scholarly edited this page Jul 26, 2013 · 3 revisions

What makes a good password?

  1. unique: a password should never be reused in different security contexts.
  2. unpredictable: the attacker should not be able to improve his odds over random guessing.
  3. long: the strength of a password is exponential with length iff it is unique and unpredictable.

Unique

If your password is ever exposed and makes its way into a cracker dictionary, its strength becomes zero: game over. This applies to any password used as an example of a password. xupuvlysvzptzcupqcrr9d3ta76p20i was an excellent password (159 bits of entropy) until I published it just now. Now it is next to worthless. (OK, I know it probably won't make it into very many dictionaries, but don't use it, just in case.)

Unpredictable

Common password strength meters assume a zero-order model of entropy [1], i.e. each character in the password is statistically independent of every other. This means that given an alphabet A, the entropy of the password is log_2(|A|) bits per character. This model will always over-estimate the entropy of a password selected by a human, but does approximate a password randomly generated from a "good" random number generator. For example, it suggests that for A = lowercase letters + space, |A| = 27 and H = log_2(27) = 4.75 bits per character. But for "English words", or the so-called "passphrase" like "correct horse battery staple", Shannon estimated the real entropy at 2.3 bits per character. So "correct horse battery staple" has at most 64 bits of entropy, rather than the zero-order estimate of 133 bits. "this is fun" gets at most 25 bits instead of 52.

If you do actually use the "correct horse battery staple" algorithm (don't use this site: no HTTPS, and JavaScript's Math.random() is very bad), your word selection must be unpredictable. XKCD suggests that this password has 44 bits of entropy (not 64). This number may have been derived from selecting 4 words randomly from a list of 2^11 (2048) possible words. It is fairly easy to obtain dictionaries with 2^14 (16384) words that most people know or can remember. Four words from this "alphabet" would give 4*14 = 56 bits.

Approaching unpredictability as a password cracker, I would (of course) use the large password lists that have been exposed over time, and (of course) I would use the best rule sets that other crackers have created. So if your password is in a cracking dictionary, or can be derived from a word in a cracking dictionary by one of those rules, it is predictable: game over. As a highly motivated cracker, I would also carefully analyze those password lists looking for patterns that I can use to make new or better rules. This is why you never want to use a padding strategy on a password that is stored where a cracker might get to it, unless it is long and you know that it is hashed with a slow hash function.

Long

Given a unique, unpredictable password, length has a huge effect on how long it takes to crack, because the cracker is forced to try a brute-force attack. If your password, in 2013, is shorter than 9 or 10 characters (64 bits), a leaked hash means it can quite reasonably be cracked by a motivated adversary. 80 or more bits (e.g. a 14-character alphanumeric password) is probably safe for a while. A 20-character random alphanumeric password (119 bits) is probably safe for a few trillion years. 32 characters (190 bits) is more than any of us need to worry about. Adding a few symbols to the alphabet helps some, but not as much as length: log_2(62^32) = 190, while log_2(95^32) = 210. Neither would be cracked by naive brute force before the sun goes dark. (62 = 26+26+10: alphanumeric ASCII; 95 = 62+33: printable ASCII. Very few web sites will let you use all 33 special characters.)
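The entropy arithmetic from the Unpredictable and Long sections, reproduced as an added example (not part of the original page). Function names are illustrative; the 2.3 bits-per-character figure is the one quoted above, and the generator uses Python's `secrets` module as the CSPRNG.

```python
# Added example: function names are illustrative, not from the page.
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # |A| = 62, as in the text
SHANNON_BITS_PER_CHAR = 2.3                   # English estimate quoted in the text

def zero_order_bits(length, alphabet_size):
    """What a strength meter assumes: independent, uniform characters."""
    return length * math.log2(alphabet_size)

def english_bound_bits(text):
    """Upper bound for readable English at 2.3 bits per character."""
    return len(text) * SHANNON_BITS_PER_CHAR

def wordlist_bits(n_words, list_size):
    """Entropy when each word is drawn uniformly from list_size candidates."""
    return n_words * math.log2(list_size)

def min_length(bits, alphabet_size):
    """Shortest uniformly random password that reaches the target entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def random_password(length, alphabet=ALNUM):
    """Draw each character from the OS CSPRNG so the zero-order model holds."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def report():
    """Meter estimate vs. English bound for the two phrases in the text."""
    rows = []
    for phrase in ("correct horse battery staple", "this is fun"):
        rows.append((phrase,
                     int(zero_order_bits(len(phrase), 27)),
                     int(english_bound_bits(phrase))))
    return rows

if __name__ == "__main__":
    for phrase, meter, bound in report():
        print(f"{phrase!r}: meter says {meter} bits, English bound {bound} bits")
    for size in (2**11, 2**14):
        print(f"4 words from {size}: {wordlist_bits(4, size):.0f} bits")
    for n in (14, 20, 32):
        print(f"{n} random alphanumerics: {int(zero_order_bits(n, 62))} bits")
    print("80-bit target needs", min_length(80, 62), "alphanumeric characters")
    print("sample (do not reuse):", random_password(20))
```

The meter-style estimate is only valid for output like `random_password()`; for anything a human chose, treat it as an upper bound.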

[1] http://arstechnica.com/security/2013/05/its-official-password-strength-meters-arent-security-theater/

[2] http://arstechnica.com/security/2013/05/why-intels-how-strong-is-your-password-site-cant-be-trusted/