Measuring the strength of a randomly selected password
Introduction
How many attempts would it take an attacker to guess a randomly selected password? How do we calculate and specify the strength of such a password? In order to answer these questions we will start by considering something called entropy.
Entropy
In IT security, password entropy is the amount of randomness in a password or how difficult it is to guess. The entropy of a password is typically stated in terms of bits. For example, a known password has zero bits of entropy, while a password with 1 bit of entropy would be guessed on the first attempt 50% of the time. Stated more generally, a password with x bits of entropy can be found in 2x attempts.
Calculating the entropy of a password
The entropy of a randomly selected password is based on its length and the entropy of each character. The entropy of each character is given by log-base-2 the size of the pool of characters the password is selected from - see the formula below:
entropy per character = log2(n) password entropy = l * entropy per character Where n is the pool size of characters and l is the length of the password.
Thus the entropy of a character selected at random from, say, the letters (a-z) would be log2 26 or 4.7 bits. The table below gives the entropy per character for a number of different sized character pools.
| Character Pool | Available Characters (n) | Entropy Per Character |
| digits | 10 (0-9) | 3.32 bits |
| case insensitive letters | 26 (a-z) | 4.7 bits |
| case sensitive letters and digits | 62 (A-Z, a-z,0-9) | 5.95 bits |
| all standard keyboard characters | 94 | 6.55 bits |
So, from the table above, we can see that a 20 character password chosen at random from the keyboard's set of 94 printable characters would have more than 128 bits (6.55 * 20) of entropy. A password with this much entropy is infeasible to break by brute force (exhaustively working through all possible character combinations).
We can see how both the pool size of available characters and the password length affect the strength of the password; and that long random passwords are extremely strong. While these types of passwords may be used by, say, one computer to authenticate to another computer, they are not much use to humans. Humans are notoriously bad at remembering passwords. A difficult to remember password will have adverse effect on security because the user will need to write it down somewhere - typically on a Post-it Note near to their computer.
User selected passwords
For many situations, the practical approach is to ask the user to select a memorable password that meets a number of criteria designed to increase the entropy of the password. We will look at guidelines for improving the strength of user selected passwords in a future article.
More Articles