This is Part 2 of a 2-Part article. Please be sure to read Part 1 first:
At the end of Part 1, I posed the questions: How do you create a strong password? How do you measure password strength? How strong is strong enough? Please read on to discover how.
Create A Strong Password
You could use a random password generator, but it will produce a password like MYc^DHxWif*wjKq!EyHDSt3b which, while strong, is too complex to memorize and enter. The solution is to use a randomly generated passphrase. A passphrase is a password that uses a string of words. A passphrase is easier to type and remember than a password.
In Part 1, I gave an example of how human weakness results in lower password entropy. The same is true for phrases. Research shows that “users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language.” In other words, human-chosen passphrases don’t contain that much entropy. Your brain uses common idioms, grammar rules, and thought patterns that reduce randomness and entropy.
Diceware is a method to create passphrases using dice. For each word in the passphrase, five dice rolls are required. The numbers that come up in the rolls are combined into a five-digit number, e.g. 43146. This number is then used to look up a word in a 7,776-word list such as the EFF long word list.
Online Passphrase Generators
Bitwarden’s passphrase generator uses this method with a 7,766-word list. Each word will give approximately 13 bits of entropy (1 * log2(7766) = 12.922 ).
1Password’s passphrase generator uses an 18,000-word list. Each word will give 14.135 bits of entropy.
The Passphrase-generator.com generator is based on a 51,924-word list (15.664 bits of entropy per word).
A four-word randomly generated passphrase is considered strong. Five or six words are even stronger. Once you have your passphrase as a base, you can optionally modify it to make it stronger, while keeping it easy to remember and quick to type.
hungrily shrine froth unopened
Add random numbers:
- hungrily shrine froth 54362 unopened
- hungrily shrine froth unopened54362
Add special characters:
- hungrily shrine froth unopened,.?$%
Capitalize letters. Avoid adding capitalization to the first letter of a word since this is a common pattern and does not add much entropy:
- hunGrily shriNe frOth unoPened
- hungrily SHRINE froth unopened
- huNGrily shrine froth unopenED
Add padding. Padding is one, two, or three characters repeated a few times to add 10-20 characters. By itself, it is a very weak technique, but adding to an already strong passphrase increases the length and is quick to type – significantly increasing entropy if a hacker is forced into a brute-force search.
- ………. hungrily shrine froth unopened
- hungrily shrine froth nmnmnmnmnmnm unopened
- hungrily shrine froth unopened a;’a;’a;’a;’a;’a;’
These modifications can be combined. For example, add numbers and special characters in your padding. As you develop your modifications, design them so that they can be entered quickly.
Estimate A Password’s Real Entropy
Many password strength calculators only measure the password based on its length and whether it contains elements from the character pools. In the example from Part 1, UK^aR2$b and P@ssw0rd both have the same entropy but P@ssw0rd would be cracked in milliseconds. To get around this, many companies, including Bitwarden and Dropbox, use the open-source zxcvbn, a password strength estimator inspired by password crackers. It estimates password strength through pattern matching, recognizing common passwords, common first and last names, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (
aaa), sequences (
abcd), keyboard patterns (
qwertyuiop), and l33t speak.
Many companies run zxcvbn and give a password strength.
Although good, these companies don’t provide a numeric entropy number. Since we do not know the criteria they use, they might consider a password strong that we do not. For example, based on my tests, Bitwarden considers a password strong at around 30 bits of entropy.
There is a test version of zxcvbn that does provide a score.
The total guesses_log10 value in the result can give an approximation of a password’s real entropy in bits by multiplying by 3. In the example above, 24.6004 would indicate a password entropy of approximately 74 bits (24.6004 x 3 = 73.8012). Note that the test site was written in 2016 and is not maintained. Hackers will use more recent dictionaries and better patterns than those loaded in the test version, so the entropy value may be a little high.
A password manager’s master password’s entropy for the average person should be above 60 bits. A high-target individual should have a password entropy above 70 bits, and a nation-state target (a politician, dissident, etc.) should have a password entropy above 80 bits.
|Bits of Entropy||Strength||Suitability|
|< 28 bits||Very Weak||Might keep out family members|
|28 – 35 bits||Weak||Should keep out most people, suitable for desktop login passwords|
|35 – 59 bits||Reasonable||Fairly secure password suitable for network and company passwords|
|60 – 127 bits||Strong||Suitable for a password manager’s Master Password|
|128+ bits||Very Strong||Probably overkill|
Learning a passphrase may seem difficult, but it is not. It may take a few days or a week of practice, but it is the only password you need to remember. Write your password down on a piece of paper, refer to it as necessary until you have memorized it, and then destroy or securely store the piece of paper.
My passphrase-based password has an entropy of around 80 bits and is easy to enter taking me less than 10 seconds. I have used the same password for over five years. It protects over 400 unique and secure passwords in my password manager. Let me know in the comments if you have any questions.
- Ultimate Guide To Create A Master Password – Part 1
- Ultimate Guide To Create A Master Password – Part 2 ⬅ You are here