With Graphics Processing Units (GPUs) becoming faster and more reasonably priced, it's becoming important to understand what password entropy is and how it is calculated.
Password entropy is a measurement of how unpredictable a password is.
Password entropy is based on the character set used (which is expansible by using lowercase, uppercase, numbers as well as symbols) as well as password length.
Password entropy predicts how difficult a given password would be to crack through guessing, brute force cracking, dictionary attacks or other common methods.
Password entropy is usually expressed in terms of bits:
A password that is already known has zero bits of entropy;
one that would be guessed on the first attempt half the time would have 1 bit of entropy.
A password's entropy can be calculated by finding the entropy per character, which is a log base 2 of the number of characters in the character set used, multiplied by the number of characters
in the password itself.
National Institute of Standards and Technology (NIST) provides the following guidelines for user-selected passwords with 30 bits of entropy:
Use a minimum of 8 characters selected from a 94-character set.
Include at least one upper case letter, one lower case letter, one number and one special character.
Use a dictionary of common words that users should avoid, like a password blacklist.
Don't use any permutations of your username as your password.
Of course password entropy can't be the only thing considered or passwords would be too long, complex and unmemorable.
Best practices involve employing something memorable to the user but not easily guessed by anyone else.
Because password length is one of the most important factors affecting password entropy and overall strength, a longer password can be simpler than a shorter one and still be effective.
We calculate password entropy by first looking at the pool of characters a password is made from.
For example, the password thisisapassword would have a possible pool of 26 characters from the English alphabet.
Changing the password to ThisIsAPassword would increase your pool to 52 characters. I made a table below to outline the rest.
Type Pool of Characters Possible
Lowercase 26
Lower & Upper Case 52
Alphanumeric 36
Alphanumeric & Upper Case 62
Common ASCII Characters 30
Diceware Words List 7,776
English Dictionary Words 171,000
Entropy is calculated by using the formula log2(x), where x is the pool of characters used in the password.
So a password using lowercase characters would be represented as log2(26) = 4.7 bits of entropy per character.
So our previous example of thisisapassword would have an entropy value of ~ 70 bits (4.7 * 15 characters), assuming a brute-force algorithm.
However, there is also another way of looking at that password.
We could also think of it as log2(7776)*4 = 51.69 bits of entropy, which makes it a much easier password to guess – it would only take 15 days instead of 19 millennia!
On a mathematical note, to calculate out the number of possible combinations using your calculated entropy value you would use 2x, x being the number of bits of entropy.
Password strength is determined with this chart:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill
While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!
A single byte can contain up to 8 bits of entropy.
This is the upper limit. As you learn more about your data, the amount of entropy in those 8-byte block goes down.
Oh, all your bytes are all ASCII characters? That means the highest bit must be a 0; you're down to 7 bits of entropy.
No control characters? Of the ASCII set, 0-31 are control characters - tab, enter, bell, end-of-file. That reduces the character further.
alphabetic, lower case only? Now you're reducing the available options hugely.
English word? Not many of those - an entire english word, RANDOMLY selected, may only have about, say, 12 bits altogether, even though the words may have 5 characters.