How Strong is Your Password?

in #security · 7 years ago (edited)



I think in this digital age it is the bare minimum to have a strong password to keep your digital assets safe. It is already well known that humans are very bad random number generators; to get a very strong password you need to generate truly random, uniform values with no correlation between characters. Otherwise the password is predictable and can be easily guessed.


Intro

Now the question becomes: how do you know which kind of password is strong and which is not? There are websites like this:

But you should NEVER enter your password there. I mean, how stupid can you be to enter your password into a foreign website? You should never use websites like that; even if they promise they won't do anything evil, you still cannot trust them.

You should not even enter a similar password there. Even if you don't type your real password but a look-alike, that already damages the strength of your real password: if a hacker correlates your IP address with the look-alike and later goes after your accounts, he already has something to work with.

  • So if your real password is something like: St33m!t!$c00l
  • And you enter a look-alike password there to check its strength: Steemitiscool

Then you have already massively damaged the strength of your real password. A potential hacker has enough information to guess your real password from this, so never enter your password anywhere other than where it is supposed to be entered.


What is Password Strength?

I created a tool a while ago to measure it; it runs totally offline / locally. You can check it out, but I feel it's not that accurate, and I'll explain later why not:

In information theory the strength of randomness is measured by the Shannon entropy. If your password is a needle, the entropy measures the size of the haystack: the bigger the haystack, the harder it is to find the needle. And we need a really big haystack, since a good computer can already crack billions of passwords per second.

The unit for entropy is a bit

A bit is the basic unit of information, it measures how much information there is, or how complex your haystack is in this situation. The more bits of entropy your password has, the stronger it is, and the less likely it is that it can be cracked.

A bit is a base-2 (binary) unit, and the entropy is easily calculated as log2(x), where x is the size of the haystack, i.e. the total number of combinations your password could take.


Measuring Password Strength?

Measuring the strength of your password is a simple calculation. First count the number of characters in it; we will call this the length, so if your password is 20 characters long, the length is 20.

Then you need to check what it is made of. I'll group the different kinds of characters here; there are basically only 4 classes:

  • Lowercase letter (a,b,c,d...)
  • Uppercase letter (A,B,C,D...)
  • Number (1,2,3,4....)
  • Symbols (!,@,#,$,...)

Obviously the more complex it is, the stronger it is, but first you need to determine what kinds of characters it has; if it has characters from all 4 classes, then it is the strongest.

Now we need to know the entropy content of each character class. We will look at the ASCII table, so if you are Chinese or use characters other than Latin ones, I am sorry, this tutorial is not for you; I only calculate the entropy for English keyboard characters here. But the method is the same, so you could calculate it for Chinese or other characters as well.

Class                      Total Characters   Bits / Character
Lowercase                  26                 4.7004397
Uppercase                  26                 4.7004397
Numbers                    10                 3.3219281
Symbols (excluding space)  32                 5

This is for printable ASCII characters, i.e. the characters used in English; characters like ä or Ç that are used in German or Turkish are not counted, only Latin characters. If your password is made up of these extra characters, you have to count them and measure their entropy by taking log2(x) of that number.

Now all you need to do is add up the bits for each character your password has. So if we take the example password above:

  • St33m!t!$c00l

That is 4 numbers, 5 lowercase, 3 symbols and 1 uppercase = 4*3.3219281 + 5*4.7004397 + 3*5 + 1*4.7004397 = 56.4903506 bits of entropy.

Now the rule of thumb is this: your password must be 100 bits strong, bare minimum, but most people recommend 128 bits. A used Bitcoin address is 128 bits strong, so it would be a good idea to make your password this strong as well.


Supercomputers can already crack anything below 80 bits, and with the advent of possible quantum computers their capacity only grows, so a password above 100 bits is the current safety threshold.

So obviously the password above can be easily cracked. In fact it's so weak that it can even be cracked by an average computer. The password above is expected to be cracked after 101225515277447000 tries. A computer costing about $3000 can do 50 TeraFlops/s, which is 5×10^12 floating point operations per second. The password above would be cracked in 337.42 minutes on average, probably faster if they are lucky. So a $3000 computer in 2017 can easily crack 56 bits of entropy. Imagine what a supercomputer could do.

We always compare things to the fastest supercomputer there is, which is Bitcoin.

Bitcoin is a supercomputer that operates at 81.36634763 ZettaFlops/s. Of course the Bitcoin network itself can't be used to crack passwords, but it's a good comparison, since you can bet that if people could construct a Bitcoin network this big, governments probably already have something of the same scale that can crack passwords.

So the capacity of the Bitcoin network could theoretically crack 81366347630000000000000 combinations per second.

Now a 128-bit password has enough complexity that the Bitcoin network itself would have to work non-stop for 132,613,585 years to crack it. Probably a bit less if they are lucky, but still, 132 million years is pretty strong evidence that the password is very safe.

A 100-bit password, on the other hand, has a 6-month warranty if the entire Bitcoin network were to try to crack it. But of course it probably won't, unless your password hides something worth more than 6 months of mining; otherwise it's a bad idea to spend that much energy cracking a password, it's economically unfeasible.


Caveat

This is usually a good way to measure the entropy of a password, but it is only true if the password is random. If there is correlation between the characters, then this methodology doesn't hold:

For example, if your password were a verse from Rihanna's Umbrella:

No clouds in my storms
Let it rain, I hydroplane into fame

Well, guess what: this might look like a long, strong password, but it's actually extremely weak, because it's already known.

So this password would have 0 or very low entropy, probably a few bits. It would be trivial to crack, since a password cracker probably already has a long list of pop song lyrics, because many stupid people use pop song lyrics as their password.

Entropy, as I said, measures the size of the haystack, and this only holds true if the bits of information in the system are uniformly random. There is no randomness in a pop song lyric, since the next character is easily predictable.

So it's better to use a password manager or dice to create passwords and not rely on public information, which has 0 or low entropy by default. Mixing in information could help, but unless you know what you are doing, I'd just recommend using a password manager instead.
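As an added example (not the author's offline tool), here is the post's per-class calculation in Python, with the guess rates quoted in the text and the caveat that a known lyric scores no entropy. The phrase list is a constructed stand-in for a cracker's wordlist, and `extra_class_size` for non-ASCII characters is my own parameter.

```python
import math
import string

# The post's four classes; len() gives the table's 26 / 26 / 10 / 32 (space excluded).
ALPHABETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Guess rates quoted in the post (one FLOP counted as one guess, as the post does).
DESKTOP_RATE = 5e12             # ~$3000 desktop, 50 TeraFlops
BITCOIN_RATE = 8.1366347630e22  # Bitcoin network, 81.37 ZettaFlops
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for a cracker's phrase list; real lists are far larger.
KNOWN_PHRASES = {
    "no clouds in my storms",
    "let it rain, i hydroplane into fame",
    "correct horse battery staple",
}

def char_class(ch):
    """Name of the class containing ch, or None for anything outside ASCII (ä, Ç, ...)."""
    for name, alphabet in ALPHABETS.items():
        if ch in alphabet:
            return name
    return None

def password_bits(password, extra_class_size=None):
    """Sum log2(class size) per character, as the post's method does.
    A known phrase scores 0 bits; non-ASCII characters need extra_class_size."""
    if password.strip().lower() in KNOWN_PHRASES:
        return 0.0
    bits = 0.0
    for ch in password:
        cls = char_class(ch)
        if cls is not None:
            bits += math.log2(len(ALPHABETS[cls]))
        elif extra_class_size is None:
            raise ValueError("character %r is outside the four ASCII classes" % ch)
        else:
            bits += math.log2(extra_class_size)
    return bits

def crack_years(bits, rate):
    """Years to try all 2**bits combinations at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR
```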


Sources:
https://pixabay.com





KeePass with a nice 32+ character alphanumeric password which you spend weeks memorizing.

A way to use strong passwords without the concern of forgetting them is using a password manager like LastPass or KeePass.

I have never used a password manager before. Do you need to keep them on a computer with no internet connection or are they just encrypted?

Password managers are mostly for online websites, so you can keep them on an online computer and they will be encrypted.

Private keys are what should be offline, like BTC private keys.

If that is the case, then in theory could you not just hold your private keys the same way? If the security is good enough for one, why not the other?

Off for a round of golf so probably won't get back to you but thanks for the answer ;)

No because the private key is the asset itself, it's revealed, then the asset is lost.

If a password is revealed, it's not necessarily a loss of an account, since it can still be recovered from the e-mail. So they would need to steal your e-mail account too.

So a password requires less security than a private key.

So in essence those password managers are no competition to the old pen and paper :)

I understand the difference between a password and private key of course. Just feel like if it is not good enough to store your most valuable data then is it really worth the risk.

The password manager is to generate the password mostly, and to store them in an organized way.

If the password is on a paper it can be read by others, so it depends on your access control: which one do you trust more, your encrypted computer or the lock on your door?

It's an interesting security problem. I think I have given a few tips about this issue in my Bitcoin Risk analysis article:

Would have been so funny if this was you asking people to tell you their passwords so you can "check" if they are strong ^^

Great post though.

It's hilarious that we went from keeping all our information on paper, to keeping it on hard drives, and now we need it back on paper ^^

Very strong is mine. Even I sometimes struggle to log in 😂

Correct horse battery staple
