How strong is your password? NIST has some formulas

Entropy is a measure of disorder within a system. It's what happens when you drop a glass of water on the floor, and a coherent system for containing liquid becomes a random assortment of shards in a puddle.

Physicists say the universe is moving inexorably toward entropy. Scientists at the National Institute of Standards and Technology's Computer Security Division can help you speed the process a little by adding entropy to your computer passwords.

In IT security, entropy refers to the degree of randomness of characters making up a password or personal identification number. It is used to determine the amount of effort needed to guess them.

The E-Authentication Initiative requires that there be no more than one chance in 1,024 that a password or PIN used for accessing a system at assurance Level 1 will be guessed over its lifetime. For assurance Level 2, the requirement is one chance in 16,384. These probabilities are figured using the entropy of a password, usually expressed in bits, and the policies governing password use on the system.

NIST Special Publication 800-63, Electronic Authentication Guideline, includes guides for estimating password strength (,

Entropy varies greatly depending on whether a password is selected by a user or is generated randomly. Statistically, guessing the first character of a password selected by a user is tough, but guessing the second is easier and the third is easier yet. The NIST guidelines give the first character 4 bits of entropy when using the 94 characters available on standard keyboards, but only 2 bits for each of the next seven characters, and so on.

Randomly selected passwords do not display patterns, so each character carries the same level of entropy, about 6.6 bits.

This means an eight-character password selected by a user has 18 bits of entropy, while a random password the same length has about 52.7 bits.

More entropy required

Additional bits of entropy can be added to user-selected passwords by adding rules to prohibit the use of easily identified passwords. NIST suggests giving people dictionaries of common words they shouldn't use. So-called composition rules would require users to use a combination of upper- and lowercase letters, as well as numbers and symbols.

The other key factor in meeting

E-Authentication strength requirements for Level 1 and 2 passwords is the life span of the password (how often it must be changed) and what restrictions are placed on failed log-in attempts. A system that blocks log-in for one minute following three failed attempts effectively limits an automated attack to three tries per minute, effectively extending the allowable life of a password.

A system also could block out a password and require that it be changed after the total number of failed attempts estimated by its level of entropy had been reached.

These numbers refer to 'guessing entropy,' which is a measure of the average amount of work required to guess the password of a single targeted user. Another type, 'min-entropy,' measures the difficulty of guessing the easiest single password in a group of users.

For details on the math and other variables involved in figuring password entropy, check out Appendix A of SP 800-63.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • How DHS hopes to harden tech against GPS spoofing (ShutterStock image)

    How DHS hopes to harden tech against GPS spoofing

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group