Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?


26 Answers

Anonymous 0 Comments

Password “strength” comes down to something called **“entropy”**. In this context, entropy means how *un*predictable something is — and it is the basis for strength because a password that is predictable is a password that is easy to guess. The more entropy a password has, the harder it is for an attacker to guess randomly. Entropy is measured in bits. Each bit of entropy roughly doubles the amount of work that the attacker has to do to guess a random password. I won’t go into detail about the math, but in general you get entropy by making random selections. There are two things that are important:

1. The amount of entropy you get from a single random selection depends on how many possible outcomes there are. If you randomly flip a coin there are two possible outcomes (heads or tails), and this is worth one bit of entropy. Choosing one word at random from a dictionary of 8200 words is worth about 13 bits of entropy.
2. Making multiple random selections adds the entropy of each selection. If you randomly flip a coin twice, it is worth 2 bits of entropy. Choosing two words at random from a dictionary of 8200 words is worth 26 bits of entropy.

To bring this back to your question, randomly creating a password involves making a random selection for each character of the password. Each character of the password is a choice, and the character set determines the number of possible outcomes. So the bigger the character set, the more entropy each choice contributes.

To make a simple example, let’s say we’re talking about a 4-character password, like a bank card PIN. Let’s also say that you can type a password and see the result in 2 seconds, and there’s no limit to the number of times you can try, and that you and your team can work round-the-clock, 24/7. So:

* If the password is only made up of numbers, there are 10,000 possible passwords, and it would take you on average about 3 hours to guess the password.
* If the password is made up of uppercase and lowercase letters, there are 7.3 *million* possible passwords and it would take you just under 3 *months* to guess it.
* If you add numbers to the letters, there are now over 14.7 *million* possible passwords, and it would take you an average of about 6 *months* (171 days) to guess it.
* If you make the password out of all 92 keyboard characters, there are 71.6 million possible passwords, and it would take you over 2 *years* to guess it.

So just adding digits doesn’t fundamentally change the brute-force attack procedure (which is to try all possibilities until you find the correct password), but adding digits to the character set has almost *doubled* the work that you as the attacker have to do to break the password compared to a password that was only uppercase or lowercase letters.

Of course, an attacker using a computer or computer network can guess millions or billions of passwords per second. This is why passwords need to be long (so that they have multiple random choices) and need to include as many different kinds of characters as possible (so that each choice contributes as much entropy as possible).
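As an added example (not part of the answer above), this Python script carries the answer's arithmetic through: bits of entropy per selection, the size of the keyspace, and the expected brute-force time for each character set, using the answer's own assumptions (4 characters, 2 seconds per guess, an 8200-word dictionary). It also checks the closing point that length matters by comparing a 5-letter password against a 4-character one drawn from all 92 keyboard characters.

```python
import math

# Assumptions taken from the answer above: character-set sizes, an 8200-word
# dictionary, and an attacker who needs 2 seconds per guess.
SECONDS_PER_GUESS = 2.0
DICTIONARY_WORDS = 8200
CHARSETS = {
    "digits only": 10,
    "upper+lower letters": 52,
    "letters + digits": 62,
    "all 92 keyboard characters": 92,
}

def entropy_bits(outcomes: int, selections: int) -> float:
    """Bits of entropy from `selections` independent uniform choices among `outcomes`.
    One choice is worth log2(outcomes) bits; independent choices add up."""
    return selections * math.log2(outcomes)

def keyspace(outcomes: int, selections: int) -> int:
    """Number of distinct passwords an exhaustive search has to consider."""
    return outcomes ** selections

def expected_seconds(outcomes: int, selections: int,
                     seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Average time to brute-force: on average the attacker tries half the keyspace."""
    return keyspace(outcomes, selections) / 2 * seconds_per_guess

def compare(length: int = 4) -> dict:
    """Keyspace, entropy (bits) and expected crack time (days) per character set."""
    return {
        name: (keyspace(size, length),
               round(entropy_bits(size, length), 1),
               round(expected_seconds(size, length) / 86400, 1))
        for name, size in CHARSETS.items()
    }

def length_beats_alphabet() -> bool:
    """The answer's closing point: one extra letter (5 letters, ~28.5 bits) adds more
    entropy than switching 4 characters to the full 92-symbol keyboard (~26.1 bits)."""
    return entropy_bits(52, 5) > entropy_bits(92, 4)

if __name__ == "__main__":
    print(f"one dictionary word: {entropy_bits(DICTIONARY_WORDS, 1):.1f} bits, "
          f"two words: {entropy_bits(DICTIONARY_WORDS, 2):.1f} bits")
    for name, (space, bits, days) in compare().items():
        print(f"{name:28s} {space:>12,d} passwords {bits:5.1f} bits  ~{days:7.1f} days")
    print("5 letters beat 4 keyboard characters:", length_beats_alphabet())
```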
