Password Strength Meters:

While password strength meters can help to warn users away from highly vulnerable passwords, they are not always accurate. A password strength meter cannot warn users away from reusing the same password on multiple sites. Because they are usually based on heuristics (e.g., password length, uppercase, lowercase, numbers, special symbols), they can easily be fooled. The following password may be ranked positively simply because it is long. Other password strength meters may give poor scores to strong passwords (e.g., four random words) simply because they do not include numbers and special symbols. Password strength meters may be helpful for many users, but without knowing the underlying password distribution it is not possible to design a password strength meter that will always be accurate.

[Figure: passwordStrengthMeter.png]

Entropy

One way to estimate the strength of a password is to look at the entropy of the underlying password distribution. Entropy is defined as follows:

[Figure: entropy.png]

If a user selects a password from a distribution with 30 bits of entropy, then an adversary will need to use 2^30 guesses on average to crack the user's password. High entropy is a necessary condition for security (i.e., any password generator with low entropy is not secure). However, high entropy is not a sufficient condition for security. Consider the following password generator G_1.

[Figure: badEntropyGenerator.png]

While G_1 has high entropy (H(G_1) = n), it should be clear that G_1 is a highly insecure password generator. A user who uses G_1 will pick the password mmmm 50% of the time, so an adversary could break into the user's account 50% of the time by simply guessing mmmm!

[Figure: entropyAttack.png]

Even though entropy is a highly imperfect measure, it is often used to measure the security of passwords because it can be estimated from empirical distributions.

Minimum Entropy

Minimum entropy is a better measure of password security. The minimum entropy of a distribution is defined as follows:

[Figure: minimumEntropy.png]

Our example bad password generator G_1 has low minimum entropy (H_min(G_1) = 1). Conversely, high minimum entropy (e.g., H_min(G) = n) guarantees that with high probability the adversary will need around 2^n guesses to recover the user's password. This means that the password will resist offline password cracking attacks with high probability. However, minimum entropy does not consider the correlation between passwords. Consider the following generators, each of which outputs two passwords (e.g., one for site A and one for site B):

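The values quoted above for G_1 can be checked numerically. The following Python code is an added example, not part of the original page: it assumes a concrete shape for G_1 (output "mmmm" with probability 1/2, otherwise a uniformly random one of 2^(2n-2) bit strings), which yields H(G_1) = n and H_min(G_1) = 1 as stated, compares it with a uniform n-bit generator, and reports how often an adversary's best single guess succeeds. The function names are this example's own.

```python
# Added example: Shannon entropy vs. min-entropy of a password generator.
# Not part of the original page; the generator shapes below are assumptions.
import math
from itertools import product


def shannon_entropy(dist):
    """H(X) = -sum_x p(x) log2 p(x); dist maps password -> probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """H_min(X) = -log2 max_x p(x): driven entirely by the most likely password."""
    return -math.log2(max(dist.values()))


def success_after_guesses(dist, guesses):
    """Probability that an adversary who guesses passwords in decreasing order
    of probability (the optimal strategy) succeeds within `guesses` tries."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:guesses])


def uniform_generator(n):
    """Picks one of 2**n bit strings uniformly: H = H_min = n."""
    return {"".join(bits): 1 / 2**n for bits in product("01", repeat=n)}


def bad_generator(n):
    """Assumed shape of G_1: with probability 1/2 output the fixed password
    'mmmm', otherwise a uniformly random one of 2**(2n-2) bit strings.
    Shannon entropy works out to 1/2 + (2n-1)/2 = n, but H_min is only 1."""
    k = 2 * n - 2
    dist = {"".join(bits): 0.5 / 2**k for bits in product("01", repeat=k)}
    dist["mmmm"] = 0.5
    return dist


if __name__ == "__main__":
    n = 4
    for name, gen in (("uniform", uniform_generator(n)), ("G_1", bad_generator(n))):
        print(f"{name:8s} H = {shannon_entropy(gen):.2f} bits, "
              f"H_min = {min_entropy(gen):.2f} bits, "
              f"P[cracked in 1 guess] = {success_after_guesses(gen, 1):.4f}")
```

Both generators report H = 4 bits for n = 4, yet the adversary's first guess against G_1 succeeds half the time, which is exactly what H_min = 1 predicts and what Shannon entropy hides.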
G_1 picks one very strong (2n-bit) password which is used for both accounts, and G_2 picks two independent strong (n-bit) passwords. Both generators have equivalent minimum entropy. While all three of the passwords x, y, and z should be strong enough to resist password cracking attacks, generator G_1 is vulnerable to phishing attacks. Suppose that an adversary is able to obtain the password for site B (e.g., website B was a malicious phishing site Paypaul.com, or website B stored passwords in the clear, as rockyou.com did). This adversary will also be able to compromise the user's account at site A.


[Figure: minEntropyWeakness.png]
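The weakness described above can be made precise by looking at the conditional min-entropy of the site A password once the site B password has leaked. The following Python code is an added example, not part of the original page: it assumes the two generator shapes as described (G_1 reuses one uniformly random 2n-bit password on both sites, G_2 draws two independent uniformly random n-bit passwords), builds their joint distributions over (password_A, password_B) for a small n, and shows that both have the same joint min-entropy while the min-entropy remaining for site A after a leak at site B is 0 for G_1 and n for G_2. Function names are this example's own.

```python
# Added example: why min-entropy alone misses password reuse across sites.
# Not part of the original page; generator shapes and names are assumptions.
import math
from itertools import product


def bitstrings(k):
    """All 2**k bit strings of length k."""
    return ["".join(b) for b in product("01", repeat=k)]


def shared_password_generator(n):
    """Assumed G_1: one uniformly random 2n-bit password z, used for both
    site A and site B. Returns the joint distribution over (pw_A, pw_B)."""
    space = bitstrings(2 * n)
    return {(z, z): 1 / len(space) for z in space}


def independent_password_generator(n):
    """Assumed G_2: independent uniformly random n-bit passwords x (site A)
    and y (site B)."""
    space = bitstrings(n)
    return {(x, y): 1 / len(space) ** 2 for x in space for y in space}


def min_entropy(joint):
    """H_min of the pair: -log2 of the most likely (pw_A, pw_B) outcome."""
    return -math.log2(max(joint.values()))


def best_guess_for_a_given_b(joint, leaked_b):
    """Probability that the adversary's single best guess for the site A
    password succeeds once the site B password is known to be leaked_b."""
    rows = {a: p for (a, b), p in joint.items() if b == leaked_b}
    return max(rows.values()) / sum(rows.values())


def conditional_min_entropy(joint, leaked_b):
    """H_min(A | B = leaked_b) = -log2 max_a Pr[A = a | B = leaked_b]."""
    return -math.log2(best_guess_for_a_given_b(joint, leaked_b))


if __name__ == "__main__":
    n = 3
    g1, g2 = shared_password_generator(n), independent_password_generator(n)
    print("joint H_min: G_1 =", min_entropy(g1), " G_2 =", min_entropy(g2))
    # Site B leaks its password; how much of site A's password is left to guess?
    print("H_min(A | B) after a leak at site B: G_1 =",
          conditional_min_entropy(g1, "0" * (2 * n)),
          " G_2 =", conditional_min_entropy(g2, "0" * n))
```

With n = 3 both joint distributions have H_min = 6 bits, so min-entropy alone cannot tell them apart; the conditional figure (0 bits for G_1 versus 3 bits for G_2) is what captures the damage a breach at one site does to the other.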