Password strength
Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the factors. The first factor is the main focus in this article.
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secured with relatively simple passwords. However, the system must store information about the user's passwords in some form and if that information is stolen, say by breaching system security, the user's passwords can be at risk.
In 2019, the United Kingdom's NCSC analysed public databases of breached accounts to see which words, phrases and strings people used. Top of the list was 123456, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while the top five included "qwerty", "password" and 1111111.
Password creation
Passwords are created either automatically or by a human; the latter case is more common. While the strength of randomly chosen passwords against a brute-force attack can be calculated with precision, determining the strength of human-generated passwords is challenging.Typically, humans are asked to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or Internet Web site. Only rough estimates of strength are possible, since humans tend to follow patterns in such tasks, and those patterns can usually assist an attacker. In addition, lists of commonly chosen passwords are widely available for use by password guessing programs. Such lists include the numerous online dictionaries for various human languages, breached databases of plaintext and hashed passwords from various online business and social accounts, along with other common passwords. All items in such lists are considered weak, as are passwords that are simple modifications of them. For some decades, investigations of passwords on multi-user computer systems have shown that 40% or more are readily guessed using only computer programs, and more can be found when information about a particular user is taken into account during the attack.
Password guess validation
Systems that use passwords for authentication must have some way to check any password entered to gain access. If the valid passwords are simply stored in a system file or database, an attacker who gains sufficient access to the system will obtain all user passwords, giving the attacker access to all accounts on the attacked system, and possibly other systems where users employ the same or similar passwords. One way to reduce this risk is to store only a cryptographic hash of each password instead of the password itself. Standard cryptographic hashes, such as the Secure Hash Algorithm series, are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password. However, knowledge of the hash value lets the attacker quickly test guesses offline. Password cracking programs are widely available that will test a large number of trial passwords against a purloined cryptographic hash.Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. For example, in 2010, the Georgia Tech Research Institute developed a method of using GPGPU to crack passwords much faster. Elcomsoft invented the usage of common graphic cards for quicker password recovery in August 2007 and soon filed a corresponding patent in the US. By 2011, commercial products were available that claimed the ability to test up to 112,000 passwords per second on a standard desktop computer, using a high-end graphics processor for that time. Such a device will crack a 6 letter single-case password in one day. Note that the work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable GPUs. Special key stretching hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not.
Another situation where quick guessing is possible is when the password is used to form a cryptographic key. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. For example, one commercial product claims to test 103,000 WPA PSK passwords per second.
If a password system only stores the hash of the password, an attacker can pre-compute hash values for common passwords variants and for all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can be efficiently stored using rainbow tables. This method of attack can be foiled by storing a random value, called a cryptographic salt, along with the hash. The salt is combined with the password when computing the hash, so an attacker precomputing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Unfortunately, many authentication systems in common use do not employ salts and rainbow tables are available on the Internet for several such systems.
Entropy as a measure of password strength
It is usual in the computer industry to specify password strength in terms of information entropy which is measured in bits and is a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is commonly referred to as the number of "entropy bits" in a password, though this is not exactly the same quantity as information entropy. A password with an entropy of 42 bits calculated in this way would be as strong as a string of 42 bits chosen randomly, for example by a fair coin toss. Put another way, a password with an entropy of 42 bits would require 242 attempts to exhaust all possibilities during a brute force search. Thus, by increasing the entropy of the password by one bit the number of guesses required doubles, making an attacker's task twice as difficult. On average, an attacker will have to try half the possible number of passwords before finding the correct one.Random passwords
Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set, syllables designed to form pronounceable passwords, or even words from a word list.The strength of random passwords depends on the actual entropy of the underlying number generator; however, these are often not truly random, but pseudorandom. Many publicly available password generators use random number generators found in programming libraries that offer limited entropy. However most modern operating systems offer cryptographically strong random number generators that are suitable for password generation. It is also possible to use ordinary dice to generate random passwords. See stronger methods. Random password programs often have the ability to ensure that the resulting password complies with a local password policy; for instance, by always producing a mix of letters, numbers and special characters.
For passwords generated by a process that randomly selects a string of symbols of length, L, from a set of N possible symbols, the number of possible passwords can be found by raising the number of symbols to the power L, i.e. NL. Increasing either L or N will strengthen the generated password. The strength of a random password as measured by the information entropy is just the base-2 logarithm or log2 of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy, H, is given by the formula:
where N is the number of possible symbols and L is the number of symbols in the password. H is measured in bits. In the last expression, log can be to any base.
A binary byte is usually expressed using two hexadecimal characters.
To find the length, L, needed to achieve a desired strength H, with a password drawn randomly from a set of N symbols, one computes:
rounded up to the next largest whole number.
The following table uses this formula to show the required lengths of truly randomly generated passwords to achieve desired password entropies for common symbol sets:
Human-generated passwords
People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits. Some stage magicians exploit this inability for amusement, in a minor way, by divining supposed random choices made by audience members.Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. A uniform distribution would have had each character being used about 900,000 times. The most common number used is "1", whereas the most common letters are a, e, o, and r.
Users rarely make full use of larger character sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.
The full strength associated with using the entire ASCII character set is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps upper and lower case letters, numbers, and non-alphanumeric characters. In fact, such a requirement is a pattern in password choice and can be expected to reduce an attacker's "work factor". This is a reduction in password "strength". A better requirement would be to require a password NOT to contain any word in an online dictionary, or list of names, or any license plate pattern from any state or country. If patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character. This predictability means that the increase in password strength is minor when compared to random passwords.
NIST Special Publication 800-63-2
Special Publication 800-63 of June 2004 suggested a scheme to approximate the entropy of human-generated passwords:Using this scheme, an eight-character human-selected password without upper case characters and non-alphabetic characters OR with either but of the two character sets is estimated to have 18 bits of entropy. The NIST publication concedes that at the time of development, little information was available on the real world selection of passwords. Later research into human-selected password entropy using newly available real world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords. The June 2017 revision of SP 800-63 drops this approach.
Usability and implementation considerations
Because national keyboard implementations vary, not all 94 ASCII printable characters can be used everywhere. This can present a problem to an international traveler who wished to log into remote system using a keyboard on a local computer. See keyboard layout. Many hand held devices, such as tablet computers and smart phones, require complex shift sequences or keyboard app swapping to enter special characters.Authentication programs vary in which characters they allow in passwords. Some do not recognize case differences, others prohibit some of the other symbols. In the past few decades, systems have permitted more characters in passwords, but limitations still exist. Systems also vary in the maximum length of passwords allowed.
As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk. In contrast, others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to Bruce Schneier, most people are good at securing their wallets or purses, which is a "great place" to store a written password.
Required bits of entropy
The minimum number of bits of entropy needed for a password depends on the threat model for the given application. If key stretching is not used, passwords with more entropy are needed. RFC 4086, "Randomness Requirements for Security", presents some example threat models and how to calculate the entropy desired for each one. Their answers vary between 29 bits of entropy needed if only online attacks are expected, and up to 96 bits of entropy needed for important cryptographic keys used in applications like encryption where the password or key needs to be secure for a long period of time and stretching isn't applicable. A 2010 Georgia Tech Research Institute study based on unstretched keys recommended a 12-character random password, but as a minimum length requirement.. Keep in mind that computing power continues to grow, so to prevent offline attacks the required bits of entropy should also increase over time.The upper end is related to the stringent requirements of choosing keys used in encryption. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware. In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days. As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer will be capable of breaking 256-bit encryption via a brute-force attack. Whether or not quantum computers will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.
Guidelines for strong passwords
Common guidelines
Guidelines for choosing good passwords are typically designed to make passwords harder to discover by intelligent guessing. Common guidelines advocated by proponents of software system security include:- Use a minimum password length of 10 or more characters if permitted.
- Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
- Generate passwords randomly where feasible.
- Avoid using the same password twice.
- Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences.
- Avoid using information that is or might become publicly associated with the user or the account, such as username, ancestors' names or dates.
- Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relative or pet names, romantic links and biographical information..
- Do not use passwords which consist wholly of any simple combination of the aforementioned weak components.
The possible character set for a password can be constrained by different web sites or by the range of keyboards on which the password must be entered.
Examples of weak passwords
As with any security measure, passwords vary in effectiveness ; some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation may cost a password cracking device a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds.:- Default passwords : password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., including words in non-English dictionaries.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be tested automatically with little additional effort. For example, a domain administrator password compromised in the DigiNotar attack was reportedly Pr0d@dm1n.
- Doubled words: crabcrab, stopstop, treetree, passpass, etc.
- Common sequences from a keyboard row: qwerty, 123456, asdfgh, fred, etc.
- Numeric sequences based on well known numbers such as 911 , 314159... , 27182... , 112 , etc.
- Identifiers: jsmith123, 1/1/1970, 555–1234, one's username, etc.
- Weak passwords in non-English languages, such as contraseña and ji32k7au4a83
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of a person's details.
- Dates: dates follow a pattern and make your password weak.
Rethinking password change guidelines
In December, 2012, William Cheswick wrote an article published in ACM magazine that included the mathematical possibilities of how easy or difficult it would be to break passwords that are constructed using the commonly recommended, and sometimes followed, standards of today. In his article, William showed that a standard eight character alpha-numeric password could withstand a brute force attack of ten million attempts per second, and remain unbroken for 252 days. Ten million attempts each second is the acceptable rate of attempts using a multi-core system that most users would have access to. A much greater degree of attempts, at the rate of 7 billion per second, could also be achieved when using modern GPUs. At this rate, the same 8 character full alpha-numeric password could be broken in approximately 0.36 days. Increasing the password complexity to a 13 character full alpha-numeric password increases the time needed to crack it to more than 900,000 years at 7 billion attempts per second. This is, of course, assuming the password does not use a common word that a dictionary attack could break much sooner. Using a password of this strength reduces the obligation to change it as often as many organizations require, including the U.S. Government, as it could not be reasonably broken in such a short period of time.Password policy
A password policy is a guide to choosing satisfactory passwords. It is intended to:- assist users in choosing strong passwords
- ensure the passwords are suited to the target population
- provide recommendations for users with regard to the handling of their passwords
- impose a requirement to change any password which has been lost or compromised, and perhaps that no password be used longer than a limited time
- prescribe the pattern of characters which passwords must contain
- use a password blacklist to block the usage of weak or easily guessed passwords.
- If the time to crack a password is estimated to be 100 days, password expiration times fewer than 100 days may help ensure insufficient time for an attacker.
- If a password has been compromised, requiring it to be changed regularly should limit the access time for the attacker.
- Asking users to change passwords frequently encourages simple, weak passwords.
- If one has a truly strong password, there is little point in changing it. Changing passwords which are already strong introduces risk that the new password may be less strong.
- A compromised password is likely to be used immediately by an attacker to install a backdoor, often via privilege escalation. Once this is accomplished, password changes won't prevent future attacker access.
- Moving from never changing one's password to changing the password on every authenticate attempt only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack. One gains much more security by just increasing the password length by one character than changing the password on every use.
Creating and handling passwords
The following measures may increase acceptance of strong password requirements, if carefully used:
- a training program. Also, updated training for those who fail to follow the password policy.
- rewarding strong password users by reducing the rate, or eliminating altogether, the need for password changes. The strength of user-chosen passwords can be estimated by automatic programs which inspect and evaluate proposed passwords, when setting or changing a password.
- displaying to each user the last login date and time in the hope that the user may notice unauthorized access, suggesting a compromised password.
- allowing users to reset their passwords via an automatic system, which reduces help desk call volume. However, some systems are themselves insecure; for instance, easily guessed or researched answers to password reset questions bypass the advantages of a strong password system.
- using randomly generated passwords that do not allow users to choose their own passwords, or at least offering randomly generated passwords as an option.
Memory techniques
- mnemonic passwords: Some users develop mnemonic phrases and use them to generate more or less random passwords which are nevertheless relatively easy for the user to remember. For instance, the first letter of each word in a memorable phrase. Research estimates the password strength of such passwords to be about 3.7 bits per character, compared to the 6.6 bits for random passwords from ASCII printable characters. Silly ones are possibly more memorable. Another way to make random-appearing passwords more memorable is to use random words or syllables instead of randomly chosen letters.
- after-the-fact mnemonics: After the password has been established, invent a mnemonic that fits. It does not have to be reasonable or sensible, only memorable. This allows passwords to be random.
- visual representations of passwords: a password is memorized based on a sequence of keys pressed, not the values of the keys themselves, e.g. a sequence !qAsdE#2 represents a rhomboid on a US keyboard. The method to produce such passwords is called PsychoPass; moreover, such spatially patterned passwords can be improved.
- password patterns: Any pattern in a password makes guessing easier and reduces an attacker's work factor.
- * For example, passwords of the following case-insensitive form: consonant, vowel, consonant, consonant, vowel, consonant, number, number are called Environ passwords. The pattern of alternating vowel and consonant characters was intended to make passwords more likely to be pronounceable and thus more memorable. Unfortunately, such patterns severely reduce the password's information entropy, making brute force password attacks considerably more efficient. In the UK in October 2005, employees of the British government were advised to use passwords in this form.
Protecting passwords
A Microsoft expert was quoted as saying at a 2005 security conference: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."
Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Passwords can be encrypted by hand on paper and remember the encryption method and key.
A single "master" password can be used with software to generate a new password for each application, based on the master password and the application's name. This approach is used by Stanford's PwdHash, Princeton's Password Multiplier, and other stateless password managers. In this approach, protecting the master password is essential, as all passwords are compromised if the master password is revealed, and lost if the master password is forgotten or misplaced.