The best passwords and passphrases are long and are drawn from a large character set. Recalling that “X^Y” means raise X to the power of Y, “X/Y” means X divided by Y, and “X*Y” means X multiplied by Y, the following formulas show why both matter:
PossiblePWs = CharsInSet ^ PWLength
PWEntropyBits = log(CharsInSet) / log(2) * PWLength
Note: Dividing the common (base-10) log of a number by the common log of 2 gives its binary (base-2) log. The entropy formula is therefore log2(CharsInSet) * PWLength, which is the same as log2(PossiblePWs): the number of bits needed to represent every possible password.
First: Choose your password from a big set of characters. Use only digits? 10 characters. Use only lowercase or only uppercase? 26 characters. Add digits: 26+10=36 characters. Both lowercase and uppercase plus digits: 26*2+10=62. Add the space character: 26*2+10+1=63. Add every punctuation mark on your keyboard: 26*2+10+1+32=95. That doesn’t mean you have to use all 95 characters, but if you draw from them generously you make the password much harder for anyone to guess.
Second: Length is most important. It is the multiplier for entropy bits and the exponent for possible PWs; the character set size is only the base. Increasing the base helps, but length magnifies. Using a passphrase instead of a password adds space characters (and usually length), making it that much harder to guess but probably easier to remember. The more bits, the harder it is to guess.
The table assumes a passphrase drawn from the 95-character set. The parenthesized figure is the whole number of bits needed to store that many possibilities, rounded up:
PWLen  PWs       Bits (rounded up)
-----  --------  -----------------
    1  95          6.6 (7)
    2  9e+3       13.1 (14)
    3  857e+3     19.7 (20)
    4  81e+6      26.3 (27)
    5  7e+9       32.8 (33)
   10  59e+18     65.7 (66)
   15  463e+27    98.5 (99)
   20  3e+39     131.4 (132)
   25  27e+48    164.2 (165)
   30  214e+57   197.1 (198)
   35  1e+69     229.9 (230)
   40  12e+78    262.8 (263)
   50  769e+96   328.5 (329)
Note: E-notation is a form of scientific notation. The “e” stands for “exponent” and means the number that follows is a power of 10: it tells you how many places to move the decimal point. Positive moves it to the right, making the number bigger; negative moves it to the left, making the number smaller. So 9e+3 is 9 with the decimal point moved 3 places to the right, or 9000. Engineering notation uses exponents that are multiples of 3, so Xe+9 is billions, and so on.
A one-character passphrase is, of course, silly. It needs only 7 bits to store the 95 possible characters because 2^7 is 128, so 7 bits can hold 128 different values. A two-character passphrase is only slightly less silly, offering just over 9,000 combinations, and only 14 bits are needed to store them, since 2^14 = 16,384 covers all 9,025. A computer that spent a whole second on each try could check them all in about 2.5 hours, and one is bound to work before then. Similarly, for 3-character passwords, ~238 hours. At least with a 4-character password, trying every variant would take ~22,625 hours (over 2.5 years). That 5th character jumps the count up nicely, though, increasing the time to try all of them to ~2,149,391 hours (~245 years).
Just because a site’s rules allow a minimum length of 6 or 8 doesn’t mean you should use that length. And who says a whole second is needed for each try? Look at GPUs: an attacker cracking a stolen database of fast hashes offline tests billions of guesses per second, which cuts the hours above by nine or ten orders of magnitude.
Things get more interesting when using 10, 15, even 20 characters. A rule of thumb is for the passphrase to provide at least 128 bits. Using 19 characters from the 95-character set gives 125 bits; the table shows what happens when you add one more. Nobody says you must have a 30-, 40-, or even 50-character passphrase, but a long passphrase that draws generously from the 95 characters you can type on your keyboard is extremely difficult to guess by brute force. To see the effect of length on its own, run tests: type one letter of the alphabet repeatedly. That shows that length alone is good, but variety across the whole character set increases the difficulty further. More interesting: try the entropy of actual phrases.
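The formulas, the table, and the time-to-exhaust estimates above, worked in Python. This is an added example, not code from the original page. It infers the character set size the way the article counts it (10 digits, 26 lowercase, 26 uppercase, 1 space, 32 punctuation marks), applies the two formulas, and reports how long an exhaustive search would take at a given guess rate. The sample passwords are constructed, and the 10^10 guesses-per-second GPU rate is an illustrative assumption, not a measurement.

```python
import math
import string

# Character classes and their sizes as the article counts them:
# 10 digits + 26 lowercase + 26 uppercase + 1 space + 32 punctuation = 95.
CHAR_CLASSES = {
    "digits": frozenset(string.digits),
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "space": frozenset(" "),
    "punctuation": frozenset(string.punctuation),
}
FULL_SET = 95


def charset_size(password: str) -> int:
    """Size of the set a password draws from: the sum of the sizes of
    every class that contributes at least one character."""
    if not password:
        raise ValueError("empty password")
    remaining = set(password)
    size = 0
    for chars in CHAR_CLASSES.values():
        if remaining & chars:
            size += len(chars)
            remaining -= chars
    if remaining:
        # Anything outside printable ASCII is outside the article's 95-character model.
        raise ValueError(f"characters outside the 95-character keyboard set: {sorted(remaining)}")
    return size


def possible_passwords(chars_in_set: int, length: int) -> int:
    """PossiblePWs = CharsInSet ^ PWLength"""
    return chars_in_set ** length


def entropy_bits(chars_in_set: int, length: int) -> float:
    """PWEntropyBits = log(CharsInSet) / log(2) * PWLength, i.e. log2(CharsInSet) * PWLength"""
    return math.log(chars_in_set) / math.log(2) * length


def hours_to_exhaust(chars_in_set: int, length: int, guesses_per_second: float) -> float:
    """Hours needed to try every password in the space at a steady guess rate."""
    return possible_passwords(chars_in_set, length) / guesses_per_second / 3600


def entropy_table(lengths, chars_in_set=FULL_SET):
    """Rows of (length, possible passwords, bits, bits rounded up), as in the article's table."""
    rows = []
    for n in lengths:
        bits = entropy_bits(chars_in_set, n)
        rows.append((n, possible_passwords(chars_in_set, n), round(bits, 1), math.ceil(bits)))
    return rows


def analyze(password: str, guesses_per_second: float = 1.0) -> dict:
    """Apply the formulas to a concrete password, inferring the set size from the characters used."""
    n = charset_size(password)
    length = len(password)
    bits = entropy_bits(n, length)
    return {
        "charset": n,
        "length": length,
        "possible": possible_passwords(n, length),
        "bits": round(bits, 1),
        "bits_needed": math.ceil(bits),
        "hours_to_exhaust": hours_to_exhaust(n, length, guesses_per_second),
    }


if __name__ == "__main__":
    GPU_RATE = 1e10  # assumed rate for a fast hash on a GPU rig; illustrative, not measured

    print("PWLen  PWs        Bits")
    for n, pws, bits, needed in entropy_table([1, 2, 3, 4, 5, 10, 15, 19, 20, 30, 50]):
        print(f"{n:>5}  {pws:<10.3g} {bits:>6} ({needed})")

    # Length alone versus length plus variety (constructed sample inputs).
    for pw in ["aaaaaaaaaaaaaaaaaaaa", "My cat types 95 keys!", "Tr0ub4dor&3"]:
        r = analyze(pw, GPU_RATE)
        print(f"{pw!r}: set={r['charset']} len={r['length']} bits={r['bits']} "
              f"hours@1e10/s={r['hours_to_exhaust']:.3g}")
```

Running the script reprints the article's table and then contrasts a 20-letter run of one character (26-character set, about 94 bits) with a 21-character phrase that touches all five classes (95-character set, about 138 bits). The entropy figure is an upper bound: it assumes every character was chosen uniformly at random, which a memorable phrase is not.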
Don’t select a passphrase that someone who knows you could guess. Worrying about dictionary words is pointless when you write a phrase that you can remember but someone who knows you cannot guess. Every word in it can be in the dictionary, but the combination of words, the phrase length, and the symbols you choose to add make it unreasonably difficult to guess directly. One caveat: the table’s figures assume each character is chosen uniformly at random from the 95-character set. A phrase built from common words gives an attacker fewer effective choices per character, so its real entropy is lower than the table shows for its length; that is exactly why the length and the extra symbols matter.
With hard-to-crack passphrases, it’s pointless to change them frequently (unless you have reason to believe one has been exposed). But with a different passphrase for each account, having many passphrases makes remembering them more difficult, just as changing them often does. Don’t cycle through a set of three or four passwords. Pick something unique each time. But, again, there is the remembering problem.