30

I know that asking how many bits of entropy comprise a strong password is rather like asking the length of a piece of string. But assuming the NSA is not on to you, and that it is hardly worthwhile anyone spending a decade brute forcing your email, then will 80 bits suffice?

Peter
  • 1
    Possible Dupe/Strong Alikeness/Already Answered of: https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase – Lighty Oct 10 '14 at 12:17
  • 5
    @Lighty That's about passphrases vs. passwords and whether XKCD got it right. This question is about the practical strength of an 80-bit password. – Luc Oct 10 '14 at 12:41
  • 1
    At 6 bits per character that's >13 characters. This is a very safe length under pretty much any password storage scheme. – usr Oct 11 '14 at 11:51
  • 1
    Yes! But you must change after 2 weeks and aren't allowed to write down! :-) – peterh Oct 11 '14 at 18:16
  • With KeePassX I store all my passwords in a database and I can generate an 80000 bit key 10000 Char Long –  Feb 22 '16 at 09:37
  • 1
    @user102127 a shared-secret >256 bits is of dubious use. Inflate it to many-thousand bits and you're guaranteed to find a collision with whatever the hash is. – Nick T Jun 05 '17 at 17:04

6 Answers

42

Short answer: The more the better, but for now (2014) this is probably enough.

There is an important distinction between hacking into your Gmail and cracking an offline password. If you want to hack a Gmail account by guessing the password, you can only do a few tries per second at most. Google will block thousands of login attempts to a single account in too short a timeframe.

However if we are talking about, say, a Windows login, then it is stored locally. Windows has a database with the hashed password somewhere on the hard drive (in layman's terms: the encrypted password). This means that someone with access to the hard drive can extract the hashed password and start cracking however fast their computer can, which may be many millions of attempts per second.

Or when a database is hacked (see: LinkedIn), hashed password are often obtained and people can start cracking locally just like with a Windows login. This is where password strength really becomes important.

Edit: Like emory and JS. commented, you should assume all services get hacked at some point, so while right now you may not be able to brute force your Gmail password very fast, it could change any day. And not every company admits (or knows) that they got hacked. I still think it's okay to use reasonable passwords (if hackers can't crack it in 5 minutes they are just going to move on to one of the other 90 million passwords they obtained), but it's a valid point that no service is perfectly secure.


About password strength

(Jargon: you can think of "entropy" as being "true random data".)

So is 80 bits enough? Consider the following 80-bit password: 1111111111. Doesn't look very strong... How about this one, which is 160 bits: "horse battery staple" (20 bytes times 8). Better, but it's actually 3 words instead of 160 bits. If there are 10'000 possibilities in the English language then you can make 1 trillion combinations with 3 words, which is a lot, but nowhere near the 1 quindecillion possibilities you would have with 160 bits of entropy. Finally, how about 0MxLrTm8Z1? That is generated by a secure random number generator. It's 10 characters and takes 80 bits in storage. But how much entropy does it really contain? It's only alphanumeric (a-z A-Z 0-9), or 62 possibilities, making only 8.39*10^17 possibilities, or 59.5 bits of entropy.

So having a 10-character password does not mean you have 80 bits of entropy to crack through before finding the original. To store 80 bits in printable characters (the ones that you can type on a keyboard), which includes special characters like *&$@, you would need a password of 13 characters long.

Forward thinking

Another issue is that computers get ever faster. 80 bits is secure for now, but if you encrypt a file in 2014 with a now-safe password, maybe it could be cracked in 2017 when 36 months* have passed and computers became roughly 4 times faster.

While in 1993 a 6-character password (taken straight from a dictionary) might be reasonable security, in 2014 we debate whether 10 random characters is enough.

* Attentive readers will notice that's twice Moore's law (even more attentive readers will note that Moore's law was about transistors on a chip, not a computer's speed).

Password usage

And finally we have practical matters to think of: how do you manage your passwords? If I tell you that 80 bits is probably enough (which I just did), are you going to memorize a random 13-character password with lots of strange characters, and then use it for every account you have?

Whether a password manager is a good idea is another topic, but using different passwords is better than remembering a strong master password. It would be best to use a strong and unique password everywhere, but that's just not doable without writing it down or using a password manager, which introduces other risks. I'll leave such considerations to a dedicated question.

Luc
  • 4
    I use dice. In one throw a single die provides circa 2.58 bits of entropy; and if a minimum of 80 bits is needed in a password to prevent a brute force attack, then that amount is achieved with 31 dice throws. (31 x 2.58 = 79.98). If one writes them down in groups of four on a piece of paper they are easy and quick to type into the keyboard. – Peter Oct 10 '14 at 13:02
  • @Peter Dice, good one! I knew about [diceware](https://en.wikipedia.org/wiki/Diceware), but you're the first person I hear who actually uses it :) – Luc Oct 10 '14 at 13:03
  • Two points: first, Moore's law is dead. Over the last 36 months computers have not gotten 4 times faster, in fact, they have not even doubled in speed. Second, if having a computer 4 times faster in the future would let you crack the password in a reasonable time, then it isn't secure today since you could just wait 4 times longer, or use 4 computers. – psusi Oct 10 '14 at 20:11
  • 3
    I did not understand the last paragraph. Could you please add your medium, strong, and superstrong password, so that we can compare them visually with "qwerty123"? ;) – Hagen von Eitzen Oct 10 '14 at 22:21
  • 1
    I don't think there should be such a distinction between gmail and an offline password. You should assume that at some point, hackers will get google's password files and they will become offline. It has happened with linkedin and you should assume that it will happen with every online service. The solution is to regularly change your password and pick passwords with sufficient entropy such that by the time the offline hackers get your password, you have already changed it. – emory Oct 10 '14 at 23:14
  • 1
    @emory: A bit pedantic, but "with sufficient entropy such that by the time the offline hackers get your password, you have already changed it." should actually read, "by the time *you find out* offline hackers got your password." Not all entities detect/publicly admit these breaks quickly. Also, you often have to keep an eye out for such announcements. – JS. Oct 10 '14 at 23:24
  • @JS the truly paranoid just assume these things and thus regularly changes passwords. Don't depend on anyone to admit a break. How long do you think the NSA needs to break x bits of entropy? 2 years, then change it every year. – emory Oct 10 '14 at 23:32
  • 1
    @psusi The first point is probably valid, but I have yet to hear that Moore's law is completely dead. Citation needed, I suppose. About your second argument: when writing the post I doubted to include the phrase "for the same amount of money" but decided to leave it out because it seemed obvious to me. The point is that not everyone has the money to buy four times as much calculation power as they already have. Else why bother inventing faster CPUs when could buy *more* CPUs instead? – Luc Oct 10 '14 at 23:41
  • @Luc I agree. The paranoid will assume that all of humanity combined all their calculation power against them. If you have enough entropy for such an awesome adversary you don't need to worry about the Russian mob doubling its botnet network. – emory Oct 10 '14 at 23:58
  • 1
    @emory Responding to your first comment: good point. We shouldn't blindly trust a service to be perfectly secure. I still think it's okay to slack a little bit and use a weaker password on big services (as long as it's not crackable within 5 minutes with some serious power, probably nobody is going to bother when they got 90 million other passwords to try), but I think your main point is valid. – Luc Oct 11 '14 at 00:04
  • Awesome answer to a lackluster question. +1 – asteri Oct 11 '14 at 00:17
  • Use the domain name as salt and key stretch your main password to get unique and looking-random password for each of accounts. – Siyuan Ren Oct 11 '14 at 01:12
  • Okay. So I will just use that '0MxLrTm8Z1' as my password from now on, since it is apparently good enough. – Rafał Cieślak Oct 11 '14 at 22:46
  • 1
    The question is not whether or not anyone and everyone can afford 4 computers... the question is whether it is quite reasonable that an attacker _could_ use 4 computers ( borrow some ) or just wait 4 times longer ( which is not that long ). This is quite reasonable, and therefore, such a password is insecure. You need that barrier to be more like 100x or 1000x or higher rather than only 4x. – psusi Oct 13 '14 at 14:50
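The entropy arithmetic in the answer above (62^10 alphanumerics giving 59.5 bits, 13 printable characters for 80 bits, three words from a 10,000-word list) and in Peter's dice comment (31 throws) can be checked with a few lines. The following is an added example, not code from the answer or from any tool it mentions; the pool sizes are assumptions stated in the comments, and the character-class estimator is the naive "assume every character was drawn uniformly from the classes present" heuristic that password meters use, which over-estimates a patterned password such as 1111111111.

```python
import math
import string

# Pool sizes for the generation schemes discussed in the answer (assumed).
ALNUM = 62            # a-z, A-Z, 0-9
PRINTABLE = 95        # printable ASCII: letters, digits, space and symbols like *&$@
DIE_FACES = 6         # one throw of a fair six-sided die
WORDLIST_10K = 10_000 # "10'000 possibilities in the English language"


def entropy_bits(pool_size: int, draws: int) -> float:
    """Bits of entropy in `draws` independent uniform picks from `pool_size` symbols."""
    return draws * math.log2(pool_size)


def draws_for_bits(pool_size: int, target_bits: float) -> int:
    """Smallest number of uniform picks from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def storage_bits(password: str) -> int:
    """What a naive meter reports: eight bits per stored character."""
    return 8 * len(password)


def random_entropy_estimate(password: str) -> float:
    """Entropy the password would have IF every character had been drawn
    uniformly from the union of the character classes it uses.  For a password
    chosen by a human or by a pattern this is an upper bound, not the truth."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c == " " or c in string.punctuation for c in password):
        pool += 33  # 32 ASCII punctuation characters plus space
    return entropy_bits(pool, len(password)) if pool else 0.0


if __name__ == "__main__":
    print("10 alnum chars:", round(entropy_bits(ALNUM, 10), 1), "bits")
    print("3 words from 10k:", round(entropy_bits(WORDLIST_10K, 3), 1), "bits")
    print("printable chars for 80 bits:", draws_for_bits(PRINTABLE, 80))
    print("dice throws for 80 bits:", draws_for_bits(DIE_FACES, 80))
    for pw in ("0MxLrTm8Z1", "1111111111"):
        print(pw, "stores", storage_bits(pw), "bits, estimate",
              round(random_entropy_estimate(pw), 1), "bits")
```

The useful habit is to reason from how the password was generated (the pool and the number of independent draws), not from its length: the estimator's 33 bits for 1111111111 is still far too generous, since the string was not drawn at random at all.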

9

It has been stated (for a reasonably authoritative source, see Passphrases That You Can Memorize — But That Even the NSA Can’t Guess on The Intercept) that the NSA is capable of (at least) "one trillion guesses per second" in the context of PGP passphrases. PGP passphrases are deliberately expensive to check, and they may have upgraded their capabilities since, but we can still use this as some sort of baseline, because it's unlikely to be more than a few orders of magnitude off with any reasonably designed system.

One trillion guesses per second corresponds to 2^40 guesses per second.

A password with a true 80 bits of entropy would thus be secure for up to 2^(80-40) = 2^40 seconds.

2^40 seconds is about 35,000 years.

On average, we'd expect an adversary to guess the password correctly in half that time. That's still well over 15,000 years of trying.

Even figuring in advancements in computer technology, and assuming that you only need your password to be secure for several thousand years, we can thus reasonably state that an 80 bits entropy password should be sufficient against even a focused offline attack by a highly capable adversary for hundreds to thousands of years.

Chances are pretty good that they'll tire of waiting well before that long, and try some other, far more likely to be successful, method instead.

Do also keep in mind the difference between true entropy and the amount of storage needed to save the password bytes. For example, my password manager (KeePassX on Linux) insists that the password's number of "bits" is equal to the number of characters in the password times eight. This leads to such absurdities as a four-digit PIN for a bank card being claimed to have 32 bits of strength (4.3 billion possible values) instead of the much more accurate value 13-14 bits of strength (because 13 bits allows encoding 8192 possible values, and you need about 13.3 bits to encode 10000 values).

One way to get to 80 bits of true entropy is to generate a 6 or 7 (at 12.9 bits each, that's 77 and 90 bits respectively) word passphrase using the Diceware method. By using one of the EFF wordlists (the one which is unique in the first three characters of each word), this can be represented in 18 or 21 characters; this compares quite favorably to a truly random, single-case alphanumeric password (lowercase a-z, digits 0-9), which would need 17 characters to encode 80 bits of entropy (because log2 26^17 ≈ 80, or 26^17 ≈ 2^80), and may be easier to remember as it would be possible to memorize the words and type just the first three letters of each.

user
  • KeepassXC reports the entropy of passwords based on the actual pool of characters the user sets. So it will report a 12-character password made of mixed-cased alphabetic characters as having 62 bits of entropy whereas it will report a 12-bit password with only lowercase characters as having only 55 bits. So it must have gotten better after this post was written. – Lawrence I. Siden Jan 03 '20 at 16:17
  • Regarding the word list with unique 3-letter prefixes, that requires some kind of autocomplete software to work. To quote EFF: "Our typo-tolerant list is _much less efficient_ at only 1.4 bits of entropy per character. However, using a future autocomplete software feature, only three characters would need to be typed per word, in which case this would be the most efficient list to use at 3.1 bits of entropy per character typed." – Christian Davén Sep 22 '21 at 06:38

9

The weak point in any security strategy is always human predictability. Any clever password that you can think of, and remember, will be remarkably similar to a lot of other clever passwords people use. We just aren't as unique as we believe ourselves to be. People essentially think and memorise things in well understood and predictable ways.

Some basic principles I use in regard to passwords.

  1. Use a password manager. Our brains simply are not equipped to store multiple secure passwords. If you can memorise your passwords, then they are too simple.
  2. Never use the same password for more than one service. This is extraordinarily important, but almost always ignored. This principle is easy with a password manager, and virtually impossible without.
  3. Your identity is only as secure as your weakest password. However unimportant or mundane you may believe your email, or social media account to be, it still needs to be secure, as it can often be used to gain access to your more confidential services.
  4. If you can avoid it, don't use password hints. If a service mandates it, use something random and not personally identifiable. Having said that, only do this if you have a robust password management strategy in place. You should never have to use password recovery, because you should never lose your passwords.
  5. Use the maximum possible password length. Again, this necessitates the use of a password manager. Most services now support at least 16 characters. Use them all.
  6. Lock and encrypt all of your mobile devices. Your personal information (no matter how mundane) is valuable to cyber criminals.
user1751825

5

Yes, in particular in the light of "practical purposes" for the non-NSA type of attacker.

For online passwords, the rate at which attacks on the password can be done is limited. Also, there usually exist security exploits (customer service being the single biggest security exploit by design) which are often much more vulnerable than your password. Why waste hundreds of thousands of dollars cracking your 80-bit password if you can get CS to grant you access with a few minutes of social engineering.
Yes, someone stealing the password database on a server might reverse your password with brute-force, but that's unlikely to happen with 80 bits, they'll rather do the 10 million other users who have 20-bit passwords, and stop there. Also, you have nothing to lose since it's a random password which isn't used elsewhere. It is worthless.
The intruders already have root access to the server at that point, so whatever they can do on the compromised system, they'll do it anyway. Beyond that, there's nothing they can do with your password.

For the Windows password, 80 bits are also by far good enough. Sure, someone could run a brute-force attack, but as lame as NTLM is, even the famous 25-GPU 348-billion-NTLM-per-second machine would take 110,000 years for an exhaustive search.
On the other hand, you can just plug the harddisk into another computer and read the filesystem anyway, without knowing the password. It takes like 5 seconds, and you don't even need to open your case if you have a SATA-USB adapter. What will an attacker likely do?

For full-disk encryption, on the other hand, the key (or password) isn't normally stored, but a complicated key derivation scheme is used to derive the decryption key for the decryption key table. This limits the rate at which an attack can happen. Truecrypt used to use 2,000 iterations once upon a time, Veracrypt presently uses 320,000 or so iterations. It is a reasonable assumption that all full-disk encryption systems use a number of iterations (though some will use more, some fewer - I'd assume Bitlocker is rather at the lower end).
The fact that you need to read and decrypt at least 2 sectors (after doing a few thousand iterations) in order to verify whether a password matches further delays massively parallel attacks. A random 80-bit password is thus a quite non-negligible hurdle for the average non-NSA attacker.

Would a 256-bit password give you more security? Sure, but you also have to hit three times as many keys every time. Which is where the "practical" part comes into the equation from the other angle. It doesn't just matter whether it's practical for someone to attack you, but also whether the system remains practical for you to use every day.

Damon
  • Why assume the intruders have root access to the server? I don't think it is necessary in most systems. – emory Oct 10 '14 at 23:25
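Two answers above turn an entropy figure into a time: user's answer divides 2^80 candidates by 2^40 guesses per second to get about 35,000 years, and Damon's answer divides the same keyspace by 348 billion NTLM hashes per second to get 110,000 years, then notes that a key derivation function with hundreds of thousands of iterations slows the attacker further. This added example (not from either answer) does that arithmetic; the only assumption beyond the answers' own figures is that each KDF iteration costs the attacker about one hash operation, so the iteration count divides the guess rate directly.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def bits_for_values(n_values: int) -> float:
    """Entropy of one value chosen uniformly from n_values (10,000 PINs -> ~13.3 bits)."""
    return math.log2(n_values)


def exhaustive_search_years(bits: float, guesses_per_second: float,
                            kdf_iterations: int = 1) -> float:
    """Years needed to try every one of the 2**bits candidates.

    `guesses_per_second` is the attacker's rate for a single hash operation.
    `kdf_iterations` is an assumed cost multiplier: each iteration is treated
    as roughly one hash, so a 320,000-iteration KDF divides the effective
    guess rate by 320,000."""
    effective_rate = guesses_per_second / kdf_iterations
    seconds = 2.0 ** bits / effective_rate
    return seconds / SECONDS_PER_YEAR


def expected_years(bits: float, guesses_per_second: float,
                   kdf_iterations: int = 1) -> float:
    """On average the right guess turns up halfway through the keyspace."""
    return exhaustive_search_years(bits, guesses_per_second, kdf_iterations) / 2


if __name__ == "__main__":
    # Rates quoted in the answers: 2**40/s attributed to the NSA for PGP
    # passphrases, and the 348-billion-NTLM-per-second GPU machine.
    for label, rate in (("2^40 guesses/s", 2 ** 40), ("348e9 NTLM/s", 348e9)):
        print(f"{label}: 80-bit exhaustive search = "
              f"{exhaustive_search_years(80, rate):,.0f} years, "
              f"expected {expected_years(80, rate):,.0f} years")
    print("same GPU rig against a 320,000-iteration KDF: "
          f"{exhaustive_search_years(80, 348e9, 320_000):.2e} years")
    print(f"4-digit PIN: {bits_for_values(10_000):.1f} bits, "
          f"not {8 * 4} bits of storage")
```

The iteration multiplier is the defender's lever on the right-hand side of this equation: the attacker's hardware rate is outside your control, but a slow KDF on stored credentials raises the cost of every guess by the same factor for every user, which is why NTLM (one hash per guess) and a disk-encryption KDF give such different numbers for the same 80-bit password.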

4

I think so, but it's important to understand true entropy when it comes to how computers brute force.

A word in the dictionary in any language can be thought of as a character, similar to a Chinese character. And there are common words and uncommon words. Uncommon words can be thought of as having a very large alphabet, common words having a much smaller alphabet, but still much larger than the English set.

All of that being said, password entropy calculators don't take this into the equation, they treat a string-digit password as if it were a random password, which isn't the case.

A string-digit password: "el1zabeth267" A computer will guess this as basically two characters, not twelve.

Andrew Hoffman

-1

EFF publishes a table of 7776 (6^6) words with the special property that no word is a prefix of another. Download it, then get a single die (dice) that you trust is not biased and roll it six times. Write down the numbers from each roll in the order they appear (e.g. "123456"), and use that as a key to look up a word and write it down.

Do that again 6 times. That's your new passphrase that you can use to protect your master password database or your email account.

Remembering six random words shouldn't be much harder than memorizing one or two verses from a song. You could even put the words to music if it helps!

Each word comes with about 12.9 bits of entropy (log2(7776)). Six words gives you just a bit under the 80 bits of entropy discussed here. Seven words puts you over 90 bits.

Write down the words, carry them with you in your wallet (so you'll know immediately if it goes missing) and begin using them to log into your master password database or email account. In a few days, you should no longer need to keep them written down and you can shred the piece of paper (or lock it up somewhere secure if you're afraid you might forget later).

OR, you can download and install Diceware to do the grunt work for you and generate (pseudo-)random pass-phrases instantly. It's a lot easier than rolling dice and looking up words in a long table. The sequences won't be truly random, like actual dice, but unless your attacker has access to your computer and knows exactly what the time was on your clock when you generated them, they should be just as good.

  • 4
    Does not answer the question about 80 bits being *enough*. You answered how to efficiently generate and remember 80 bits' worth of entropy. – schroeder Dec 29 '17 at 00:30
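The procedure in the answer above (roll dice, concatenate the digits, look the key up in a Diceware-format list, repeat per word) is mechanical enough to script. This is an added example, not the Diceware program the answer links to nor EFF's own code. It assumes the EFF file format of dice digits, a tab and the word per line, and ships a constructed 36-entry stand-in list keyed by two dice (6^2 = 36) so that it runs offline; the real 7776-entry list is keyed by five dice, since 6^5 = 7776, and the same functions handle it unchanged. Where the answer mentions a clock-seeded generator, this example draws its rolls from Python's `secrets` module, which uses the operating system's cryptographic random source, so the weakness the answer describes (an attacker who knows the seed time) does not apply.

```python
import math
import secrets

# Constructed stand-in for a Diceware-format wordlist: dice digits, a tab, a word.
# Two dice -> 36 entries here; the real EFF large list uses five dice -> 7776 entries.
_SAMPLE_WORDS = """apple bread cloud drift eagle flame grape honey ivory joker
kayak lemon mango noble ocean piano quilt river stone tiger umbra vivid whale
xenon yacht zebra amber basil cedar delta ember frost globe hazel inlet jelly""".split()
_SAMPLE_KEYS = [f"{a}{b}" for a in range(1, 7) for b in range(1, 7)]
SAMPLE_WORDLIST_TEXT = "\n".join(f"{k}\t{w}" for k, w in zip(_SAMPLE_KEYS, _SAMPLE_WORDS))


def parse_wordlist(text: str) -> dict[str, str]:
    """Map each dice key (e.g. '11111') to its word; blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        table[key] = word.strip()
    return table


def dice_per_word(table: dict[str, str]) -> int:
    """A Diceware list has exactly 6**n entries for n dice; recover n."""
    n = round(math.log(len(table), 6))
    if 6 ** n != len(table):
        raise ValueError(f"{len(table)} entries is not a power of six")
    return n


def is_prefix_free(words) -> bool:
    """True if no word is a prefix of another (the property the answer relies on).
    After sorting, any prefix pair ends up adjacent, so one pass suffices."""
    ws = sorted(words)
    return all(not ws[i + 1].startswith(ws[i]) for i in range(len(ws) - 1))


def roll_dice(n: int, randbelow=secrets.randbelow) -> str:
    """n rolls of a six-sided die as a digit string; randbelow is injectable for tests."""
    return "".join(str(randbelow(6) + 1) for _ in range(n))


def passphrase(table: dict[str, str], words: int = 6,
               randbelow=secrets.randbelow) -> list[str]:
    """Roll, look up, repeat: `words` independent picks from the table."""
    dice = dice_per_word(table)
    return [table[roll_dice(dice, randbelow)] for _ in range(words)]


def passphrase_bits(table_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` uniform picks from `table_size` words."""
    return words * math.log2(table_size)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    assert is_prefix_free(table.values())
    print("sample list:", " ".join(passphrase(table, 6)),
          f"({passphrase_bits(len(table), 6):.1f} bits from the 36-word stand-in)")
    for n in (6, 7):
        print(f"{n} words from a 7776-word list: {passphrase_bits(7776, n):.1f} bits")
```

With the full list substituted for `SAMPLE_WORDLIST_TEXT`, `passphrase(table, 6)` yields the 77.5-bit and `passphrase(table, 7)` the 90.5-bit phrases the answer describes; `is_prefix_free` is the check to run on any list before relying on the "type only the first letters" shortcut mentioned in an earlier answer.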