a satisfactory bit-strength to protect against password cracking? Some basic benchmarks can be established. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day.^[5] In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days.^[6] Meanwhile, distributed.net estimates that cracking a 72-bit key using current equipment will take about 1,453 years.^[7] No currently expected increase in computer power will be sufficient to break 128-bit or 256-bit encryption. Due to currently known limitations in Physics, no digital computer is capable of breaking 128-bit or 256-bit encryption.^[8] Whether or not quantum computers will be able to do so in practice is still unknown.

As a result, there can be no exact answer for a password strength sufficient to resist brute force attack in practice. Clearly 56-bits is too low, while some may find 64-bits acceptable. NIST recommends 80-bits for the most secure passwords, which can nearly be achieved with a 95 character character set (eg, original ASCII) with a 12 character random password (12 x 6.5 bits = 78).^[4]

Random and entropy are often confused, and this difference is important in choosing passwords. A random sequence is one without a pattern, or alternatively without a generating algorithm, despite the existence of 'random number generators' (see PRNG and Hardware random number generator). For instance, the number pi (3.1415926...) has no discernible pattern, passes statistical tests for randomness, and yet is useless for encryption keys or passwords as it has low entropy. Any particular segment of that sequence is entirely predictable by calculation or lookup of the digits of pi. Entropy in this context requires unpredictability (by an attacker) and pi has none, at least for an enterprising attacker. ^[9]

People are notoriously bad at achieving entropy. In one analysis of over 3 million 8 character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was only used 250,000 times. True entropy would have each character being used about 200,000 times. The most common number used is "1", while the most common letters are a, e, o, and r.^[9]

There are several methods for generating entropy which may improve password strength:

• a pseudo-random number generator (PRNG) is an algorithm, often implemented as a software program, which attempts to implement a random number generator. The quality of these these routines has been quite variable, and they are widely thought unsuitable for use in a security context, as for choosing passwords.^[10] Computer language library routines are often limited in run length (to perhaps 2^32 or 2^64 values before the sequence repeats), and these are wholly inadequate for security use. RANDU is an infamous, very widely used, and very long-lived, incompetent random number routine for IBM mainframe environments. Some operating system calls (eg, /dev/random (though not /dev/urandom) both from the Linux kernel) are rather better. Many others, however, do not pass muster; for example, Windows 2000 and XP has had a flawed PRNG.^[11]
• a cryptographically secure pseudo-random number generator is a PRNG which is said to be suitable for cryptographic use, that is, for circumstances in which security is important. These are often dependent on hardware sources of entropy, such as a hardware random number generator (audio background noise, hard drive fluctuations, the Intel or VIA CPU randomness circuits, etc). Yarrow and Fortuna are software algorithms for managing such entropy for cryptographic or security use.
• Internet sites which use some of the above techniques: Random.org (source is atmospheric noise); Hot Bits (source is radioactive decay of Krypton-85);
• Manual methods of entropy generation are highly unlikely to be adequate (eg, pick a character, pick another character, ...), unless bound to a mechanical system or set of rules (eg, fair dice or the I Ching). Yet, statistical methods for ensuring entropy are quite sound in the negative sense of detecting patterns; although they have historically failed to distinguish between sequences having high entropy and those with merely random appearance. It has been a tricky figure/ground point throughout the history of probability and random number generation. In that light, consider that there are 10 numbers (10.5% of the printable ASCII characters set), 26 uppercase (27.3%), 26 lowercase (27.3%), and 33 symbols (34.7%). If a sequence has this distribution, chances are that it will be a better choice as a password than one without. So a 12 character password with 4 symbols, 3 lowercase, 3 uppercase, 1 number, in addition to a final character (most likely alphanumeric), would appear to be a reasonable choice.

One of the components in determining password strength is the set of permitted characters. The printable characters which can be produced on a US English keyboard include 26 letters (all either upper or lower case), 10 numbers, and 33 symbols (ie, punctuation, grouping, space, etc). Since several ASCII characters vary between national implementations (at least 4, and sometimes 7 characters), there are about 88 printable characters which can be used nearly everywhere.^{[dubious – discuss]}

Systems vary in which characters are allowed in passwords: sometimes not all printable characters are allowed. Some systems do not permit case differences (ie, E is the same as e for password purposes), others prohibit some of the remaining symbols. Space is rarely permitted in passwords.^{[dubious – discuss]} In a system password policy, these are alphabetic (upper and lower case), numeric, and 'special' characters.

In the past few decades, systems have slowly permitted more characters in passwords, but limitations are still common. The reason this matters is that brute force and pattern matching password crackers must exert more effort (Shannon used the termed 'work factor') to find a password. For instance, if the allowed characters are only upper case alphabetic, an 8 character password will have 26^8 possible values (38 bits). With 88 allowed characters, the same password will have 88^8 possible values (52 bits), a very much larger number requiring (on average) a great deal more work (perhaps prohibitive) of a successful brute force or pattern matching attack. In addition, users commonly fail to choose passwords with high entropy (ie, randomly) and so make password cracking easier. For instance, results from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.^[12]

Common guidelines for choosing good passwords are:^{[13][14][15][16]}

• Include numbers, symbols, upper and lowercase letters in passwords
• Password length should be around 12 to 14 characters
• Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates.

As with any password, even in the weak category, some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (where certain letters in the password are substituted for numbers) may require a password cracking device to work a few seconds longer. The examples below illustrate various ways that weak passwords are constructed, all of which are based on very simple patterns which result in extremely low randomness: ^[9]

• Default passwords: password, default, admin, etc
• Dictionary words: chameleon, Red Sox, sandbags, etc
• Wordlist with numbers: password1, deer2000, john1234, etc
• Wordlist with simple obfuscation: p@assw0rd, l33th4x0r, g0ldf1sh, etc
• Wordlist doubled: crabcrab, stopstop, treetree, etc
• Sequences: qwerty, 12345678, euidhtns, etc
• Identifiers: jsmith123, 1/1/1970, 555-1234, etc

There are many other ways a password can be weak;^[17] the core principle is that a password should include real randomness and not be trivially derived from a "clever" pattern nor should passwords be mixed with information that identifies the user: that is the purpose of the user name!

The passwords below are good ideas for inspiration for your password. This is true because they help to illustrate ways to follow the common password-strength guidelines. Please remember to not actually use the passwords below; you should always use your own individual passwords.

• 4pRte!ai@3 — mixes uppercase, lowercase, numbers, and punctuation
• Tp4tci2s4U2g! — built from a phrase that a user can memorize: "The password for (4) this computer is too (2) strong for you to (4U2) guess!" — mixes types of character as well
• BBslwys90! — loosely based on a phrase that a user can memorize: "Big Brother is always right (right angle = 90°)!" — mixes types of character as well.

This article does not cite any sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Password strength" – news · newspapers · books · scholar · JSTOR (March 2008) (Learn how and when to remove this message)

Effective password policy goes beyond simple guidelines and balances competing needs, including:

• Ensuring that passwords are strong enough for the security needs of a customer (see threat modeling)
• Ensuring that the system is usable (for example, that users can remember their passwords)
• Ensuring that passwords are not disclosed and that password policies fit into a larger security policy

Policies which seriously hurt usability—like assigning random strings of characters to users, or forcing users to change passwords frequently—can even harm security by, for example, leading users to rely on the "Remember password" feature in a Web browser. Many also include password aging, requiring users to choose new passwords regularly, commonly after 30 or 45 days. Many users resent such measures, particularly in the absence of effective security awareness training.

The hardest passwords to guess are long, random strings of characters. Forcing users to use system-created random passwords ensures the password will have no connection with that user and will typically not be found in any dictionary. Some operating systems offer to generate a random password when a user changes their password. For a given number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols (when allowed).

However, such passwords are also the hardest to remember. The imposition of strong random passwords may encourage users to write down passwords, store them in PDAs or cellphones, or share them with others as a safeguard against memory failure, increasing the risk of disclosure.

The following measures can increase acceptance of random password use, if carefully used:

• A training program. Also, update training for those found to disclose passwords.
• Reward users of random passwords by reducing the rate of forced password changes to periods longer than 3 months. Typically 4, 6 or 12 month forced password reset periods work. Spreading out the password change process may have an advantage to human memory processes.
• Compensate for disclosed passwords by building a vigilant account closure process for departing users and/or a process to show each user a last login notification banner.
• Automate a password reset system as a safety net. This will also reduce Helpdesk call volume concerning password resets. However, easily guessable password reset keys bypass the advantages of a strong password system.

Some users develop mnemonic phrases that generate seemingly random passwords —for instance, the first letter of each word. Another way to make "random" passwords more memorable is to use random words (see diceware) or syllables instead of randomly chosen letters.

Any pattern in a password makes guessing (automated or not) easier. As of October 2005, employees of the UK Government are advised to use passwords of the following form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example pinray45). This pattern is called an Environ password^{[citation needed]} and is case-insensitive.

This pattern of alternating vowel and consonant characters causes the password to be pronounceable and thus more memorable. Unfortunately, such patterns severely reduce the password's information entropy, making bruteforce password cracking considerably more efficient.

A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, such that successfully guessing it will require more time than the password cracker is willing to use guessing it. The length of time deemed to be too long will vary with the attacker, the attacker's resources, the ease with which a password can be tried, and the value of the password to the attacker. A student's password might not be worth more than a few seconds of computer time, while one that could be used to transfer money fraudulently might be worth months of computer time to crack.

But as a practical matter, password strength may meet its strength objectives if the time needed to crack the password exceeds the time investment for cracking the password and/or if the protected information becomes obsolete before a cracking effort completes.

The longer the password and the wider the variety of symbol choices, the more intensive the password cracking effort (or well-matched the Rainbow table) must be to defeat the password, assuming that suitable password hashing and protection methods are in place. Furthermore, not using a single word in and of itself renders brute force attacks far less effective.

Note that some systems do not allow symbols or so-called "special characters" like #, @ and } in passwords, and in addition they may be hard to find on different keyboards. In such cases, simply adding another letter, numeral or other symbol may offer equivalent security: alphanumerics with letters of one case provide a character set of 36, whereas case-sensitive alphanumerics provide a character set of 62. (The use of the "special characters" brings the set to 95.)

Another form of strong password is a made-up or partially random word(s) with varying capitalization and one or more numbers or symbols added. Passwords such as these, while being almost entirely alphabetical and easy for the user to remember, are very long and require a brute force password generator to test all letters in both cases as well as all numbers and keyboard symbols in each digit, as symbols and numbers are present somewhere in the word. As discussed in the below paragraph, this will handily defeat a brute force attack with realistic resources.

Passwords can be found by using so-called brute force password generators. In the simplest case, these are small programs that simply try all possible combinations. A 3 GHz processor can generate approximately 3 million passwords a second. A ten letter password such as '4pRte!ai@3', because there are about 95 keys available, is one of ${\displaystyle 95^{10}}$ (or about ${\displaystyle 2^{66}}$) possibilities, which would take approximately 632,860 years to be found assuming purely random possible password generation. A password containing fifteen random upper-case letters with ${\displaystyle 26^{15}}$ (or about ${\displaystyle 2^{70}}$) possibilities would be just as safe (assuming that that the system in question was case-sensitive and allowed for the use of other symbols), and might be easier for some people to remember and type.

However, certain weak password hashing methods can betray a password much more quickly by reducing the number of combinations needed or increasing the speed at which guesses may be rejected to crack an otherwise "strong" password. Further, certain precomputed tables such as rainbow tables can increase the cracking speed considerably.

A formula which calculates the number of possible passwords is: ${\displaystyle \mathrm {maximumCombinations} =\mathrm {nrAvailableChars} ^{\mathrm {PasswordLength} }}$. Using only the 26 lowercase letters and a password length of 7 characters the number of combinations is relatively small: ${\displaystyle 26^{7}=8.03}$ billion combinations. This may appear large to some, but in a time when common computers can generate 3 million passwords a second, it will only take 45 minutes to find the password.

Passwords longer than 7 characters using non-dictionary words are therefore to be preferred in an attempt to use 'good' passwords. However, the majority of computer users don't observe such precautions, in part because they are hard to remember.

A simple example can be used to investigate the resistance of passwords to brute force search.^[18] Experimenting with this program will make clear that a password such as apple is very easy to discover, since it can be found in less than 30 seconds by an exceptionally simple approach.

A rainbow table is a pre-computed table that greatly speeds up a search for a password with a given hash value. It is specific to one hash function, and usually restricted to passwords of a certain length and sometimes character set, e.g. alphanumeric passwords of up to 8 characters hashed by MD5. A table for a given range of passwords may be made larger to speed up testing or smaller to save space. Comprehensive rainbow tables require intensive computation to produce, but need only be calculated once for a given hash function and password range, and are available for many hash functions for passwords of up to about 8 characters.

Factors to consider

• Investment in computer time
• Parallel computing team coordination
• Raw patience of a determined computing effort
• Predictive accuracy
• Encryption type
• Storage space
• Distribution or purchase costs

Rainbow Table Defenses

• For users
  • Use passwords longer than those covered by commonly available tables.
  • Use characters not covered by commonly available tables.
  • Avoid the use or exceed the useful length of old hashing methods.
• For system designers
  • Protect password hashes against capture.
  • Use a salt, which gives every installation or password a more or less unique hash function.

Computer users are generally advised "never write a password down anywhere, no matter what" and "never use a password for more than one account." These maxims, while sound in theory, ignore the reality that an ordinary computer user may have dozens of password-protected accounts. The multitude of accounts often ends up with users having the same password everywhere. A user's attempt to comply will often result in many forgotten passwords, even for important accounts.

If passwords are written down, they should never be kept in obvious places such as address books, Rolodex files, under drawers or keyboards or behind pictures. Perhaps the worst, but all too common, method is a note near the computer. Better locations are a safe deposit box or a locked file approved for information of comparable sensitivity to that protected by the password. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Another approach is to use a single password for low security accounts and select separate, strong passwords for a smaller number of high-value applications such as online banking. Manual or offline forms of this approach are also in use. For example, a phone directory may be used to keep a map between computer accounts and password hints.

The problem of password overload is quite real. Certain IT professionals may manage from 25 to 250 privileged passwords at any one time. In such cases, some safe storage area for password hints, private key or encrypting password become unavoidable.

At a 2005 security conference, an expert from Microsoft was quoted as saying: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."^[19] Security expert Bruce Schneier agreed: "I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."^[20]

Whether it is worse to use weak passwords that are memorized or strong passwords that are written down can provoke fierce debate among experts. Practical security often requires balancing conflicting imperatives such as security requirements and human factors.

The problem was addressed in an interesting way by Steve Gibson during his "Security Now" podcasts with Leo Laporte; he suggested creating not a password, but a password algorithm that could be universally applied to a company name or other unique indicator. A simple algorithm, such as using every other letter from a name, would generate the password wkpda for a Wikipedia password; although this example is a fairly low-security password, minor variables to include numbers, capitalization and symbols can generate a password which is seemingly random, difficult or impossible to remember, but easy to re-generate at any time.

Rather than writing the passwords themselves, some write lists of cryptic clues to their own passwords that have relevance through personal experience. For example, if your favorite movie was Terminator and your cat's birthday was 2007-04-10 you could describe the password “terminator0410” as “Favorite movie cat is born without years”.

In case that it may happen that you need to type the password while being abroad on a different PC, then consider that the PCs abroad may have a different keyboard layout than yours, and you should avoid passwords containing characters that are not present in other keyboard layouts and key patterns that are based on physical location on the keyboard.

A password policy is a set of designed parameters, often controversial, that ensure:

• Implementation of strong passwords
• Reasonable passwords for the user population

For example, password expirations are a topic often covered by password policies. Password expriations serve two purposes:^[21]

• Cracking: Considering that the time to crack a password may be 100 days, expirations that occur every 90 days ensure insufficient time to crack the password.
• Compromise: In the event a password is compromised, changing it will cut off access to the attacker.

Some argue, however, that password expirations have become obsolete, since:^[22]

• Simplicity: Asking users to frequently change passwords encourages simple, non-resilient passwords.
• Cracking: In general, passwords can either be cracked in a matter seconds/minutes/days, or in a matter of decades. 30/60/90 day password changes do not make sense in that context: either change daily or never.

It is also possible for equipment, located perhaps in a van parked outside a building, to display the contents of screens in the building and intercept data sent to printers by picking up leaked electromagnetic radiation (see TEMPEST). Where the greatest security is required it is possible to protect locations against this type of attack, but it is not straightforward and must be done by expert professionals. One protection is to ensure that passwords are never displayed on screen under any circumstances, either when entering them or when creating lists or doing system maintenance.

Obtaining passwords by psychological manipulation of users described as social engineering. An attacker might telephone a user and say "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" Systems administrators and other support staff will very rarely, if ever, need to know a user's password in order to perform their jobs. System administrators with "root" or superuser privileges can change the users' passwords without their permission, so they have no need whatsoever to ask for it. In addition, they will go out of their way not to ask for a password, precisely because they do not want to encourage the habit of giving passwords to anyone. Users do not generally appreciate that any of this is so, and are thus too often vulnerable to social engineering. Passwords should only be given to people who are known to the user and authorised to know the password.

Password Betrayal is a method that takes advantage of a mixed mode technique. It uses the combined effect of differing strengths of password hashing and people's habit re-using the same password many times. A classic example of password betrayal would be a person re-using the same password on two independent computer systems. On one computer system the strong password is strongly protected. But on the other computer system the password protection is easily defeated. The under-protected password is then re-used with other accounts known to belong to the same person. This password capture method can work even if the password is a strong or complex password choice.

Single sign-on solutions can be an advantage in reducing the risk of password betrayal. However, a person may access separate systems with differing password encryption strengths, password complexity rules, single sign-on product vendors and computer security vulnerabilities.

To help, a person can keep an index of which password is in use with multiple accounts. This strategy can mitigate this risk to some extent. The password use index allows the person to change groups of accounts with identical passwords as needed. But, a password use index should only contain obscure hints rather than actual passwords. Care should be taken to protect a password use index from easy duplication, sharing, exposure or capture.

• Choosing Good Passwords — A User Guide.
• Password Policy Guidelines.
• Examples of common (and hence weak) passwords
• The Memorability and Security of Passwords — Some Empirical Results (Study done by Cambridge University Computer Laboratory)
• Bruce Schneier (December 14, 2006). MySpace Passwords Aren't So Dumb.
• Rainbow tables
• Simple rules for choosing a good password
• How to Write Better Passwords
• SecurityStats's password strength meter
• Microsoft's Javascript password strength meter
• CertainKey's password strength meter, which includes information entropy (in bits) as a criterion of sufficient randomness
• RFC 4086: Randomness Requirements for Security

• SuperGenPass hashes users' "master password" with domain to create a unique password per domain
• Choose A Password password generator