Password Strength – What matters most?

When choosing a password for a site, what’s the most important criterion?

Some sites require a number and a capital letter, while other sites require a special character. Yet other sites dictate a minimum length, while others limit the maximum length. (!)

What matters the most when it comes to password strength is entropy – that is, the randomness of your password and how difficult it is to guess.

Entropy is often measured in terms of bits. Here’s an example:

Let’s say your password is made up of lower case letters and is 6 characters long. Since there are 26 letters, the number of possible combinations is 26^6 = 308915776, or a little over 300 million.

To find the amount of entropy in bits, we take the base-2 logarithm of that number. In this case the value would be 28.20, which means 2^28.20 = 308915776. If you’re not familiar with logarithms, don’t worry; just know that more entropy means more randomness, which is good.

Our 6 character password above might seem like it has a lot of randomness, but a modern computer can make millions of guesses per second. A password like the one above would be cracked in less than a second.

So, if we want to make our password more random, we can do two things: make it longer, or increase the number of possible characters (by including capital letters, numbers, and special characters).

If we use 6 characters but allow capital letters as well, that increases the amount of entropy to 34.2 bits. The bad news is that it would still take less than a second to crack.

Most sites require at least 8 characters for a password, but even those can be cracked in a few minutes to a few hours.

To make sure you have enough randomness, sites require you to include numbers and special characters. While that does increase randomness in theory, the reality is that everyone just puts an exclamation point at the end of their password. So instead of “pa#sswor;d” you get “password!” Not exactly hard to guess.

The truth is that when it comes to password randomness, length is far more important than anything else.

The table below shows the bits of entropy (rounded to the nearest whole number) for different password lengths, as a function of whether you use lower case letters only, lower case and upper case, numbers, and special characters. Many sites limit the available special characters you can use, so we took the number of possible choices to be 20.

| # of characters | Lower case | Lower + upper case | Lower + upper case + numbers | Lower + upper case + numbers + special characters |
|---|---|---|---|---|
| 8 | 38 | 46 | 48 | 49 |
| 10 | 47 | 57 | 60 | 62 |
| 12 | 56 | 68 | 72 | 74 |
| 14 | 66 | 80 | 83 | 86 |
| 16 | 75 | 91 | 95 | 99 |
| 18 | 85 | 103 | 107 | 111 |
| 20 | 94 | 114 | 119 | 123 |
| 22 | 103 | 125 | 131 | 136 |
| 24 | 113 | 137 | 143 | 148 |
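The entropy calculation from the worked example and the table above, as an added Python example that is not part of the original post: it computes length × log2(alphabet size) for the post’s character sets, regenerates the table rows, and converts bits to an exhaustive-search time at an assumed (hypothetical) guess rate. The number of permitted special characters is a parameter, since it varies by site.

```python
import math


def charsets(n_special=20):
    """Alphabet sizes used in the post: 26 lower case, 52 mixed case, 62 with
    digits, plus an assumed number of special characters (the post uses 20)."""
    return {
        "lower": 26,
        "lower+upper": 52,
        "lower+upper+digits": 62,
        "lower+upper+digits+special": 62 + n_special,
    }


def combinations(alphabet_size, length):
    """Number of possible passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy in bits when every character is chosen uniformly at random
    from the alphabet: log2(alphabet_size ** length) = length * log2(size).
    A human-chosen password such as "password!" has far less than this."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits, guesses_per_second=1e10):
    """Seconds to try every candidate in a space of 2**bits passwords at an
    assumed guess rate (hypothetical value); on average half that suffices."""
    return 2.0 ** bits / guesses_per_second


def entropy_table(lengths=range(8, 25, 2), n_special=20):
    """Rows of (length, bits per character set ...), rounded to whole bits."""
    sizes = charsets(n_special).values()
    return [(n, *(round(entropy_bits(s, n)) for s in sizes)) for n in lengths]


if __name__ == "__main__":
    print(f"{'len':>4} " + " ".join(f"{k:>28}" for k in charsets()))
    for row in entropy_table():
        print(f"{row[0]:>4} " + " ".join(f"{b:>28}" for b in row[1:]))
    bits = entropy_bits(52, 10)
    print(f"\n10 mixed-case characters: {bits:.1f} bits, about "
          f"{crack_time_seconds(bits) / 86400:.0f} days at 1e10 guesses/s")
```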

As you can see from the table, entropy increases rapidly with password length. An 8-character password that uses numbers and special characters has only slightly more entropy than a 10-character password with lower case letters only, and far less entropy than a 10-character password with upper and lower case letters only. With 57 bits of entropy, the time to crack such a password jumps up to a month.

Once you get above 60 bits of entropy, the time to crack a password becomes prohibitively long. A 12-character password that uses numbers and special characters would take tens of thousands of years to crack. For a 24-character password, it’s more like the age of the universe… times a million.

So the next time your bank wants you to use 8 characters for your password, and the password strength meter turns green when you add that exclamation point at the end, just remember that length matters!