Bits of Entropy - The Importance of Complex Passwords

by Kristian, on 22/11/2018 11:42:00 AM

Passwords are obviously required to keep your online accounts and data safe, but how strong is your password? The idea of a strong password can be hard to quantify, and most places require your password to meet some requirements. It's common to see a rule such as "Your password must contain characters from three of the following categories" before you are allowed to set a password. These requirements are in place to raise the entropy of a password and make it much harder for an attacker to guess it.


Brute force attacks

A common way to break passwords on a user account is to use a "brute force" method. This involves setting up an automated script to literally attempt all possible combinations of characters for that password. An example of this might be to start with "a", then "b", then "c" and continue until "z", at which point the program would try "aa", then "ab" and so on. Eventually, this script would find all passwords that are strictly lower case alphabetical characters. We can now measure the strength of a password as the number of guesses it would take to guarantee we guess the password, assuming we know the character set the password uses. This measurement is known as bits of entropy.

A password that is already known has zero bits of entropy. A password that requires at most 2 guesses to find has 1 bit of entropy. A password with n bits of entropy would require 2^n guesses to guarantee that password will be found. For some context, it's realistic that a normal person with a single graphics card on their computer can guess about 2^49 passwords per day. Someone with a data mining system might be able to get 2^55 passwords or possibly more, depending on their hardware. (Note: these numbers are based on GPU hash breaking and require a data dump of password hashes. Web based brute forcing would be much slower.)

 

An example

The password "Summer2017" is 10 characters long and uses upper-case letters, lower-case letters and digits. The size of the character set for this password is 26 (upper case) + 26 (lower case) + 10 (numbers) = 62 characters. This means the number of guesses needed to guarantee we find the password is 62^10. This number is about equal to 2^59.5, and so "Summer2017" has 59.5 bits of entropy. For those interested in maths, the bits of entropy are calculated as e = L * log2(C) (equivalently L * log(C)/log(2)), where L is the length of the password and C is the size of the character set.
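The calculation above, written out as an added example (not code from the original post): it infers the character set from the classes a password uses, applies e = L * log2(C), and converts the result into days of brute forcing at the post's single-GPU rate of 2^49 guesses per day. The symbol class is assumed to be the 32 ASCII punctuation characters plus space, which gives the 95 printable characters the post's "wUm09n#i4" figure implies.

```python
import math
import string

# Character classes as the post describes them; the symbol class is assumed
# to be ASCII punctuation plus space (33 chars), so all four classes total 95.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation) | {" "},
}

GUESSES_PER_DAY_GPU = 2 ** 49  # one consumer graphics card, per the post


def charset_size(password: str) -> int:
    """Size of the union of every class the password draws at least one character from."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no characters from a known class")
    return size


def bits_of_entropy(password: str) -> float:
    """e = L * log2(C): length times log2 of the character-set size."""
    return len(password) * math.log2(charset_size(password))


def days_to_exhaust(password: str, guesses_per_day: int = GUESSES_PER_DAY_GPU) -> float:
    """Days needed to try every combination in the inferred character set."""
    return 2 ** bits_of_entropy(password) / guesses_per_day


if __name__ == "__main__":
    for pw in ("Summer2017", "wUm09n#i4"):
        print(f"{pw!r}: C={charset_size(pw)}, {bits_of_entropy(pw):.1f} bits, "
              f"{days_to_exhaust(pw):.0f} days to exhaust on one GPU")
```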

Clearly having a higher number of bits of entropy indicates a stronger password. But why is "Summer2017" a terrible password and "wUm09n#i4", with 59.1 bits of entropy, a good password when they both have roughly the same bits of entropy? Enter the dictionary attack.

 

Dictionary attacks

A dictionary attack involves taking a list of common passwords and generating variations of them, instead of brute forcing every combination. Lists of millions of leaked passwords can be found online, and these are usually the starting point for an attacker attempting to gain access. From the example above, "Summer2017" is an extremely common password, found on almost every list you can find for attacking passwords. It doesn't matter how many bits of entropy a password contains if it's on a dictionary of common passwords, as these are usually tried first. The password "wUm09n#i4" will not be on any of these lists and, as such, will only be reached much later in the guessing order, making it inherently stronger.


Crafting a password

Creating a memorable and secure password for every account is impractical and can be skipped altogether by using a password manager. LastPass, 1Password, KeePass, and Dashlane are some examples of password-managing software that encrypt and store your passwords for each account. This allows you to use truly random passwords with high bits of entropy, and you only need to remember a master password. For generating a master password, a good starting point is to pick three random words from a dictionary. With a dictionary of 350,000 words, our character set effectively becomes 350,000. I'll take "checkered", "waving", and "spider". These three are easy to remember, and simply joining them into "checkeredwavingspider" already gives 56 bits of entropy (length of 3 in a character set of 350,000). To increase this further, I'll change the second character of each word, and add a symbol as a separator between words: "cHeckered!wAving;sPider". This password now draws from the full set of printable characters, is 23 characters in length, and won't be found on any attacker's word lists, giving a total of 150 bits of entropy. It's easier to remember than completely random characters and is almost impossible to guess.
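An added example (not from the original post) that ties the dictionary-attack section to the passphrase recipe above: if a password sits in the attacker's list, the guesses needed are just its position in that list, so its effective entropy collapses to log2(position) no matter what the character-set formula says; the passphrase functions then reproduce the 3-word entropy figure and the post's "second character plus separator" mutation. The common-password list is a constructed sample, ordered most common first.

```python
import math
from itertools import cycle

# Constructed sample of an attacker's "common passwords" list, most common first.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "Summer2017", "letmein",
    "Welcome1", "Password1", "iloveyou",
]


def effective_bits(password: str, common: list, charset_bits: float) -> float:
    """A listed password falls on guess number `position`, so it has only
    log2(position) bits; otherwise fall back to the character-set estimate."""
    if password in common:
        position = common.index(password) + 1  # 1-based guess number
        return math.log2(position)
    return charset_bits


def passphrase_bits(word_count: int, dictionary_size: int = 350_000) -> float:
    """Words drawn uniformly from a dictionary: L = word_count, C = dictionary_size."""
    return word_count * math.log2(dictionary_size)


def capitalise_second(word: str) -> str:
    """The post's mutation: upper-case the second character of each word."""
    return word[:1] + word[1:2].upper() + word[2:]


def build_passphrase(words, separators=("!", ";")) -> str:
    """Join the mutated words with a rotating symbol separator."""
    seps = cycle(separators)
    out = capitalise_second(words[0])
    for w in words[1:]:
        out += next(seps) + capitalise_second(w)
    return out


if __name__ == "__main__":
    # "Summer2017" is 4th in the list: 2 bits, not the 59.5 the formula gives.
    print(effective_bits("Summer2017", COMMON_PASSWORDS, 59.5))
    print(round(passphrase_bits(3), 1))  # three words from 350,000
    print(build_passphrase(["checkered", "waving", "spider"]))
```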

Strong passwords are the first layer in safeguarding your online presence. However, there is still a chance that your password can be leaked through social engineering, keylogging, or plaintext data dumps, among other ways. It's important, then, to have multiple layers of online authentication. The next step is to set up multifactor authentication, particularly for external and privileged access - https://news.securitycentric.com.au/why-multi-factor-authentication-is-worthwhile
