Friday, October 30, 2015

Measuring Password Strength (Bits of Entropy)

How to measure password strength?

With the momentum of the “Internet of Things”, almost everyone now has many online accounts. With all these accounts, users and applications are in a constant race to protect their private data from piracy.


There are many techniques to protect data, but having a strong password is ultimately the best defense a user can have to protect their data online. This is, of course, alongside other factors on the application side such as encryption, HTTPS, etc.

The strength of a password comes from a combination of length, complexity, and unpredictability. In order to measure the strength of passwords one has to calculate their bits of Entropy.

In information theory, entropy is the average amount of information contained in each message received (in this case, a password) and is measured in bits. Here, message stands for an event, sample or character drawn from a distribution or data stream.

Entropy is the standard way to measure the strength of any password. Here is how we can get entropy of any password:

In order to find out the password entropy, we first have to look at two factors:

1- The max length of the password
2- Character set which represents the pool of characters the password can be made from.

We can use the above two factors to determine the number of all possible combinations of a particular password, which is equal to:

After getting the number of all possible combinations, we can calculate Entropy by applying the following formula:

For example, let’s say that a certain website allows users to create a password with a max length of 8 characters and it only allows alphanumeric characters.

In this case, the entropy can be calculated as follows:

Character set (CS) = letters (a-z, A-Z) + numbers (0-9) = 26+26+10 = 62
Max length (ML) = 8
Therefore

Password bits of entropy = log2(CS^ML) = log2(62^8) ≈ 47 bits

That’s it!!

The more bits of entropy a password has, the harder it is to break.

How long does it take for a computer to guess a password?

It depends on how fast the computer is and how strong/weak the password is.

The chart below shows how many days it takes to break passwords from 0-50 bits of entropy. Note that passwords with 36.86 bits of entropy are considered strong.

[Chart: days needed to break a password, for 0 to 50 bits of entropy]
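The calculation above, carried through to guessing time, as an added example that is not code from the original post. The class names, the 1e9 guesses-per-second rate and the four-entry wordlist are assumptions made for illustration; the wordlist case shows why the formula only holds for randomly chosen passwords (the "unpredictability" factor).

```python
import math
import string

# Character classes a password policy may allow (names chosen for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed sample wordlist; real guessing lists hold millions of entries.
WORDLIST = {"password", "12345678", "qwertyui", "letmein1"}

def pool_size(allowed):
    """Character set size (CS) for the allowed classes."""
    return len(set("".join(CLASSES[name] for name in allowed)))

def entropy_bits(cs, ml):
    """log2(CS^ML), computed as ML * log2(CS) to avoid huge integers."""
    if cs < 2 or ml < 1:
        raise ValueError("need a pool of at least 2 characters and length >= 1")
    return ml * math.log2(cs)

def min_length(cs, target_bits):
    """Shortest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / entropy_bits(cs, 1))

def days_to_exhaust(bits, guesses_per_second):
    """Days to try every combination at an assumed, constant guess rate."""
    return 2 ** bits / guesses_per_second / 86400

def effective_bits(password, allowed, wordlist=WORDLIST):
    """Entropy as a guesser sees it: a listed password is one of len(wordlist) choices."""
    if password in wordlist:
        return math.log2(len(wordlist))
    return entropy_bits(pool_size(allowed), len(password))

if __name__ == "__main__":
    cs = pool_size(["lower", "upper", "digits"])
    bits = entropy_bits(cs, 8)
    print(f"CS={cs}, ML=8: {bits:.2f} bits")
    print(f"days to exhaust at 1e9 guesses/s: {days_to_exhaust(bits, 1e9):.2f}")
    print(f"length needed for 36.86 bits: {min_length(cs, 36.86)}")
    print(f"'password' effective bits: {effective_bits('password', ['lower']):.1f}")
```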

8 comments:

  1. It is necessary for the parents to teach the simple ways of ensuring cyber security to their children. It will help preventing irreparable loss due to breach of information on a shared computer.

  2. The article is good, but I'm ready to challenge the notion that the best protection of personal data - is a password. Perhaps it was, but is not that in the distant 2008. Now the hacker skills are so great that a password is not particularly protect all your personal data. That's why more and more people are using the cloud server to store personal and corporate data. Here is the actual protection virtual data rooms for mergers and acquisitions. But this is my opinion)

  3. Great post! Really insightful. I have not monetized my blog in any way, I didn’t even know where to begin, but you’ve given some helpful tips.

  4. No doubt this is an excellent post I got a lot of knowledge after reading good luck. Theme of blog is excellent there is almost everything to read, Brilliant post. Folder Lock COMPUTER App Windows 8 - Don't Spend Time Looking, Read through Exactly about Mobile Desktops In this article create password protected folder

  5. I was extremely pleased to uncover this site. I wanted to thank you for ones time for this wonderful read!! I definitely loved every part of it and I have you saved as a favorite to see new information in your blog. Home: Top Nine Quotes On Encryption Software & No Wonder She Said "no"! Learn How To How To Encrypt A Password For Free Persuasively In Nine Easy Steps.

  6. I am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
  7. I have been checking out a few of your stories and i can state pretty good stuff. I will definitely bookmark your blog free instagram likes instantly no survey

