Password strength

In its usual form, password strength estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly.

[2] The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication factors (knowledge, ownership, inherence).

In 2019, the United Kingdom's NCSC analyzed public databases of breached accounts to see which words, phrases, and strings people used.

Typically, humans are asked to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or internet website.

However, this is inherently insecure because the person's lifestyle, entertainment preferences, and other key individualistic qualities usually come into play to influence the choice of password, while the prevalence of online social media has made obtaining information about people much easier.

For example, in 2010, the Georgia Tech Research Institute developed a method of using GPGPU to crack passwords much faster.

[5] Elcomsoft pioneered the use of common graphics cards for quicker password recovery in August 2007 and soon filed a corresponding patent in the US.

[6] By 2011, commercial products were available that claimed the ability to test up to 112,000 passwords per second on a standard desktop computer, using a high-end graphics processor for that time.

Special key stretching hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place.

A related measure is the base-2 logarithm of the number of guesses needed to find the password with certainty, which is commonly referred to as the "bits of entropy".

Put another way, a password with 42 bits of entropy would require 2^42 (4,398,046,511,104) attempts to exhaust all possibilities during a brute force search.

Thus, increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker's task twice as difficult.

To find the length, L, needed to achieve a desired strength H, with a password drawn randomly from a set of N symbols, one computes:
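The relationship behind the sentence above is L = ceil(H / log2(N)): a password of L symbols drawn uniformly from N possibilities has L * log2(N) bits of entropy, so the length needed for a target strength H is H divided by the bits each symbol contributes, rounded up. The following script is an added example (not part of the article) that computes that length, the keyspace and entropy of a given alphabet and length, the worst-case time to exhaust the keyspace at a stated guessing rate (the 7 billion attempts per second mentioned later on the page), and generates a password meeting a target strength from the OS random source. The function names and the 95-character printable-ASCII alphabet are assumptions of the example.

```python
import math
import secrets
import string

# 95 printable ASCII characters (letters, digits, punctuation, space); an assumed alphabet.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "


def keyspace(symbol_set_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from a set of `symbol_set_size`."""
    return symbol_set_size ** length


def bits_of_entropy(symbol_set_size: int, length: int) -> float:
    """log2 of the keyspace: the 'bits of entropy' of a uniformly random password."""
    return math.log2(keyspace(symbol_set_size, length))


def required_length(target_bits: float, symbol_set_size: int) -> int:
    """Smallest L with L * log2(N) >= H, i.e. ceil(H / log2(N))."""
    return math.ceil(target_bits / math.log2(symbol_set_size))


def seconds_to_exhaust(symbol_set_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try the whole keyspace at a given rate."""
    return keyspace(symbol_set_size, length) / guesses_per_second


def random_password(target_bits: float, alphabet: str = PRINTABLE_ASCII) -> str:
    """Generate a password reaching `target_bits` using the CSPRNG in `secrets`, not `random`."""
    length = required_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # 42 bits is the figure used on the page; 7e9 guesses/s is the page's quoted GPU rate.
    for bits in (42, 80, 128):
        for name, n in (("digits", 10), ("lowercase", 26), ("printable ASCII", 95)):
            length = required_length(bits, n)
            print(f"{bits:>3} bits from {name:<15}: length {length:>3}, "
                  f"exhaust at 7e9/s in {seconds_to_exhaust(n, length, 7e9):.3g} s")
    print("example 42-bit password:", random_password(42))
```

Note that the entropy figure only holds for passwords chosen uniformly at random; a human-chosen password of the same length and alphabet has far fewer likely candidates, which is the point the rest of the article makes.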

For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.

Such a requirement is a pattern in password choice and can be expected to reduce an attacker's "work factor" (in Claude Shannon's terms).

If patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character.

Many handheld devices, such as tablet computers and smart phones, require complex shift sequences or keyboard app swapping to enter special characters.

According to Bruce Schneier, most people are good at securing their wallets or purses, which is a "great place" to store a written password.

RFC 4086, "Randomness Requirements for Security", published June 2005, presents some example threat models and how to calculate the entropy desired for each one.

A 2010 Georgia Tech Research Institute study based on unstretched keys recommended a 12-character random password, though only as a minimum length requirement.

[5][20] It pays to bear in mind that since computing power continually grows, to prevent offline attacks the required number of bits of entropy should also increase over time.

In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware.

[23] Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer (or combination) will be capable of breaking 256-bit encryption via a brute-force attack.

Common guidelines advocated by proponents of software system security have included:[26][27][28][29][30]

Forcing the inclusion of lowercase letters, uppercase letters, numbers, and symbols in passwords was a common policy but has been found to decrease security, by making it easier to crack.

Research has shown how predictable the common use of such symbols is, and the US[34] and UK[35] government cyber security departments advise against forcing their inclusion in password policy.

The original author of password complexity rules, Bill Burr, has apologized and admits they decrease security, as research has found; this was widely reported in the media in 2017.

The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds.

However, with the assistance of contemporary GPUs at the time, this period was truncated to just about 9 hours, given a cracking rate of 7 billion attempts per second.

[52] Password complexity rules of enforced symbols were previously used by major platforms such as Google[53] and Facebook,[54] but both have since removed the requirement following the discovery that they actually reduced security.

This is because the human element is a far greater risk than cracking, and enforced complexity leads most users to highly predictable patterns (number at the end, swap 3 for E, etc.)
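To show why a composition rule can accept a weak password and reject a strong one, here is an added example (not from the article) that contrasts a classic "all four character classes, 8+ characters" check with a pattern-aware estimate. The pattern model assumes an attacker enumerates a word list with optional leading capital, optional leet swaps, and an appended run of digits or symbols, which are the predictable habits the paragraph names; the word list is a constructed seven-entry sample standing in for a real breach-derived list, and all function names and the guess-count model are assumptions of the example, far simpler than production estimators.

```python
import math
import string

# Constructed sample of a breach-derived word list; real lists run to millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey", "dragon"}

# Substitutions users make when a rule forces digits or symbols ("swap 3 for E", etc.).
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEETABLE = set(LEET.values())                       # letters that have a leet spelling
SUFFIX_CHARS = string.digits + string.punctuation   # what users append to satisfy a rule


def passes_complexity_rule(pw: str) -> bool:
    """The classic rule: 8+ characters with lower, upper, digit and symbol."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def naive_entropy_bits(pw: str) -> float:
    """Bits if every character were drawn uniformly from the classes present (L * log2 N)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def split_pattern(pw: str):
    """Return (base_word, suffix) if pw is a common word with leet swaps plus an appended
    run of digits/symbols, else None.  'Passw0rd1!' -> ('password', '1!')."""
    for k in range(len(pw)):
        base, suffix = pw[:len(pw) - k], pw[len(pw) - k:]
        if suffix and not all(c in SUFFIX_CHARS for c in suffix):
            break  # a longer suffix would include this non-suffix character too
        word = "".join(LEET.get(c, c) for c in base).lower()
        if word in COMMON_WORDS:
            return word, suffix
    return None


def pattern_guess_bits(pw: str):
    """log2 of the candidates an attacker enumerating this pattern would try:
    wordlist size x capitalised-or-not x each leetable letter swapped-or-not
    x suffix alphabet ^ suffix length.  None when no pattern matches."""
    hit = split_pattern(pw)
    if hit is None:
        return None
    word, suffix = hit
    leetable = sum(1 for c in word if c in LEETABLE)
    guesses = len(COMMON_WORDS) * 2 * (2 ** leetable) * (len(SUFFIX_CHARS) ** len(suffix))
    return math.log2(guesses)


def effective_bits(pw: str) -> float:
    """Strength estimate: the naive figure, capped by the pattern model when one matches."""
    naive = naive_entropy_bits(pw)
    patterned = pattern_guess_bits(pw)
    return naive if patterned is None else min(naive, patterned)


if __name__ == "__main__":
    for pw in ("Passw0rd1!", "Summer2023!", "orangegiraffemountainfour"):
        print(f"{pw:<28} rule={passes_complexity_rule(pw)!s:<5} "
              f"naive={naive_entropy_bits(pw):6.1f} bits  "
              f"effective={effective_bits(pw):6.1f} bits")
```

"Passw0rd1!" satisfies the rule and looks like 65 bits under the naive class-counting model, but the pattern model puts it under 19 bits; the long lowercase passphrase fails the rule yet has no matching pattern and well over 100 bits. That gap is why the guidance cited above favours length and breach-list screening over forced symbol classes.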

Options menu of the random password generation tool in Bitwarden. Enabling more character subsets raises the strength of generated passwords a small amount, whereas increasing their length raises the strength a large amount.