### Password Strength Meters:

### While password
strength meters can help to warn users away from highly vulnerable passwords
they are not always accurate. A password strength meter cannot warn users away
from reusing the same passwords. Because they are usually based on heuristics
(e.g., password length, uppercase, lowercase, numbers, special symbols) they
can be easily fooled. The following password may be ranked positively simply
because it is long. Other password strength meters may give poor scores to
strong passwords (e.g., four random words) simply because they do not include
numbers and special symbols. Password strength meters may be helpful for many
users, but without knowing the underlying password distribution it is not
possible to design a password strength meter that will *always *be accurate.

### Entropy

### One way to
estimate the strength of a password is to look at the entropy of the underlying
password distribution. Entropy is defined as follows

### If a user
selects a password from a distribution with 30 bits of entropy then an
adversary will need to use 2^{30 }guesses on average to crack the user’s
password. While high entropy is a necessary condition for security (i.e., any
password generator with low entropy is not secure). However, high entropy is
not a sufficient condition for security. Consider the following password
generator G_{1}.

### While G_{1}
has high entropy (H(G_{1}) = n) it should be
clear that G_{1} is a highly insecure password generator. A user who
uses G_{1} will pick the password mmmm 50%
of the time so that an adversary could crack into the user’s account 50% of the
time by simply guessing mmmm!

### Even though
entropy is an highly imperfect it is often used to
measure the security of passwords, because it can often be estimated from
empirical distributions.

### Minimum Entropy

### Minimum entropy
is a better measure of password security. The minimum entropy of a distribution
is defined as follows:

### Our example, bad
password generator G_{1} has low minimum entropy (
H_{min}(G_{1}) = 1).
Indeed high minimum entropy guarantees (e.g., H_{min}(G) = n) that with high probability the adversary will
always need to use around 2^{n} guesses to recover the user’s password.
This means that the password will resist offline password cracking attacks with
high probability. However, minimum entropy does not consider the correlation
between passwords. Consider the following generators which outputs two
passwords (e.g., one for site A and one for site B):

###

###

###

###

###

###

### G_{1} picks
one very strong (2n bit) password which is used for both accounts and G_{2}_{}
picks two independent strong (n bit) passwords. Both generators have equivalent
minimum entropy. While all three of the passwords x,y, and z should be strong enough to resist password
cracking attacks generator G_{1} is vulnerable to phishing attacks.
Suppose that an adversary is able to obtain the password for site B (e.g.,
website B was a malicious phishing site Paypaul.com or website B managed stored
their password in the clear like rockyou.com). This adversary will also be able
to compromise the user’s account at site B.

###