Does "password entropy" only mean that it's long and/or looks random, or is there something else? If the password contains 50 random numbers, will it be high entropy or not?
2 Answers
The entropy of a password is defined as the base 2 logarithm of the number of guesses an attacker would have to make in order to be sure of correctly guessing your password.
It's an idea from the science of information theory, and in the information security field it is normally used as a measurement of how resistant a password is to a "brute force attack", which is where an attacker tries every possible password one after another.
If a brute force attack is possible it always works eventually. The catch is in the word "eventually". If an attacker can brute force a password in 20 seconds, then it's not very good. If it takes them two weeks, it's better. If it takes two years, most attackers won't bother.
A password with higher entropy will, on average, take longer to brute force.
You can increase the entropy of a password by either
- increasing the length
- having a wider range of possible characters (e.g. use upper and lower case and punctuation as well as numbers)
- doing both
A 50 digit numeric password has an entropy of about 166. That would be considered very high indeed. I personally use passwords with entropy of around 100, which is pretty high. That is about the same entropy as a 32 digit numeric password.
You can't say how high an entropy is "high enough" without knowing more about the specific system the password is associated with - it depends on how fast the attacker can make guesses.
Let us suppose you use the password to protect a 7zip encrypted file, and your attacker is well resourced and uses a Cray XE6 supercomputer that can do 55 trillion guesses a second. If you're a 12 year old white US male, you have 63 years remaining life expectancy. Some simple math lets us work out that you need an entropy of about 77.5 for a password the Cray will not, on average, break in your lifetime.
If you use a numeric password, then, it will have to be at least 24 digits long (e.g. 687374947891238403277394); or if you use mixed case alphanumeric with punctuation, it will have to be at least 12 characters long (e.g. !cV~#$Liit4F).
It is important to remember, though, that brute force attacks are not the only way to break a password, and that entropy alone does not determine if a password is good or bad.
- We can't tell without knowing what the password is for. Your ATM card has a 4 digit PIN, and that's fine, because an attacker can only make a few guesses, so a very small entropy is high enough. – Graham Hill Jun 07 '12 at 16:09
- Ah, are you asking "how much longer does a numeric password need to be until it is as strong as an alphabetic password?" – Graham Hill Jun 07 '12 at 16:10
- I'll use it for truecrypt and 7z files, without any keyfiles. so how much longer does a numeric password need strong as ... – rezx Jun 07 '12 at 16:11
One possible way to think of entropy is the number of different passwords of the same length as yours. So if your password is "1234", you can calculate the number of "possible" 4-digit passwords that contain only digits:
10^4
We use 10, because there are 10 options for the digits. In general
{Number of options} ^ {Size of the password}
So if the site you are using expects alphanumeric passwords, and you use a 50 digit password, you have:
entropy = 36^50 = 6.53318624 × 10^77
So yeah. It's more than strong enough.
- strong enough for what? Any strength has to be considered against the use - it might be strong enough in some situations, but not others. – Rory Alsop Jun 08 '12 at 08:44
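The two answers use the same model from different ends: the second counts the possible passwords (options ^ length), the first takes log2 of that count to get bits and divides by an attacker's guess rate to get a cracking time. The script below is an added example, not code from either answer; it implements that model as small functions and reproduces the first answer's figures (about 166 bits for 50 digits, about 77.5 bits to outlast 55 trillion guesses per second for 63 years, 24 digits or 12 mixed characters), and it answers the comment thread's question of how many digits match a given mixed-character password. The 95-symbol alphabet for "mixed case alphanumeric with punctuation" is an assumption (printable ASCII); the answer does not state which set it used.

```python
import math

# Added example (not from either answer). Turns the reasoning in both
# answers into code: keyspace = alphabet^length, entropy = log2(keyspace),
# brute-force time = guesses needed / guess rate. The rate and lifetime in
# the demo are the first answer's figures (55 trillion guesses/s, 63 years).

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of this length over this alphabet
    (the second answer's {Number of options} ^ {Size of the password})."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits: log2 of the keyspace. This is only the real
    entropy if every character is chosen uniformly at random; a
    human-chosen password has fewer effective bits than this reports."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average the attacker
    hits the right password after trying half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def bits_needed(guesses_per_second: float, seconds: float) -> float:
    """Entropy needed so the *average* brute-force time is at least
    `seconds`: the attacker gets rate * seconds guesses and needs half the
    keyspace on average, so the keyspace must be twice that many."""
    return math.log2(2.0 * guesses_per_second * seconds)


def min_length(alphabet_size: int, bits: float) -> int:
    """Shortest password over this alphabet that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def numeric_length_equivalent(alphabet_size: int, length: int) -> int:
    """Digits-only length with at least the entropy of a `length`-character
    password over a larger alphabet (the question asked in the comments)."""
    return min_length(10, entropy_bits(alphabet_size, length))


if __name__ == "__main__":
    print(f"50 random digits: {entropy_bits(10, 50):.1f} bits")
    need = bits_needed(55e12, 63 * SECONDS_PER_YEAR)
    print(f"bits to outlast 55e12 guesses/s for 63 years on average: {need:.1f}")
    print(f"  -> {min_length(10, need)} digits, or {min_length(95, need)} chars "
          f"from a 95-symbol set (assumed printable ASCII)")
    print(f"12 chars from a 95-symbol set: {entropy_bits(95, 12):.1f} bits; "
          f"matching that with digits only takes "
          f"{numeric_length_equivalent(95, 12)} digits")
    years = average_crack_seconds(entropy_bits(10, 50), 55e12) / SECONDS_PER_YEAR
    print(f"average time to brute-force 50 digits at 55e12/s: {years:.3g} years")
```

Rory Alsop's comment is the part the numbers cannot capture: `guesses_per_second` is the whole model. For an online login or an ATM PIN the rate is a handful of attempts before lockout, so a 4-digit PIN scores fine; for an offline 7z or TrueCrypt container the attacker sets the rate, which is why the first answer's 77.5-bit figure applies there and not in general.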