Password Complexity versus Password Entropy
** A huge thanks to the MS Crypto Board for all of the hand-holding and explanations -- especially David LeBlanc, Michael Scovetta, and Marsh Ray.
I've had the opportunity to write a number of password generating functions. Many of the widely available built-in capabilities do not generate cryptographically secure passwords. Sadly, they often generate passwords that are rather easily capable of being re-calculated with the right tools or a smart mathematician/cryptographer. I'm writing this blog post because of some of the work experiences I've had. I've worked with customers who've had very stringent password policies as well as customers who've had laughable password policies. Now, whenever I start talking about passwords, someone always stands up and says, "...but passwords are dead thanks to 2-factor authentication/multi-factor authentication." And while I'd agree with this statement in principle, I can't in practice. Until all facets of every application and operating system finally kill off the plain-old password, all of the age-old arguments about password complexity, use, and crack-ability should still be of concern. And given some of the behaviors I've seen customers employ, passwords should be at the fore-front of some organizations' concerns.
An example of a case where passwords are still employed and still a very critical security concern for organizations are the passwords for local administrators. Why? ...because this is still an integral part of a hackers' privilege escalation path. Why? ...because often times, administrators set this password to the same value on all systems in an office; sometimes all workstation systems; sometimes all Windows platforms in a domain; sometimes all Windows platforms in an enterprise. And sometimes, they distribute this password in clear-text across the network and/or store the password in a reversibly encrypted fashion (e.g. Group Policy). Why is this bad?
- Because if you set the same password on all systems in a logical group, then once an attacker knows the password from one system, he effectively owns all of those systems.
- Because if you're sending the password in clear-text, any sniffer on the network can intercept and see the password transiting in clear-text.
- Because if you're setting the password via Group Policy then this means that you are setting the password on a group of machines to the same value and it's stored locally in reversibly encrypted format.
Without sliding much farther off-topic, to fix all of the aforementioned problems with managing the local administrator password, Microsoft recently released the Local Admin Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
Note that even if you've disabled/renamed/etc. the built-in administrator account (the S-1-5-*-500), any account with local administrative privileges is still just as important. Why? Because it's the "ADMINISTRATOR" role that is important to protect, not what SID the account has.
So... stepping off my soap-box about why passwords are still an important security consideration, lets talk about password complexity and how it relates to password entropy. For the purpose of this post, the following definitions will be used:
- Password Complexity: the rules associated with setting passwords to try and guarantee that the passwords used are both difficult-to-crack as well as difficult-to-guess.
- Password Entropy: the level of chaos or randomness present in a system -- in this case, a string of characters that make up a password.
- Bits of Entropy: the mathematical measurement, in bits, of how difficult it is to crack a password.
| Number of Possible Passwords | Password Entropy (bits) |
CL |
log(C) / log(2) * L |
C = Size of Character Set
L = Length of the Password
So there are a couple of really interesting things you might have noticed:
1. Mathematically, the LENGTH of the password is exponentially more important than the complexity of the character-set used.
2. ANY complexity rule, to include defining a required number of numbers, letters, specials, etc., actually increases a password's ability to be cracked.
The following table represents the most commonly used character-sets for re-type-able passwords:
- Numbers: 0-9
- Upper Alphas: A-Z
- Lower Alphas: a-z
- Special Characters: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
So the total character size typically ends up being: 10 + 26 + 26 + 32 = 94. Often times, certain special characters are excluded because they are difficult to re-use. Sometimes Unicode characters are used but not often in passwords that need to be typed because of the added complexity (e.g. ALT+0156 = œ).
With all of that being said, lets start looking at some combinations of relationships between password complexities, lengths, and resulting password combinations as well as password complexities, lengths, and resulting entropies:
| Password Length | ||||||||
| 8 | 12 | 16 | 20 | 24 | 28 | 32 | ||
| Alphanumeric + Specials | 94 | 6.10E+15 | 4.76E+23 | 3.72E+31 | 2.90E+39 | 2.27E+47 | 1.77E+55 | 1.38E+63 |
| Base64 | 64 | 2.81E+14 | 4.72E+21 | 7.92E+28 | 1.33E+36 | 2.23E+43 | 3.74E+50 | 6.28E+57 |
| Alphanumeric | 62 | 2.18E+14 | 3.23E+21 | 4.77E+28 | 7.04E+35 | 1.04E+43 | 1.54E+50 | 2.27E+57 |
| Upper and Lower Alphabet | 52 | 5.35E+13 | 3.91E+20 | 2.86E+27 | 2.09E+34 | 1.53E+41 | 1.12E+48 | 8.17E+54 |
| Upper or Lower Alphabet | 26 | 2.09E+11 | 9.54E+16 | 4.36E+22 | 1.99E+28 | 9.11E+33 | 4.16E+39 | 1.90E+45 |
| Numbers | 10 | 1E+08 | 1.00E+12 | 1.00E+16 | 1.00E+20 | 1.00E+24 | 1.00E+28 | 1.00E+32 |
| Possible Passwords | ||||||||
| Password Length | ||||||||
| 8 | 12 | 16 | 20 | 24 | 28 | 32 | ||
| Alphanumeric + Specials | 94 | 52.4367 | 78.65507 | 104.873 | 131.092 | 157.3101 | 183.528 | 209.7468 |
| Base64 | 64 | 48 | 72 | 96 | 120 | 144 | 168 | 192 |
| Alphanumeric | 62 | 47.6336 | 71.45036 | 95.2671 | 119.084 | 142.9007 | 166.717 | 190.5343 |
| Upper and Lower Alphabet | 52 | 45.6035 | 68.40528 | 91.207 | 114.009 | 136.8106 | 159.612 | 182.4141 |
| Upper or Lower Alphabet | 26 | 37.6035 | 56.40528 | 75.207 | 94.0088 | 112.8106 | 131.612 | 150.4141 |
| Numbers | 10 | 26.5754 | 39.86314 | 53.1508 | 66.4386 | 79.72627 | 93.014 | 106.3017 |
| Bits of Entropy | ||||||||
When looking at passwords in this light, it really starts to become clear how much more important the password length is, as opposed to the defined complexity requirements. To further this point, if you're using passwords with a character set of 10 (only numbers), in order to achieve the same amount of entropy as a character set of 94 (all possible ASCII characters), you only have the double the password's length. To say it another way, a password that is 16 characters long made up of only numbers provides the same level of difficultly-to-crack as an 8 character password made up of the possible 94 possible characters.
So hopefully this helped clear up why:
- Password lengths are significantly more important than password complexity requirements
- Password complexity only prevents users from creating easy-to-guess passwords
- Password complexity actually reduces the total number of possible passwords in a key-space
- In theory, the most secure password policy would define a longer-length password with no other complexity requirements with a very large dictionary that consists of all easily-guessable passwords
** NOTE ** - All of the aforementioned assertions assume the passwords are generated by a cryptographically secure algorithm and not stored in a reversible-encrypted or clear-text format.