{"id":27371,"date":"2024-05-06T14:20:57","date_gmt":"2024-05-06T22:20:57","guid":{"rendered":"https:\/\/www.spokeo.com\/compass\/?p=27371"},"modified":"2024-05-06T14:20:58","modified_gmt":"2024-05-06T22:20:58","slug":"what-to-know-about-password-entropy","status":"publish","type":"post","link":"https:\/\/www.spokeo.com\/compass\/what-to-know-about-password-entropy\/","title":{"rendered":"Password Entropy: How to Know if Your Passwords Are Strong or Not"},"content":{"rendered":"\n

There was a time, just a couple of decades ago, when sensitive data about you was pretty hard to find.  <\/p>\n\n\n\n

Now, of course, we live our lives online, and our sensitive information \u2013 and more \u2013 is frequently stored by the apps and websites we use.  The companies protect that data, in part, by asking us to identify ourselves through passwords when we log in.  That means choosing, and remembering, a whole lot of strong, safe passwords.  There are lots of rules for creating those passwords, but how do you know whether your password is really tough to crack?  Well, there\u2019s an actual measure for that called \u201cpassword entropy,\u201d that can tell you. Here\u2019s how it works, and how to check a password\u2019s strength for yourself. <\/p>\n\n\n\n

What is Password Entropy? <\/h2>\n\n\n\n

The concept of entropy is borrowed from the world of physics.\u00a0 A German physicist named Rudolf Clausius coined the term in 1850<\/a>, as a measure of the degree of randomness or uncertainty in a system.\u00a0 Randomness is bad in some contexts, like management decisions or your kitchen cupboards, but in the case of passwords, it\u2019s essential.\u00a0 Randomness is what makes a password hard to guess, by other humans or (more importantly) by computers.\u00a0<\/p>\n\n\n\n

So, what affects the randomness, and therefore the degree of entropy, in a system?  There are factors that increase a password\u2019s entropy, and others that reduce it.  The next few paragraphs are a simplification, perhaps an oversimplification, but they\u2019re enough to give you a working understanding of the principles involved.  First, we have factors that increase entropy.  Those include: <\/p>\n\n\n\n

Password Length<\/h3>\n\n\n\n

Password length is the biggest single factor that contributes to entropy, and therefore to password strength.  Suppose you\u2019re using a 6-letter password, drawn from the lower-case letters from a to z.  That gives 230,230 possible combinations (there\u2019s a formula for this, but you can just use an online calculator<\/a> to see for yourself).  Increasing to just 8 letters increases that number to over 1.5 million, and 10 letters takes you to over 5.3 million.  Your four-digit bank PIN, on the other hand, yields a trivial 256 possibilities. <\/p>\n\n\n\n

\"rows
Pexels<\/figcaption><\/figure>\n\n\n\n

The Character Set<\/h3>\n\n\n\n

That brings us to another main factor, the number of possible characters in use.  Your bank PIN uses the numerals from 0 to 9, for a total of 10.  The lower-case alphabet gives you 26 possibilities, and the upper-case alphabet adds another 26.  The set of special characters that\u2019s usually available to use in passwords adds another 30.  That gives us a total of 92 possible characters (10+26+26+30).  Now, let\u2019s go back to our calculator. <\/p>\n\n\n\n

If you take an 8-character password from just the 10 numerals, there are only 45 possible combinations.  If you choose that same 8-character password from all 92 of the available characters, now there are over 93 billion<\/em> possible combinations!  That\u2019s why so many passwords now require you to use uppercase and lowercase letters, numerals, and special characters. <\/p>\n\n\n\n

On the opposite side of the ledger, there are factors that reduce password entropy.  Unfortunately, they\u2019re exactly the things that make passwords easier for humans to use.  Some of the most important include: <\/p>\n\n\n\n

Already-Known Passwords<\/h3>\n\n\n\n

Potential hackers already have a pool of hundreds of millions of known passwords at their disposal.\u00a0 They\u2019re the cumulative total of all the data breaches we\u2019ve seen to date, and you can probably remember lots of headlines about those even if you aren\u2019t a regular reader of this blog.\u00a0 People tend to reuse their passwords across multiple sites, and to make many of the same obvious choices when creating one; that\u2019s why you\u2019ll see lists of \u201cworst\u201d or \u201cmost common\u201d passwords<\/a> every year.\u00a0<\/p>\n\n\n\n

Easily Guessable Words and Phrases<\/h3>\n\n\n\n

This is almost, but not quite, the same.  In addition to those \u201cknown-to-be-bad\u201d passwords, we tend to make a lot of choices that are equally easy for hackers to decipher.  That includes joining the word \u201cpassword\u201d itself with the name of the service (resulting in passwords like paypalpassword<\/em> or spotifypassword<\/em>), or using combinations of the names of your kids, parents, or pets. Those are specific to you, at least to some extent (you\u2019re probably not the only Jennifer or Jose to be born in the same year, or have a dog named Rex).  Any attacker who can see your social media accounts can guess those pretty easily. <\/p>\n\n\n\n

How to Calculate Password Entropy<\/h2>\n\n\n\n

Buckle up, we\u2019ve got math incoming!\u00a0 Don\u2019t worry, there are online password entropy calculators<\/a> available for this too, but first, we\u2019ll make our former math teachers happy and show our work.\u00a0 Fittingly, we\u2019ll draw on explanations from an award-winning former math teacher<\/a>.

The equation itself looks like this: E = log2<\/sub>(RL<\/sup>).\u00a0 In this equation E stands for Entropy, L is the length of your password, and R is the range of possible characters to choose from.\u00a0 So the RL<\/sup> in parentheses means your number of characters, to the power of the length of your password, which is the maximum possible number of combinations.\u00a0 The log2<\/sub> part means (deep breath) \u201chow many 2s you need to multiply to get the number in parentheses.\u201d\u00a0<\/p>\n\n\n\n

Let\u2019s pick an easy example to start with.  Suppose your PIN is any 2 of 4 possible numbers.  In this case (RL<\/sup>) is 42<\/sup>, or 4×4, which is 16 possible combinations.  The log2<\/sub> value of 16 is 4, because it\u2019s 2x2x2x2 (four 2s).  Entropy is measured in \u201cbits,\u201d so the entropy of this particular password is just 4 bits. That\u2019s laughably weak, of course, so let\u2019s look at an 8-letter password drawn from the 26 letters of the lowercase alphabet.  Those 26 letters to the 8th power give us 208,827,064,576 total possibilities.  The log2<\/sub> of 208,827,064,576 is 37.6 bits of entropy, which is a big improvement. <\/p>\n\n\n\n

Online security vendor Okta suggests aiming for passwords with <\/a>6<\/a>0 bits of entropy<\/a> or better, and our retired math teacher also considers 60 bits or higher to be adequate for banking <\/a>or other sensitive information.\u00a0 So let\u2019s try again, with a 10-letter password drawing on all 92 of the commonly-available characters.\u00a0 That gives us 43,438,845,422,363,213,824 possibilities, and 65.24 bits of entropy.\u00a0 Bingo!<\/p>\n\n\n\n

Real-world Password Entropy Depends on More than Math<\/h2>\n\n\n\n

Unfortunately, password entropy in any real-world sense depends on more than just the math.  In fact, the underlying math is the easy part.  Why?  Well, let\u2019s suppose the password for your Amazon account was \u201cAmAz0nP@ssword!\u201d.  That\u2019s 15 characters, and it includes upper- and lower-case letters, numerals, and a special character.  That\u2019s good, right?  Sadly it\u2019s not, because \u2013 as we\u2019ve already mentioned \u2013 it\u2019s made up of easily guessable words, with highly predictable substitutions.  It would look solid based on the math, but for practical purposes, its entropy is quite low.  Remember, it\u2019s a measure of randomness<\/em> and unpredictability<\/em>. <\/p>\n\n\n\n

This raises some fine points that aren\u2019t immediately obvious.\u00a0 One is that the math is only straightforward when all of the characters in your password are genuinely random (the kind you\u2019d get if they\u2019re generated by a password management app with a strong algorithm).\u00a0 It works differently if, say, six of those letters form a recognizable word, like Amazon, or even just a dictionary word.\u00a0 Those are easily guessed, and hackers can use what\u2019s called a \u201cdictionary attack<\/a>\u201d to guess them, so they may actually reduce<\/em> the security of your password.\u00a0<\/p>\n\n\n\n

So, are you better off using phrases of real words, or a jumble of random characters? The answer is \u201cit depends.\u201d\u00a0 Some random-character generators use well-known algorithms, which generate predictable outcomes that hackers can exploit.\u00a0 Yet, some combinations of words (a passphrase) can be harder for computers to guess than you\u2019d think.\u00a0 That\u2019s why there are so many techniques for creating stronger passwords, some of which (good news!) even make them easier for humans.\u00a0<\/p>\n\n\n\n

\"checking
Pexels<\/figcaption><\/figure>\n\n\n\n

How to Check Your Passwords for Strength and Safety<\/h2>\n\n\n\n

The theories behind those techniques are hard for experts to agree on, let alone for a layperson to grasp.\u00a0 If you\u2019re curious enough to take a quick look at some of the headache-inducing arguments involved, check out this explainer<\/a> by the creators of one password-entropy calculator, or the debate around a popular XKCD webcomic<\/a> on the subject of password strength.\u00a0\u00a0<\/p>\n\n\n\n

Rather than trying to master the underlying logic or technology (which is a graduate-level topic in itself), it\u2019s easier to do a few quick, simple tests. <\/p>\n\n\n\n