What is password strength?

Password strength is the measure of a password’s effectiveness against guessing or brute-force attacks. It is a function of length, complexity, and unpredictability.

General guidelines for strong passwords

The guidelines for choosing a good password are designed to make passwords harder to crack with intelligent guessing. The most common guidelines advocated by system security experts include:

  • Using a minimum password length of 8 or more characters (if permitted).
  • Including both upper and lowercase letters, numbers, and symbols (if permitted).
  • Avoiding passwords that the user is already using on other websites or systems.
  • Avoiding character repetition, keyboard patterns, dictionary words, and letter or number sequences. Additionally, avoid using usernames, relatives' names, pet names, or biographical information like ID numbers or dates.
  • Not using information that is publicly associated with the user or the account. This also includes information that people may know to be associated with the user.

What constitutes a weak password

The examples below illustrate various weak passwords, all of which are based on simple patterns that result in extremely low entropy (i.e., a brute force algorithm could easily crack them).

  • Default passwords such as “admin”, “guest”, “password”, etc.
  • Dictionary words – a brute force algorithm could easily iterate over sample dictionaries until it found the correct password.
  • Doubled words such as crabcrab, stopstop, treetree, passpass, etc.
  • Common sequences from a keyboard row like “qwerty”, “12345”, “asdfgh”, etc.
  • Phrases or words that identify the user, such as jsmith123, a birthday, cellphone number, one’s username, etc.
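The checks below turn the weak-password categories listed above into code. This is an added example, not code from the original page: the default-password set, the dictionary sample and the keyboard rows are small constructed lists for the demonstration (a real deployment would load full breach and dictionary lists), and `weak_password_reasons`, `username` and `personal_info` are names chosen here.

```python
"""Flag the weak-password patterns described above.

Added example. The lists below are constructed samples, not complete blocklists.
"""
import re

# Constructed sample lists; a real check would load large external lists.
DEFAULT_PASSWORDS = {"admin", "guest", "password", "root", "123456"}
DICTIONARY_WORDS = {"crab", "stop", "tree", "pass", "password", "dragon", "summer"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_keyboard_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent keyboard-row keys appear, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in pw or chunk[::-1] in pw:
                return True
    return False


def _is_doubled_word(pw: str) -> bool:
    """True for strings such as 'crabcrab' (the same half repeated twice)."""
    half, rem = divmod(len(pw), 2)
    return rem == 0 and half > 0 and pw[:half] == pw[half:]


def _has_letter_or_digit_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive ascending or descending characters occur ('abcd', '4321')."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def weak_password_reasons(password: str, username: str = "", personal_info=()) -> list:
    """Return the weak-pattern categories the password matches; an empty list means
    none of the listed patterns was found (it does NOT prove the password is strong).

    `personal_info` is an iterable of strings publicly associated with the user
    (birth year, phone number, pet name, ...), compared case-insensitively.
    """
    pw = password.lower()
    reasons = []
    if pw in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if pw in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    if _is_doubled_word(pw):
        reasons.append("doubled word")
    if _has_keyboard_sequence(pw):
        reasons.append("keyboard sequence")
    if _has_letter_or_digit_sequence(pw):
        reasons.append("letter/number sequence")
    if re.search(r"(.)\1{2,}", pw):          # three or more identical characters in a row
        reasons.append("character repetition")
    if username and username.lower() in pw:
        reasons.append("contains username")
    for item in personal_info:
        if item and item.lower() in pw:
            reasons.append("contains personal information")
            break
    return reasons


if __name__ == "__main__":
    for candidate, user in (("password", ""), ("crabcrab", ""), ("qwerty", ""),
                            ("jsmith123", "jsmith"), ("Tr0ub4dor&3", "")):
        print(f"{candidate!r}: {weak_password_reasons(candidate, user) or 'no listed pattern'}")
```

Each check is independent so a password can match several categories at once; the function returns all of them, which is more useful in a registration form than a single pass/fail verdict.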

Password entropy

Password entropy measures the unpredictability of a password. It is based on the character set used (which can be expanded by mixing numbers, symbols, and lowercase and uppercase letters) as well as the length of the password.

Password entropy is usually expressed in terms of bits. A password that is already known has zero bits of entropy, while one that could be guessed on the first attempt (half of the time) would have only 1 bit of entropy. A password’s entropy can be calculated by finding the entropy per character, which is log base 2 of the number of characters in the character set used, multiplied by the number of characters in the password itself.

A password of high entropy is very difficult to crack. A password of low entropy is very easy to crack.
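The entropy formula above (length multiplied by log base 2 of the character-set size) as an added, runnable example, not code from the original page. The class sizes are the usual ASCII ones (26 lowercase, 26 uppercase, 10 digits, 32 printable symbols), an assumption chosen here; `entropy_bits_from_list` goes slightly beyond the text to show why a dictionary word is low-entropy even when the per-character formula scores it well, and `expected_crack_seconds` takes the guess rate as a parameter rather than assuming one.

```python
"""Password entropy: H = L * log2(N), where L is the length and N the size of the
character set the password draws from.

Added example. Class sizes and the guess-rate parameter are assumptions made here.
"""
import math
import string

# Character classes and the size each contributes to N (assumption: 32 ASCII symbols).
CHARSETS = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 32),
)


def charset_size(password: str) -> int:
    """N: the size of the union of character classes the password actually uses."""
    remaining = set(password)
    size = 0
    for members, n in CHARSETS:
        if remaining & members:
            size += n
            remaining -= members
    # Anything outside the four classes (space, non-ASCII) counts as one symbol each.
    return size + len(remaining)


def entropy_bits(password: str) -> float:
    """Per-character entropy log2(N), multiplied by the length L."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def entropy_bits_from_list(list_size: int) -> float:
    """Entropy of a password picked uniformly from a list of `list_size` candidates.

    A dictionary word drawn from a 100,000-word list has only log2(100000) ~ 16.6 bits,
    however many characters it has; this is why the patterns listed earlier are weak.
    """
    return math.log2(list_size)


def guesses_to_exhaust(bits: float) -> float:
    """Number of guesses that covers the whole space: 2 ** bits."""
    return 2.0 ** bits


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the space divided by the guess rate."""
    return guesses_to_exhaust(bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("password", "Passw0rd!", "correct horse battery staple"):
        print(f"{pw!r}: N={charset_size(pw)}, H={entropy_bits(pw):.1f} bits")
    print(f"'password' as one of 100000 dictionary words: "
          f"{entropy_bits_from_list(100_000):.1f} bits")
```

Note that `entropy_bits` measures only the space a uniformly random password of that shape would occupy; it cannot see that "password" is a dictionary word. The 1-bit case from the text corresponds to `entropy_bits_from_list(2)`: a password that is one of two equally likely candidates.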


Copyright ©2026 Educative, Inc. All rights reserved