This month we are talking passwords.

Password strength is a measure of how well a password resists guessing, brute-force cracking, dictionary attacks and other common methods. Usually strength is measured by how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of its length, complexity, and unpredictability, and the measure used for it is called entropy.

Password entropy is based on the character set used (which can be expanded by mixing lowercase, uppercase, numbers and symbols) and on the password's length.

Password entropy is usually expressed in bits: a password that is already known has zero bits of entropy; one that would be guessed on the first attempt half the time has 1 bit of entropy. A password's entropy can be calculated by finding the entropy per character, which is the log base 2 of the size of the character set used, and multiplying it by the number of characters in the password. That calculation assumes every character was chosen uniformly at random from the set; a password a person chose is more predictable than that, so the figure it gives is an upper bound.

In the 2016 Australian Information Security Manual (Controls), the Australian Signals Directorate recommends:

• A minimum length of 13 alphabetic characters with no complexity requirement; or
• A minimum length of 10 characters, consisting of at least three of the following character sets:
– lowercase alphabetic characters (a–z)
– uppercase alphabetic characters (A–Z)
– numeric characters (0–9)
– special characters.

The "no complexity requirement" option is the interesting one, and here is why: entropy, not complexity, is your best defence. Let's look at some examples, using the table below as a guide:

  • < 28 bits = Very Weak; might keep out family members
  • 28 – 35 bits = Weak; should keep out most people, often good for desktop login passwords
  • 36 – 59 bits = Reasonable; fairly secure passwords for network and company passwords
  • 60 – 127 bits = Strong; can be good for guarding financial information
  • 128+ bits = Very Strong; often overkill
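The two pieces above, the length × log2(charset) formula and the strength table, put into code, as an added example (not from the original post or the checker it used). It also adds a second, per-word estimate for passwords built from dictionary words, which is the model an attacker running a dictionary attack actually works against. Two assumptions are made: the symbol class is counted as 10 characters so that a password using all four classes gets the same charset of 72 the post reports, and the attacker's word list is taken to be 7776 words, the size of the Diceware and EFF long lists. The word counts for the post's examples are supplied by hand.

```python
"""Password entropy estimates: the per-character model from the post beside
a per-word model for passphrases. Added example; the 10-symbol class and the
7776-word list are assumptions, see the comments."""
import math
import string

# Character classes and their sizes. The post's checker reports a charset of
# 72 for a password mixing all four classes (26 + 26 + 10 + 10), so the
# symbol class is assumed to be 10 characters to match it; a checker that
# counts all 32 ASCII punctuation marks would report 94 instead.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 10),  # assumed 10-symbol class, see above
)

# Word list size for the passphrase model: 7776 = 6**5 is the size of the
# classic Diceware list and of the EFF long list (assumed attacker dictionary).
WORDLIST_SIZE = 7776

# The post's strength table as upper-bound thresholds, so a fractional bit
# count such as 35.5 lands in the band below the next cut-off.
STRENGTH_BANDS = (
    (28, "Very Weak"),
    (36, "Weak"),
    (60, "Reasonable"),
    (128, "Strong"),
)


def class_index(ch: str) -> int:
    """Index of the character class `ch` belongs to; anything outside the
    four ASCII classes (space, non-ASCII letters) counts as a symbol."""
    for index, (members, _) in enumerate(CHARACTER_CLASSES):
        if ch in members:
            return index
    return len(CHARACTER_CLASSES) - 1


def charset_size(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    used = {class_index(ch) for ch in password}
    return sum(CHARACTER_CLASSES[i][1] for i in used)


def charset_entropy_bits(password: str) -> float:
    """The post's formula: length * log2(charset size). This is the entropy
    of a password drawn uniformly at random from that charset, so for a
    human-chosen password it is an upper bound."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def wordlist_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Per-word model: an attacker guessing whole words from a list of
    `wordlist_size` words needs about wordlist_size**word_count trials, so
    the passphrase carries word_count * log2(wordlist_size) bits. Still
    generous for a grammatical sentence, whose words are not independent."""
    if word_count <= 0:
        return 0.0
    return word_count * math.log2(wordlist_size)


def strength_label(bits: float) -> str:
    """Map a bit count onto the post's strength table."""
    for upper_bound, label in STRENGTH_BANDS:
        if bits < upper_bound:
            return label
    return "Very Strong"


def guess_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses, on average, password B costs than A:
    every extra bit doubles the attacker's work."""
    return 2.0 ** (bits_b - bits_a)


def report(password: str, word_count: int = 0) -> dict:
    """Both estimates side by side; word_count = 0 means the password is not
    a sequence of dictionary words, so only the character model applies."""
    char_bits = charset_entropy_bits(password)
    result = {
        "password": password,
        "length": len(password),
        "charset": charset_size(password),
        "char_bits": round(char_bits, 1),
        "char_label": strength_label(char_bits),
    }
    if word_count:
        word_bits = wordlist_entropy_bits(word_count)
        result["word_bits"] = round(word_bits, 1)
        result["word_label"] = strength_label(word_bits)
    return result


if __name__ == "__main__":
    # The post's four examples, with word counts assigned by hand.
    for pw, words in (("@Ndr3w1", 0), ("HorseChickenFloat", 3),
                      ("@HorseChickenFloat6", 3), ("ilikegoingtothefooty", 6)):
        print(report(pw, words))
    print(f"33 -> 77.8 bits is {guess_ratio(33, 77.8):.2e}x the guessing work")
```

Running it shows the gap between the two models: HorseChickenFloat scores about 96.9 bits (Strong) as 17 random letters but only about 38.8 bits (Reasonable) as three words from a 7776-word list. The character model is the right one for a password generated by a password manager; the word model is the honest one for anything built from words, and it is the reason a passphrase should use several unrelated words rather than a sentence anyone might write.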

Take a common approach users have to choosing passwords: a word or a name with some special characters added in. Sounds great, right? Say your name is Andrew and you choose the password:

@Ndr3w1

Easy to remember: check.
Special characters: check.
Uppercase: check.

Now we run some analysis on this password, and the checker reports its entropy and the size of the character set it draws on:

Entropy: 33 bits
Charset Size: 72 characters

(The simple length × log2(charset) formula above would give 7 × log2(72), about 43 bits; the checker is more conservative than that formula, and the same holds for all the figures that follow.)

How about:

HorseChickenFloat  – more than 13 characters, but easy to remember

Entropy: 76.4 bits
Charset Size: 52 characters

Up the ante a little more with @HorseChickenFloat6:

Entropy: 93.2 bits
Charset Size: 72 characters

Take this into a format that is really easy for your users to remember, drop the special characters and the upper/lower case juggling entirely, and try:

ilikegoingtothefooty

Entropy: 77.8 bits
Charset Size: 26 characters

All of a sudden users no longer need to write their passwords down, and those passwords have more than doubled in entropy: 77.8 bits against 33 bits for the shorter password with special characters and mixed case. Because every extra bit doubles the attacker's work, that is roughly 2^45, tens of trillions, times as many guesses. This may sound counter-intuitive, but it is great information to pass on to users in your security awareness training program. One caveat to pass on with it: the character-set figure assumes the attacker has to try every combination of characters, whereas a real attacker tries dictionary words and common phrases first, so a passphrase made of ordinary words is worth fewer bits than that figure suggests. Length still wins, but several unrelated words beat a sentence anyone might write.