How good are your passwords?

in #mathematics, 7 years ago


Sooo, how good are your passwords? The strength of a password is ultimately defined by how long a "guessing algorithm" would take (on average) to find it. Let's say you pick your password by choosing a famous (or semi-famous) phrase from a famous (or semi-famous) book. Then it is very hard to quantify how long it would take on average for guessing algorithms (or a list of guessing algorithms) to find your password. The difficulty of quantifying how good your password is is in and of itself a security problem. However, if you pick your password at random, then it is easy to quantify how strong it is.

In general, I will assume that your password is chosen as a sequence of N so-called symbols from a list of A symbols called an alphabet. Now, the alphabet could simply be our Latin alphabet, or for example: a, b, c, ..., z, A, B, C, ..., Z, !, £, %, &, /, 1...9, i.e. alphanumeric symbols plus special characters. A is then the number of such symbols, in this case 25*2+10+5, assuming 5 special symbols, i.e. A=65. The symbols can be other things, though: they can be words, or both letters and words if one wishes. In that case, for the following formulas to be correct, one should always have separators between the symbols so that two concatenated symbols don't equal another symbol in the alphabet. Remember, if the symbols are words, then the length of those words doesn't matter. The only things that matter are that they are chosen at random, how many words are in the "alphabet" (wordlist) (A), and how many words are in the password (N).

I will always assume the "worst case scenario" that the alphabet is known to the public. So the only thing that is not known is which ordered sequence of symbols you get from the alphabet.

In order for your password to have maximum strength you must choose each symbol randomly, uniformly and independently from the alphabet. Uniformly means that all symbols have equal probability of being chosen, i.e. 1/A. Independently means that the probability of a symbol being chosen is independent of the chosen symbols preceding it.

The number of possible passwords of length N from an alphabet of A symbols equals A^N. One way of quantifying the strength of the password is to compute the complexity, i.e. how long an ordered sequence of ones and zeroes (bits) needs to be in order to describe the password. If the complexity is C, the number of such sequences is 2^C. This must then equal the number of possible passwords, so we have:

2^C = A^N

This then gives the password's complexity in bits:

C = N*log2(A)

Here log2 is the base-2 logarithm. We see that the password's complexity increases linearly with the number of symbols, N, but only logarithmically with the size of the alphabet, A. So, the length of a password is far more important than the size of the alphabet the symbols are chosen from.
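The formula and the uniform, independent sampling requirement above, as an added Python example that is not part of the original post. The function names are hypothetical, and the 62-character alphabet and 8-word list are constructed samples; only A=65 comes from the post.

```python
import math
import secrets
import string

# Constructed sample alphabets (assumptions, not from the post).
CHARS = string.ascii_letters + string.digits           # A = 62 single characters
WORDS = ["anchor", "birch", "comet", "delta", "ember", "fjord", "glyph", "heron"]  # A = 8

def complexity_bits(alphabet_size, length):
    """C = N*log2(A): valid only for uniform, independent draws."""
    return length * math.log2(alphabet_size)

def symbols_needed(alphabet_size, target_bits):
    """Smallest N such that N*log2(A) >= target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(alphabet, length, separator=""):
    """Draw `length` symbols uniformly and independently from the OS CSPRNG."""
    symbols = list(alphabet)
    if len(set(symbols)) != len(symbols):
        raise ValueError("duplicate symbols would make the draw non-uniform")
    if any(len(s) != 1 for s in symbols):
        # Word symbols: require a separator that occurs in no symbol, so two
        # concatenated symbols can never read as a different symbol sequence.
        if not separator or any(separator in s for s in symbols):
            raise ValueError("word symbols need a separator found in no word")
    return separator.join(secrets.choice(symbols) for _ in range(length))

if __name__ == "__main__":
    # Length versus alphabet size, using the post's A = 65.
    print(f"A=65,  N=10: {complexity_bits(65, 10):.1f} bits")
    print(f"A=65,  N=20: {complexity_bits(65, 20):.1f} bits")   # doubling N doubles C
    print(f"A=130, N=10: {complexity_bits(130, 10):.1f} bits")  # doubling A adds N bits
    print("symbols for 128 bits at A=65:", symbols_needed(65, 128))
    print("characters:", generate(CHARS, 22))
    print("words:     ", generate(WORDS, 6, separator="-"))
```

The 8-word list is far too small for real use; it is only there to exercise the separator check.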

However, you might say: what if I pick 30 letters at random and I get 30 a's? There is a non-zero probability of this happening, but if it happens then your random-number generator is probably malfunctioning or you live in a weird tangent universe. Either way you should pick a different password, since common sense says that 30 a's is a bad password (in fact, it has low so-called algorithmic complexity, or Kolmogorov complexity).

If you want to generate a random password you can use the free software KeePass. Be sure to check the tickbox "collect additional entropy" and use the mouse as a random source.


Don't miss my previous math posts:

Why mathematics is NOT unreasonably effective in describing nature
An introduction to algorithmic information theory PART 1
An introduction to algorithmic information theory PART 2


What you describe is very good

Congratulations @rndness222! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of posts published

