
Password Complexity vs Password Entropy

In the IT world, we always hear the term password complexity. We are told to have complex passwords that include upper and lower case letters, numbers, and special characters. This is beneficial information, but in reality, all complexity does is prevent easily guessed passwords such as Password, Summer, and Baseball. Password complexity forces users to include different character sets. Password by itself is a very weak password. However, Password1! is a complex password because it contains an upper case letter, lower case letters, a number, and a special character.

According to Deloitte, “Most people put a capital letter at the beginning, and if you use a symbol, you probably use an exclamation mark.” Now let’s reevaluate Password1!: it may be complex, but it is not a smart choice if everyone is following the same character pattern.


Password entropy is the measurement of how unpredictable a password is. The mathematical formula is based on how many different character sets are used as well as the length of the password. The formula is $C^L$. C represents the size of the character set, or how many different characters are present in that set. L represents the length of the password. This TechNet Blog has a table that represents it perfectly:

[Image: Entropy Spreadsheet]

From this table, we can see that increasing password complexity is important. However, longer passwords significantly decrease your chance of being hacked. This Microsoft blogger’s most beneficial piece of advice is to have a password policy that requires longer passwords and includes a very large dictionary of all easily guessed passwords.

Unfortunately, Windows does not offer the ability to check passwords against a dictionary and the Windows complexity rule is not nearly enough to ensure better password security.
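The sketch below is an added example, not code from this post or from the TechNet blog. It applies the $C^L$ formula to Password1! and then runs the kind of dictionary check the post recommends. The three-word dictionary, the character-set sizes, the sample passphrase and all function names are assumptions constructed for illustration.

```python
import math
import string

# Character sets and their sizes; C is the sum of the sets a password uses.
CHARSETS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]

# Constructed sample dictionary; a real policy would load a very large list.
DICTIONARY = {"password", "summer", "baseball"}


def charset_size(password):
    """C: total size of every character set the password draws from."""
    return sum(size for chars, size in CHARSETS
               if any(ch in chars for ch in password))


def keyspace(password):
    """C^L: number of candidates a brute-force search has to cover."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """log2(C^L) = L * log2(C): the same quantity expressed in bits."""
    c = charset_size(password)
    return len(password) * math.log2(c) if c else 0.0


def dictionary_base(password):
    """Undo the common pattern (capital letter, trailing digits/symbols)
    and return the dictionary word underneath, or None."""
    base = password.rstrip(string.digits + string.punctuation).lower()
    return base if base in DICTIONARY else None


def evaluate(password):
    # The formula assumes random characters, so it overrates Password1!;
    # the dictionary check is what catches it.
    return {"C": charset_size(password), "L": len(password),
            "bits": round(entropy_bits(password), 1),
            "dictionary_word": dictionary_base(password)}


if __name__ == "__main__":
    for pw in ["Password", "Password1!", "lanternquartzwobble"]:
        print(pw, evaluate(pw))
```

Password1! gets a large $C^L$ from the formula yet reduces to a dictionary word, while the longer lowercase-only passphrase scores higher on length alone and passes the dictionary check.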

 
