Password Entropy: The Value of Unpredictable Passwords
Password entropy is a measurement of how unpredictable, and therefore un-guessable, a password is.
Most of us don’t have passwords that pass the entropy test. For example, “123456” and “qwerty” were two of the top passwords used in 2021.
By learning more about what password entropy is and how to measure it, you’ll discover how to keep critical information safe from hackers.
Let’s dig in.
What does password entropy mean?
You want to shield your data. Hackers want to steal it. How can you build a strong wall of protection? Consider password entropy.
Password entropy is a measurement of difficulty. A hacker might try:
-
Simple guesses. The hacker uses well-known passwords like “password” to unlock access.
-
Brute force. The hacker uses a program that submits dozens of guesses every minute based on mathematical probabilities.
-
Research. The hacker digs through your social media accounts and online presence to find out your street address, pet’s name, and other common data points used in passwords.
Password entropy measures the likelihood that these hacking methods will work and the intruder gets in.
Password entropy rules
IT managers know all about password entropy, and they create regulations that force employees to pick more complex codes.
A well-known set of guidelines suggests passwords should be:
-
Assigned. If the system hands out a password (rather than allowing people to pick one), the password can be shorter.
-
Long. If the person gets to choose a password, it should contain at least eight characters.
-
Edited. The company creates a blocklist of commonly used (and insecure) passwords that people can’t pick.
It’s tempting to build on these rules and make guidelines stricter. Unfortunately, employees find workarounds. They reuse passwords, write them down, or share them when they can’t remember them easily.
Ideally, you’ll teach your employees about password entropy so they can choose a password that is both safe and somewhat easy to remember.
Try a password entropy calculator
Math plays a role in calculating password entropy. The formula may look complicated, but the underlying concepts are easy to understand.
Password entropy is typically expressed in bits. Low scores indicate passwords that are very easy to crack. The higher you rank, the harder a hacker must work.
A password entropy calculator equation looks like this:
E = log2(RL)
-
E stands for password entropy.
-
R stands for possible characters within the password.
-
L stands for the number of characters in your password.
Enhance entropy in two steps:
-
Add more character types. Include uppercase and lowercase letters, special characters, and numbers.
-
Increase the length. Longer passwords have higher scores than shorter versions.
Aim for a score of 60 or higher. But remember: Don't make the password so long and complicated that you'll never remember it.
At Okta, we believe in comprehensive password management. Find out more about what we recommend here. And learn why we think that the best password is no password at all in our whitepaper Move Beyond Passwords.
References
10 Most Common Passwords in 2021. (April 2021). Becker's Health IT.
Digital Identity Guidelines. (June 2021). NIST.
Calculating Password Entropy. Pleacher.