The average person will experience one or more breaches of their private online accounts in their lifetime. What’s the main culprit? Weak passwords. Every day that technology advances, the time it takes hackers to discover your password decreases. The best way to avoid this is by using passwords that are nearly impossible to guess. But how do you create a strong password? It’s simple – if you understand the fundamentals behind password security.
It Mostly Comes Down to Password Entropy
What Is Entropy?
If you’ve ever heard an expert talk about password strength, you likely heard mention of the phrase “password entropy.” Entropy, in this context, is based on information theory and is used by security experts to discuss password strength. It is a term that describes the difficulty of predicting data. It’s affected both by the data itself, as well as known ways to guess that data.
Entropy essentially applies a numerical value to the difficulty of deciphering a password. Another way to think about password entropy is to think of it as a score. The higher your score, the more difficult your password is to obtain through known cracking methods.
How Is It Calculated?
For passwords, security experts quantify entropy using “bits.” It can be confusing, as bits is a term used in computing as well. However, for this context, bits refer to a “unit of information,” specially based on predictability. The coin-flip analogy is a helpful way to understand it:
Imagine you have a coin. Flipping it in fair method gives you a 50 percent chance of heads or tails. A fair coin flip is unpredictable (despite being only two potential outcomes), so a single coin flip is considered one bit of entropy. If you flip it again, the combined result of both coin flips would be two bits. A third flip would be three bits, and so on.
It’s important to note that the result of the coin flip is irrelevant for calculating entropy. The point is that the creation of that result is random, making it necessary to try all, or most, resulting combinations at random to crack it.
If you had a trick coin with heads on both sides, the result would always equal 0 entropy. This is because the outcome is not random – it’s predictable and determined. Likewise, a coin that was weighted in some way to make it land heads-up approximately 75 percent of the time would generate bits of entropy, but at a lower rate per flip, because you could more easily predict results.
To create a strong password with high entropy, the goal is to avoid patterns so that a program or person attempting to guess your password must attempt several iterations of small changes before having a chance at cracking it.
For instance, here are the number of possible outcomes from just five fair coin flips, keeping in mind that for passwords, the order of each individual character matters:
|4 Heads, 1 Tails||HHHHT, HHHTH, HHTHH, HTHHH, THHHH|
|3 Heads, 2 Tails||HHHTT, HHTTH, HHTHT, HTHTH, HTHHT, HTTHH, TTHHH, THHHT, THTHH, THHTH|
|2 Heads, 3 Tails||HHTTT, HTTHT, HTHTT, HTTTH, THHTT, THTTH, THTHT, TTHTH, TTHHT, TTTHH|
|1 Heads, 4 Tails||HTTTT, THTTT, TTHTT, TTTHT, TTTTH|
The total result is 32 combinations out of just five bits of entropy. If your password were one choice out of this list, it would be slightly time consuming for a person to guess, though effortless for a computer to cycle through.
Adding just one bit of entropy, an additional coin toss, doubles the potential outcomes to 64, increasing your entropy further. A seventh would bring the total possibilities to 128. This exponential increase is why entropy is important: it represents a general estimation of how many possibilities exist based on the input.
As of right now, around 80 bits of entropy is considered a very secure password. To give you an example of what that would look like if generated through coinflips, here is a randomized result of 80 coinflips:
Imagine trying to guess that exact sequence! With 80 coinflips, there are a total of 1,208,925,819,614,629,174,706,176 potential outcomes. That’s the power of exponential increases and why it’s relevant to password security.
Necessary Elements to Create a Strong Password
Increasing entropy is the key to create a strong password. Unlike a coin toss, the most common input for passwords isn’t a 50/50 guess: it’s around 1 in 95. This is because most passwords consist primarily of words using upper and lowercase letters, numbers and special characters. Based on this, the best ways to increase entropy and create a strong password are:
Every character you add to your password adds some value of entropy. If only using the alphabet, a password of five characters will always be weaker than a password of eight characters. Most modern websites have password length restrictions, preventing you from creating a password of under six to eight characters. This is because it sets a higher baseline for permutations of letters to guess an individual user’s password.
However, the strength of a long password can be undermined by patterns and commonness. A password of “aaaaaaaaaaa” meets the criteria for length on most websites, but would be quickly cracked by most attempts. Why? For starters, it follows a very simple pattern of key repetition. More importantly, it’s on a list previously-cracked passwords. That list is often used as part of dictionary attacks when password crackers are deployed.
While length is often a great tool to create a strong password, using dictionary words or long passwords that are common make you a target of tools that factor these types of passwords into their system. Most cracking tools that are targeting a large list of users versus individual ones will attempt the most common passwords first.
Avoiding dictionary words, adding unpredictable symbols, letters or capitalization can all increase randomness and therefore create a stronger password.
Like randomness, complexity increases the strength of your password by avoiding potentially guessable strings of characters. One way to think of complexity is to think about the “buckets” of relevant characters a hacker would need to guess your password:
- Using only lowercase alphabet – 26 Potential Characters
- Using Mixed Case* – 52 Potential Characters
- Alphabet + Numbers – 36 Potential Characters
- Alphabet + Numbers & Mixed Case – 62 Potential Characters
- Alphabet + Numbers + Special Characters & Mixed Case – 95 Potential Characters**
Every additional bucket of characters you add to your password by including capitalization, numbers and special characters increases the strength of your password. This exponentially increases the difficulty of guessing your password, especially when combined with the other core elements such as increasing length and randomness.
*Mixed case refers to including both uppercase and lowercase letters.
**The range of permitted special characters varies from site to site, but most allow around 32, the standard special characters on an English keyboard.
If you’re being targeted by someone attempting to get into your account specifically, the biggest mistake you could be making is using a password associated with you and your life. Many people refer to easy-to-remember words or ideas for their passwords:
- Family Member Names
- Pet Names
- Favorite Athletic Teams
- Street Name
While in a large pool of targets, these aren’t likely to make you more vulnerable than any weakness with the passwords themselves, it changes dramatically if your accounts are being singled out. This is because any person motivated to target you can often save immense amounts of time running algorithmic attacks by inputting information they know about you.
With the current status of social media, online databases and more, it’s effortless to collect dozens of pages worth of information about your personal life. Once they know important people, places and things associated with you, they can run those through randomizers to add minor variations, like numbers, with all known words. This can reduce the need of searching billions of passwords to millions or thousands – something that can change the computing time needed from years to months or even just hours.
The solution? Avoid obvious connections to yourself when creating a password.
Avoid the Mess – Create a Strong Password Automatically
After reading all that, you may be wondering if it’s possible for humans to create a truly strong password. It is! However, it’s far easier for a computer to do it for you.
While computers can’t technically produce anything that’s truly random, they can generate pseudorandom passwords that are:
- Functionally Randomized
- Disassociated from You
That incorporates all of the elements of creating a strong password and doesn’t require you to do anything… except remember it. These automatically generated passwords are essentially uncrackable, assuming the generator requires around 80 bits of entropy or more.
Of course, remembering these exceptionally complex passwords can be hard. So, the best way to keep track of them is with a password manager. As long as your third-party password manager is secure, there’s nothing to worry about.
Protect Your Passwords with a 14-Day Free Trial
Do you want to use the strongest passwords possible without the stress of remembering them? Techferno stores an unlimited number of passwords and other sensitive information, protected by a unique system of secure layers that keeps them safe.
Designed for agencies, IT companies and any other business that manages several passwords, Techferno allows you to share access to passwords and more while retaining the protection of our state-of-the-art secure platform.