Systems that use passwords for
authentication must have some way to check any password entered to gain access. If the valid passwords are simply stored in a system file or database, an attacker who gains sufficient access to the system will obtain all user passwords, giving the attacker access to all accounts on the attacked system and possibly other systems where users employ the same or similar passwords. One way to reduce this risk is to store only a
cryptographic hash of each password instead of the password itself. Standard cryptographic hashes, such as the
Secure Hash Algorithm (SHA) series, are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password. However, knowledge of the hash value lets the attacker quickly test guesses offline.
Password cracking programs are widely available that will test a large number of trial passwords against a purloined cryptographic hash. Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. For example, in 2010, the
Georgia Tech Research Institute developed a method of using
GPGPU to crack passwords much faster. By 2011, commercial products were available that claimed the ability to test up to 112,000 passwords per second on a standard desktop computer, using a high-end graphics processor for that time. Such a device will crack a six-letter single-case password in one day. The work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable GPUs. Special
key stretching hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not. Another situation where quick guessing is possible is when the password is used to form a
cryptographic key. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. For example, one commercial product claims to test 103,000
WPA PSK passwords per second. If a password system only stores the hash of the password, an attacker can pre-compute hash values for common password variants and all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can be efficiently stored using
rainbow tables. This method of attack can be foiled by storing a random value, called a
cryptographic salt, along with the hash. The salt is combined with the password when computing the hash, so an attacker precomputing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Many authentication systems in common use do not employ salts and rainbow tables are available on the Internet for several such systems.
Entropy as a measure of password strength Password strength is specified by the amount of
information entropy, which is measured in
shannon (Sh) and is a concept from
information theory. It can be regarded as the minimum number of
bits necessary to hold the information in a password of a given type. A related measure is the
base-2 logarithm of the number of guesses needed to find the password with certainty, which is commonly referred to as the "bits of entropy". A password with 42 bits of entropy would be as strong as a string of 42 bits chosen randomly, for example by a
fair coin toss. Put another way, a password with 42 bits of entropy would require 242 (4,398,046,511,104) attempts to exhaust all possibilities during a
brute force search. Thus, increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker's task twice as difficult. On average, an attacker will have to try half the possible number of passwords before finding the correct one. In the last expression,
log can be to any
base. : A
binary byte is usually expressed using two hexadecimal characters. To find the length,
L, needed to achieve a desired strength
H, with a password drawn randomly from a set of
N symbols, one computes: L = {\left \lceil \frac {H}{\log_2 N} \right \rceil} where \left \lceil \ \right \rceil denotes the mathematical
ceiling function,
i.e. rounding up to the next largest
whole number.
Human-generated passwords People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits. Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. A
uniform distribution would have had each character being used about 900,000 times. The most common number used is "1", whereas the most common letters are a, e, o, and r. The full strength associated with using the entire ASCII character set (numerals, mixed case letters, and special characters) is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps upper and lower-case letters, numbers, and non-alphanumeric characters. Such a requirement is a pattern in password choice and can be expected to reduce an attacker's "work factor" (in
Claude Shannon's terms). This is a reduction in password "strength". A better requirement would be to require a password
not to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). If patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character. This predictability means that the increase in password strength is minor when compared to random passwords.
Password Safety Awareness Projects Google developed the online interactive game Interland to teach children online safety, covering topics like cyber bullying, basic hacking, and
information security. On the chapter called
Tower Of Tresure, for example, it is advised to use unusual names paired with characters like (₺&@#%) with a game.
NIST Special Publication 800-63-2 NIST Special Publication 800-63 of June 2004 (revision two) suggested a scheme to approximate the entropy of human-generated passwords: Using this scheme, an eight-character human-selected password without uppercase characters and non-alphabetic characters OR with either but of the two character sets is estimated to have eighteen bits of entropy. The NIST publication concedes that at the time of development, little information was available on the real-world selection of passwords. Later research into human-selected password entropy using newly available real-world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords. The June 2017 revision of SP 800-63 (Revision three) drops this approach.
Usability and implementation considerations Because national keyboard implementations vary, not all 94 ASCII printable characters can be used everywhere. This can present a problem to an international traveler who wished to log into a remote system using a keyboard on a local computer . Many handheld devices, such as
tablet computers and
smart phones, require complex shift sequences or keyboard app swapping to enter special characters. Authentication programs can vary as to the list of allowable password characters. Some do not recognize case differences (e.g., the upper-case "E" is considered equivalent to the lower-case "e"), and others prohibit some of the other symbols. In the past few decades, systems have permitted more characters in passwords, but limitations still exist. Systems also vary as to the maximum length of passwords allowed. As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember, an issue compounded by password complexity requirements, may be forgotten and so are more likely to be written on paper, which is a security risk if the paper is improperly secured. == Required bits of entropy ==