Password entropy

Ask yourself the following question, which of these two passwords are more easily hacked?

  1. zXHq2$&#
  2. This Is A Password With Some Random Words

The answer might surprise you. If we assume that the user can create a password consisting of 8 characters and each character can be one of 26 capital letters, 26 small letters, 10 different numbers, and a total of 10 different special characters, we have a total amount of different possible combinations of 26+26+10+10 ==> 72 different characters. 72 to the power of 8 ==> 7.2e+14, becomes a number of 7,200,000,000,000,000 different combinations.

The English language contains roughly 150,000 different words. This implies that even assuming every single word in our above phrase starts out with a capital letter, this becomes a total of 150,000 to the power of 8 for a sentence with 8 words. The result of that becomes 2.5e+41. So in fact, that last password from above, is 27 orders of magnitudes more difficult to crack. This is a 1 with 27 zeros behind it!

The last password from above hence is 1,000,000,000,000,000,000,000,000,000 times more difficult to crack!

This implies that if an adversary needs 1 year to crack your 8 character password by brute force, he’ll need 1,000,000,000,000,000,000,000,000,000 years to crack your 8 words password!

Creating passwords with few characters, resembling “rubbish” such as our first example from above, actually provides false security. Simply since to a computer, trying out every single combination of 8 different random “gibberish characters”, is in fact a quite simple task. In addition, to a human being, the last password example from above, is probably hundreds of times easier to remember, than the first password, implying the user doesn’t even need to write down his password to remember it.

Last year the developer who “invented” the above “gibberish” password regime actually publicly put forth his regrets, because 8 random characters, simply doesn’t provide enough “entropy”, for a safe and secure password regime. Entropy is what we measure password strength in. In Phosphorus Five’s upcoming release, one of the things I have changed, is its (default“password regime”. Instead of requiring the user to type in at least on number, one capital letter, one small letter, and one special character, and at least 8 characters in size – I have simply removed all restrictions, except requiring the password to be at least 25 characters long. Allowing you to for instance use a password such as our second example from above. This allows you to use a password that is 1e+27 times more difficult to crack. In addition it allows you to use UNICODE characters, allowing you to create your passwords as Chinese sentences, Russian sentences, or (my native tongue) Norwegian sentences. Literally making it mathematically *impossible* to “crack” your password with brute force.

Now I am a Norwegian native, extending my 150,000 English base line with some additional 70,000 words (the vocabulary of Norwegian). In addition I know some Spanish, some few words of Greek, Italian, French, Arabic, Persian, etc. Extending my base vocabulary with an additional 100,000 per language, since an adversary unless he knows me in person, wouldn’t know what words I know in any of these languages. This becomes a base number of 150,000 for English, plus 100,000 for French, plus 120,000 for Spanish, 70,000 for Norwegian, 100,000 for Greek. Let’s round it of to 750,000. Then comes the fact of that I can start every word with a Capital letter, or not, start only the first word with a capital letter, or not, split words with “_”, “-“, or ” “, etc – Making my “base line” increase by at least 10x, which equals a base line of some 7.5 million. This becomes 1.0e+55, which equals the following number of combinations.


The number of elementary particles in the known observable Universe is 1.0e+80. This makes the job of trying to brute force a password with 8 words comparable to naming every single elementary particle in the observable universe! Still, I could easily remember my passwords, such as the following illustrates.


The above would in fact be a very simple password for my brain to remember, and it’s got **9** words, in three different languages, including one dialectic word … 😉

If you’re a system developer, and you’re about to create a password regime for your users, forcing your users to create “gibberish” passwords is actually counterproductive, and creates false security. The best security is in fact to (almost) entirely drop your password restrictions. Math has already scientifically proven this to be a fact!

The additional bonus of course becomes that it makes an entire subject of security obsolete; Per user based server side salts! Since it increases the entropy of your passwords to the point where a Rainbow/Dictionary attack, even having physical access to your password file, would require a computer larger than our observable universe to simply calculate all possible combinations, including a hard drive a 100 trillion times larger than a Galaxy!

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.