Key Takeaways
- Password entropy measures randomness, with higher bits needed for a secure password.
- Dictionary attacks & brute force cracking are common methods. Adding randomness thwarts attackers.
- Entropy depends on password length, characters, and case usage—best aim for 16-character passwords.
We all know the annoyance of creating a new account online: you enter the password you want, and then the service bugs you about minimum length and using special characters. There’s a reason you’re being pushed to do this, though, and in this article I’ll go over why you need a long password.
The short answer is password entropy. That term sounds way more complicated than it really is unless you’re familiar with cryptography, so let’s take a look at what password entropy is.
What’s Password Entropy?
Password entropy is a measure of how unpredictable and random your password is. Password entropy is measured in bits, the basic unit for measuring information in computing. More bits is better, with most experts agreeing that entropy should be at least 64 bits, though that number is controversial. A higher entropy means your password is more random. When it comes to securing things, random is good.
Let’s explain that a bit. When an attacker wants to get into your online account or device, they’ll usually attack the password since it’s often the only thing securing it, unless you have two-factor authentication (2FA) switched on. Since many people don’t bother with 2FA, this turns passwords into what’s called a single point of failure.
The best way to attack a password is through a dictionary attack, which is a program that will try to “guess” a password by going through common words and phrases. It’s almost literally throwing the book at your password, going through the entire dictionary and also common variations. Once the password is guessed, the attacker has access.
Brute Force and Randomness
Dictionary attacks are the definition of brute force, throwing digital muscle at a problem until it’s fixed. They’re effective though, with most attacks cracking a simple password in seconds (cybersecurity firm Hive Systems maintains a few tables with details on this).
As dictionary attacks thrive on predictability (words that already exist), it stands to reason that the only good way to stymie them is to add randomness to passwords. Many people kind of know this, which is why they add a few symbols to their existing passwords to create things like “p@ssword” or “password123.”
However, this doesn’t work as it’s not random. Attackers can easily account for a change like this, and it will take them maybe a nanosecond longer to gain access to an account. For something to be closer to truly random, you have to take humans out of the equation entirely and use a computer to create a random password. The best password managers, programs that create and store passwords for you, have this functionality built in.
How Entropy Affects Password Length
Greater entropy creates better passwords, but what exactly makes for better entropy? There are four factors to take into consideration:
- Length of the password
- Use of special characters
- Use of uppercase characters
- Use of numbers
All of these are important, but length plays a special role, one we need some math to explain.
How to Calculate Password Entropy
As said earlier, entropy can be measured, which means it can also be calculated. The formula for this is:
E = log2(RL)
- E stands for entropy, and is the result once we calculate it. Higher is better.
- L is the length of the password, so how many characters it has.
- R is range, how many characters you have at your disposal, which I’ll explain in a bit.
- log2 is a mathematical formula which can calculate the bits needed—for our purposes we don’t really need to understand it.
Once we break it down, this formula isn’t too scary, but we do need to go over range. When using a regular US keyboard layout, you have 26 letters. If you were to create a password using only lowercase letters, your range is then 26. If we use an entropy calculator assuming a length of eight characters, that gives us an entropy of 37.60 bits, which is terrible.
If we add uppercase letters, we double your range to 52 as uppercase letters count as separate for our purposes. This gives you an entropy score of 45.60 bits. That’s still not great, but we’re getting there.
If we add the digits 0-9 we come to a range of 62, and then once we add the 33 symbol keys, our range is increased to 95. Using just 8 characters, that gives us an entropy score of 52.56 bits, still well below the cutoff of 64 bits. The only other way to further increase your entropy is to make the password longer.
What Should Be Your Minimum Password Length?
The question then remains is how long the password should be. For that, we need to decide how many bits of entropy we want. While 64 is the common answer, with the speed of advancement of cracking technology, something mentioned in the Hive Systems article, we may want to err on the side of caution and aim for 100 bits of entropy.
With that in mind, we can reverse the formula and come up with 16-character length, assuming we’re using all 95 characters. This gives us an entropy of 105.12 bits. 15 characters should also work as that gives us 98.55 bits, but lower than that will bring you into dangerous territory. Of course, if you’re working with fewer than 95 characters, you’ll need to use a longer password anyway.