Password strength is a measurement of the effectiveness of a password as an authentication credential. Specifically, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it. The strength of a password is a function of length, complexity, and randomness.
Using strong passwords lowers the overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength, including wiretapping, phishing, keystroke logging, social engineering, dumpster diving, side-channel attacks and software vulnerabilities.
Determining password strength
There are two primary ways passwords are created: automatically (using randomizing equipment) or by a human. The strength of randomly chosen passwords can be calculated with precision. More commonly, passwords are generated by asking a human to choose a password, typically guided by a set of rules or suggestions; an example is at account creation time for computer systems. In this case, only estimates of strength are possible, since humans tend to follow patterns in such tasks. In addition, lists of commonly chosen passwords are widely available for use in password guessing programs. All passwords on such lists are considered weak, as are passwords that are simple modifications of entries in such lists. Either can be quickly tried. For some decades, investigations of passwords on multi-user computer systems have shown that 40% or more are readily guessed using only computer programs, and more can be found when information about a particular user is taken into account during the attack.
Entropy or bit strength
It is standard in the computer industry to measure password strength in terms of information entropy, a concept from information theory. Instead of the number of guesses needed to find the password, the base-2 logarithm of that number is taken to be the equivalent of the number of "bits" in a password. A password with, say, 42 bits of strength as calculated this way would be as strong as a string of 42 random bits. Put another way, a password with 42 bits of strength would require 2^42 attempts to exhaust all possibilities. Thus, adding a bit of entropy (or its equivalent) to a password doubles the number of guesses required. On average, an attacker will have to try half the possible passwords before finding the correct one.
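The following is an added example, not part of the original article: it computes the bit strength of a uniformly random password from alphabet size and length, turns bits into guess counts and into search time at a given guess rate (the rate-limiting point made above), and flags human-chosen passwords that are simple modifications of entries on a list of common passwords. The wordlist and the leet-substitution table are constructed for illustration.

```python
import math
import re

# Constructed stand-in for the widely available lists of commonly chosen
# passwords; a real check would load a much larger list from disk.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "dragon"}

# Constructed table of the character substitutions people typically apply
# when "modifying" a dictionary word (hypothetical, not exhaustive).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Bits of strength of a password drawn uniformly at random:
    log2(alphabet_size ** length) == length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(bits: float) -> float:
    """Guesses needed to try every password of the given strength: 2**bits."""
    return 2.0 ** bits


def average_guesses(bits: float) -> float:
    """On average the correct password turns up after half the space."""
    return guesses_to_exhaust(bits) / 2


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock time for a full search at a given guess rate; an online
    system that throttles attempts keeps this rate small, while leaked
    hashes let the attacker pick the rate."""
    return guesses_to_exhaust(bits) / guesses_per_second


def is_dictionary_derived(password: str) -> bool:
    """True if the password is a listed word or a simple modification of one:
    case changes, leading/trailing digits or symbols, or leet substitutions."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP) in COMMON_PASSWORDS


def estimate_strength(password: str, alphabet_size: int) -> dict:
    """Estimate for a human-chosen password. A list-derived password is
    found within len(list) guesses (plus a few variants), so its strength is
    bounded by log2(len(list)); otherwise report the random-choice upper
    bound, which a human-chosen password will usually fall short of."""
    if is_dictionary_derived(password):
        return {"bits": math.log2(len(COMMON_PASSWORDS)), "dictionary": True}
    return {"bits": random_password_bits(alphabet_size, len(password)),
            "dictionary": False}
```

Note that the random-choice figure is an upper bound: it is exact only for passwords generated by a uniform random process, not for ones a person picked.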