Password Strength Meters:
strength meters can help to warn users away from highly vulnerable passwords
they are not always accurate. A password strength meter cannot warn users away
from reusing the same passwords. Because they are usually based on heuristics
(e.g., password length, uppercase, lowercase, numbers, special symbols) they
can be easily fooled. The following password may be ranked positively simply
because it is long. Other password strength meters may give poor scores to
strong passwords (e.g., four random words) simply because they do not include
numbers and special symbols. Password strength meters may be helpful for many
users, but without knowing the underlying password distribution it is not
possible to design a password strength meter that will always be accurate.
One way to
estimate the strength of a password is to look at the entropy of the underlying
password distribution. Entropy is defined as follows
If a user
selects a password from a distribution with 30 bits of entropy then an
adversary will need to use 2≠30 guesses on average to crack the userís
password. While high entropy is a necessary condition for security (i.e., any
password generator with low entropy is not secure). However, high entropy is
not a sufficient condition for security. Consider the following password
has high entropy (H(G≠1) = n) it should be
clear that G≠1 is a highly insecure password generator. A user who
uses G≠1 will pick the password mmmm 50%
of the time so that an adversary could crack into the userís account 50% of the
time by simply guessing mmmm!
entropy is an highly imperfect it is often used to
measure the security of passwords, because it can often be estimated from
is a better measure of password security. The minimum entropy of a distribution
is defined as follows:
Our example, bad
password generator G≠≠≠≠1 has low minimum entropy (
H≠min(G≠≠≠≠1) = 1).
Indeed high minimum entropy guarantees (e.g., H≠min(G≠≠≠) = n) †that with high probability the adversary will
always need to use around 2n guesses to recover the userís password.
This means that the password will resist offline password cracking attacks with
high probability. However, minimum entropy does not consider the correlation
between passwords. Consider the following generators which outputs two
passwords (e.g., one for site A and one for site B):
one very strong (2n bit) password which is used for both accounts and G≠≠2≠≠
picks two independent strong (n bit) passwords. Both generators have equivalent
minimum entropy. While all three of the passwords x,y, and z should be strong enough to resist password
cracking attacks generator G≠≠1 is vulnerable to phishing attacks.
Suppose that an adversary is able to obtain the password for site B (e.g.,
website B was a malicious phishing site Paypaul.com or website B managed stored
their password in the clear like rockyou.com). This adversary will also be able
to compromise the userís account at site B.