Summary
We all know the annoyance of creating a new account online: you enter the password you want, and then the service bugs you about minimum length and using special characters. There’s a reason you’re being pushed to do this, though, and in this article I’ll go over why you need a long password.
The short answer is password entropy. That term sounds way more complicated than it really is unless you’re familiar with cryptography, so let’s take a look at what password entropy is.

What’s Password Entropy?
Password entropy is a measure of how unpredictable and random your password is. Password entropy is measured in bits, the basic unit for measuring information in computing. More bits is better, with most experts agreeing that entropy should be at least 64 bits, though that number is controversial. A higher entropy means your password is more random. When it comes to securing things, random is good.
Let’s explain that a bit. When an attacker wants to get into your online account or device, they’ll usually attack the password since it’s often the only thing securing it, unless you have two-factor authentication (2FA) switched on. Since many people don’t bother with 2FA, this turns passwords into what’s called a single point of failure.
The best way to attack a password is through a dictionary attack, which is a program that will attempt to “guess” a password by going through common words and phrases. It’s almost literally throwing the book at your password, going through the entire dictionary and also common variations. Once the password is guessed, the attacker has access.
Brute Force and Randomness
Dictionary attacks are the definition of brute force, throwing digital muscle at a problem until it’s fixed. They’re effective though, with most attacks cracking a simple password in seconds (cybersecurity firm Hive Systems maintains a few tables with details on this).
As dictionary attacks thrive on predictability (words that already exist), it stands to reason that the only good way to stymie them is to add randomness to passwords. Many people kind of know this, which is why they add a few symbols to their existing passwords to create things like “p@ssword” or “password123.”
However, this doesn’t work as it’s not random. Attackers can easily account for a change like this, and it will take them maybe a nanosecond longer to gain access to an account. For something to be closer to truly random, you have to take humans out of the equation entirely and use a computer to create a random password. The best password managers, programs that create and store passwords for you, have this functionality built in.
How Entropy Affects Password Length
Greater entropy creates better passwords, but what exactly makes for better entropy? There are four factors to take into consideration:
All of these are important, but length plays a special role, one we need some math to explain.
How to Calculate Password Entropy
As said earlier, entropy can be measured, which means it can also be calculated. The formula for this is:
Once we break it down, this formula isn’t too scary, but we do need to go over range. When using a regular US keyboard layout, you have 26 letters. If you were to create a password using only lowercase letters, your range is then 26. If we use an entropy calculator assuming a length of eight characters, that gives us an entropy of 37.60 bits, which is terrible.
If we add uppercase letters, we double the range to 52, since uppercase letters count as separate characters for our purposes. This gives you an entropy score of 45.60 bits. That’s still not great, but we’re getting there.
If we add the digits 0-9 we come to a range of 62, and then once we add the 33 symbol keys, our range is increased to 95. Using just 8 characters, that gives us an entropy score of 52.56 bits, still well below the cutoff of 64 bits. The only other way to further increase your entropy is to make the password longer.
What Should Be Your Minimum Password Length?
The question that remains is how long the password should be. For that, we need to decide how many bits of entropy we want. While 64 is the common answer, with the speed of advancement of cracking technology, something mentioned in the Hive Systems article, we may want to err on the side of caution and aim for 100 bits of entropy.
With that in mind, we can reverse the formula and come up with a 16-character length, assuming we’re using all 95 characters. This gives us an entropy of 105.12 bits. 15 characters should also work as that gives us 98.55 bits, but lower than that will bring you into dangerous territory. Of course, if you’re working with fewer than 95 characters, you’ll need to use a longer password anyway.
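As an added illustration that is not part of the original article, the Python script below reproduces the figures above and reverses the calculation to find the minimum length for a target. It assumes the standard definition, entropy = length × log2(range), and the same character-class sizes the article uses (26 + 26 + 10 + 33 = 95); the `nominal_entropy` helper is included to show why the formula describes only randomly generated passwords.

```python
import math
import string

# Character-class sizes on a standard US keyboard, as the article counts them
# (26 + 26 + 10 + 33 = 95); space is counted among the symbols.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
CHARSET_MEMBERS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation) | {" "},
}
ALL_CLASSES = set(CHARSET_SIZES)

def password_range(classes):
    """Pool size a password is drawn from, e.g. {"lower", "upper"} -> 52."""
    return sum(CHARSET_SIZES[c] for c in classes)

def entropy_bits(length, char_range):
    """Entropy of a uniformly random password: length * log2(range)."""
    if length <= 0 or char_range <= 1:
        return 0.0
    return length * math.log2(char_range)

def min_length_for(target_bits, char_range):
    """The formula reversed: shortest length whose entropy reaches target_bits."""
    if char_range <= 1:
        raise ValueError("range must be at least 2")
    return math.ceil(target_bits / math.log2(char_range))

def classes_used(password):
    """Character classes a password draws on."""
    return {name for name, members in CHARSET_MEMBERS.items()
            if any(ch in members for ch in password)}

def nominal_entropy(password):
    """Bits the formula assigns from length and classes alone. Only meaningful
    for randomly generated passwords: "p@ssword" scores ~47 bits here yet falls
    to a dictionary attack at once, since the attacker never searches the range."""
    return entropy_bits(len(password), password_range(classes_used(password)))

if __name__ == "__main__":
    for length, classes in [(8, {"lower"}), (8, {"lower", "upper"}),
                            (8, ALL_CLASSES), (16, ALL_CLASSES)]:
        r = password_range(classes)
        print(f"{length} chars, range {r}: {entropy_bits(length, r):.2f} bits")
    print(f"100 bits at range 95 needs {min_length_for(100, 95)} characters")
    print(f'"p@ssword" is nominally {nominal_entropy("p@ssword"):.2f} bits')
```

Running it prints the 37.60, 45.60, 52.56 and 105.12 bit figures from the article, and shows that "p@ssword" is rated around 47 bits by length and class alone despite being a dictionary entry.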