Password entropy predicts how difficult a given password would be to crack through guessing, brute force cracking, dictionary attacks or other common methods. Entropy essentially measures how many guesses an attacker will need to make to guess your password.
As computing power increases, the amount of time required to guess passwords decreases, in many cases significantly especially when looking at multi core/threaded applications, or the use of GPUs. Therefore we must make certain assumptions at the time of a given calculation as to number of guesses per second a computer can make as this will vary over time.
In general, we look at how many guesses it takes by assuming how many options there might be.
The Number of Possibilities
In general, there are two fields that are used to calculate the number of possible guesses. The length of the password (which we will call L) and the number of possible characters (which we will call P – for possible characters).
The number of possible passwords is a simple matter of P raised to the L, or N = PL.
Measuring L is easy. Simply count the number of characters in your password. That number is L. Most systems require passwords to be at least 8 characters long. Some have higher requirements such as 10 or 12. One place I worked, they required people with server access to have at least 15 character passwords.
P is a little more difficult. It is not the number of characters used, but rather the number of potential characters.
If you chose only lower case letters – you would have a-z, or 26 characters. Add capitalization and you get 52 possibilities.
If you add numbers (10 more) and other printable characters (33 characters) you have have up to 95 characters that are ASCII printable and can be used in a password.
Testing Some Theories
Almost every system requires you to have a certain length of password, and have certain characters, such as upper, lower, number, and “special” characters to give you a large pool. But is a larger pool better, or is a longer password. Let’s test it.
Consider a password with 8 characters, and upper and lower case letters only being used.
L = 8
P = 52
// therefore
pow(52, 8) // 53,459,728,531,456 possible combinations
// entropy
log2(5^28) // 45.60 bits of entropy
That’s a lot of possible combinations – however, it would take an estimated 36 days or less to crack a random set of characters of that complexity.
So lets look at how long it would take to crack a password, if we include numbers in that list.
L = 8 // still
P = 62 // a-z,A-z,0-9
//therefore
pow(62,8) // 218,340,105,584,896 possible password combinations
Notice how that is a lot larger number of combinations, however, it should only take about 148 days to crack that password.
So now let’s add a special character
L = 8 // still
P = 95 // a-z,A-z,0-9,<special characters>
//therefore
pow(62,8) // 2,044,140,858,654,976 possible password com
Now we are over 3 years to crack the password. Much better, but still not great.
Now let’s look at adding two extra characters (so there is ten) but only using the alphabet.
L = 10
P = 52 // a-z, A-Z
// therefore
pow(52, 10) // 144,555,105,949,057,020 possible password combinations
Just adding two characters takes us to almost 269 years to crack that password.
Results
Adding to the pool of characters makes a password harder to crack, but it doesn’t do it as well as making the password longer.
Both have a similar problem – that is, it makes the password harder to remember. Smart people look to using pass phrases – collections of random words (CorrectHorseBatteryStaple), or acronyms (My Favorite Show has yet to be Seen in 2022! would yield MFShy2bSn22) to improve the complexity.
Calculating a Password’s Strength was originally found on Access 2 Learn