Protect Your Online Identity with Great Passwords

More on Password Strength (for the Curious)

Here are a few notes about password strength (entropy) for anyone who wants to understand it more deeply. If the video gave enough explanation for you, you can skip this lecture.

Password strength is measured in bits of entropy.

1 bit: One bit represents the randomness of one coin flip. If you flip a coin once, there are two possible outcomes: heads, or tails.

2 bits: If you flip a coin twice, there are 4 possible outcomes: heads + heads, heads + tails, tails + heads, tails + tails.

10 bits: If you flip a coin 10 times in a row, there are 1,024 possible outcomes. So 10 bits represents about 1,000 possibilities. Anything that can be definitely guessed in less than 1,000 tries has 10 bits of strength or less. The first thing an attacker will use to guess passwords are lists of common passwords. If a password is on a list of the top 1,000 most popular passwords, then it has no more than 10 bits of entropy—an attacker will find it within 1,000 guesses. Some examples of 10 bit passwords are rainbow, yankees, michelle, iloveyou, letmein, batman, 123qwe, 987654321.

20 bits: About 1,000,000 possibilities. If a password is on a list of the top million passwords, it is less than 20 bits in strength. Some examples: vjht123jltccf, WsotcoM&53rd, mclarge1947, q1y6w2t5e3r4, psych196.

30 bits: About 1,000,000,000 possibilities. A password on the last half of a top 1-billion common passwords list would be about 30 bits. Many password crackers will also take lists of known passwords and change them in predictable ways (changing some letters to upper case, adding numbers and symbols, using the password backwards, etc.) or combine them together to create new guesses. People are predictable, so this helps them discover new passwords that aren’t already on their lists.

40 bits: About 1,000,000,000,000 possibilities. These passwords are not on any lists of known passwords. However, they are found with techniques like a brute force attack (trying every single combination of letters and numbers until the attacker finds the right combination). Some password crackers are also building huge lists of phrases from lyrics, literature, and encyclopedias (see How the Bible and YouTube are fueling the next frontier of password cracking). These huge databases of trillions of phrases can be used to crack just about any phrase that has ever been written down somewhere on the internet.

If you are still curious about password strength, you can read on for more technical details.

You can do your own research on password strength using password lists that have been published by security researchers:

• Top 1000 Passwords
• Top 1 Million Passwords
• Top 2 Billion Passwords

The strength of random passwords can be calculated with a mathematical formula:

E = log2(R^L)

E: entropy in bits

R: range – how many characters are in the character set?

L: length

For example, if mdjuweba is a randomly generated password, it has a range of 26, since characters were randomly selected from 26 lowercase letters and a length of 8. So there are 26^8 = 208,827,064,576 possible combination of 8 lowercase letters. Then convert this number to base 2 with log2(208,827,064,576) = 37.6 bits.

The strength of a non-random password cannot be calculated accurately with a formula. If you have questions beyond this, you can ask them in the Q&A section.