Password strength explained

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,600
The conclusion of my blog posts on the LastPass breach and on Bitwarden’s design flaws is invariably: a strong master password is important. This is especially the case if you are a target somebody would throw considerable resources at. But everyone else might still get targeted due to flaws like password managers failing to keep everyone on current security settings.

There is lots of confusion about what constitutes a strong password however. How strong is my current password? Also, how strong is strong enough? These questions don’t have easy answers. I’ll try my best to explain however.

If you are only here for recommendations on finding a good password, feel free to skip ahead to the Choosing a truly strong password section.

Contents​

Click to expand...
Choosing a truly strong password

As I mentioned already, we are terrible at choosing strong passwords. The only realistic way to get a strong password is having it generated randomly.

But we are also very bad at remembering some gibberish mix of letters and digits. Which brings us to passphrases: sequences of multiple random words, much easier to remember at the same strength.

A typical way to generate such a passphrase would be diceware. You could use the EFF word list for five dice for example. Either use real dice or a website that will roll some fake dice for you.

Let’s say the result is ⚄⚀⚂⚅⚀. You look up 51361 in the dictionary and get “renovate.” This is the first word of your passphrase. Repeat the process to get the necessary number of words.

Update (2023-01-31): If you want it more comfortable, the Bitwarden password generator will do all the work for you while using the same EFF word list (type has to be set to “passphrase”).

How many words do you need? As a “regular nobody,” you can probably feel confident if guessing your password takes a century on common hardware. While not impossible, decrypting your passwords will simply cost too much even on future hardware and won’t be worth it. Even if your password manager doesn’t protect you well and allows 1,000,000 guesses per second, a passphrase consisting out of four words (51 bits of entropy) should be sufficient.

Maybe you are a valuable target however. If you hold the keys to lots of money or some valuable secrets, someone might decide to use more hardware for you specifically. You probably want to use at least five words then (64 bits of entropy). Even at a much higher rate of 1,000,000,000 guesses per second, guessing your password will take 900 years.

Finally, you may be someone of interest to a state-level actor. If you are an important politician, an opposition figure or a dissident of some kind, some unfriendly country might decide to invest lots of money in order to gain access to your data. A six words password (77 bits of entropy) should be out of reach even to those actors for the foreseeable future.
Click to expand...
palant.info

Password strength explained

I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.
palant.info palant.info
 
  • +Reputation
  • Like
  • Thanks
Reactions: Jonny Quest, brambedkar59, roger_m and 10 others
I Walk MY Way

I Walk MY Way

Level 6
Verified
Well-known
May 27, 2013
284
Knowing the character's of the password is fine as long as they don't know what it is for. Kinda like me telling (you) my pin to my bank card as long as (You) don't know what bank or bank card, its for there is not much u can do with that information.
 
  • Like
Reactions: mkoundo
mlnevese

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,536
Knowing what composes a password does not compromise it. They still don't know the position, which characters are used and even less where that password is used. Also there is no login information provided so they don't know who you are. Even knowing the composition of a password, it would still take quite a long time to brute force it and it would be basically useless anyway.
 
  • Hundred Points
Reactions: I Walk MY Way

Similar threads

Ink
    • Like
New Update Unlock your 1Password vault with a Passkey - Open beta
Replies
1
Views
355
Passwords and passkeys
Bot
Bot
Orchid
    • Like
Password-less: Your Thoughts
Replies
24
Views
1,858
Passwords and passkeys
kC77
kC77
BigWrench
    • Like
    • Thanks
Unlimited Giveaway Sticky Password Premium is a free license for 1 year. For all devices
Replies
0
Views
735
Giveaways, Promotions and Contests
BigWrench
BigWrench

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top