Good password policy isn’t random – or is it?

Forrester researcher Chenxi Wang recommends that organizations provide users with a password strength tool

Establishing the right password policy requires an understanding of the organization’s risk profile as well as the fundamental information-theoretical concepts that determine the password strength, such as entropy, Wang argued in her paper 'Breaking Down Entropy and Passwords'.

The report examines the concept of entropy in the framework of the National Institute of Standards and Technology’s authentication levels. Information security professionals can adapt the fundamentals to their policy work to determine the appropriate password length and fail-retry limit for the risk they are facing, the report said.

“Encryption as an example is a way to add randomness to communication. So any string of characters has a certain amount of entropy to it. If you don’t know what the string intends to mean, then the higher the entropy is and the more difficult it is for you to guess the meaning”, Wang told Infosecurity.

“So for a certain password, you want the highest entropy possible to reduce the success rate of random guessing”, she said.

In the report, Wang gave the following example. A four-digit PIN, with each digit drawn completely randomly from zero to nine, has 10,000 possible values, which is around 2^13. This translates to 13 bits of entropy.

In contrast, a four-character alphanumeric password, with each character randomly drawn from the keyboard (allowing for upper- and lowercase letters as well as special characters), would have 94^4 possible values, which translates to 26 bits of entropy.

“This is why alphanumeric passwords are much more difficult to crack than PINs. Each bit increase in entropy signifies twice as much effort needed to crack the password”, the report explained.

Entropy can be increased by increasing the password length, using different types of characters, and shortening the password fail-retry limit. While increasing entropy is an effective strategy for increasing a password’s strength, it makes it harder for users to remember it.

“You want to tell the users to use longer passwords, and the password should include different kinds of characters, numbers and letters, to increase the entropy for random guessing. But that also increases the difficulty for the user to remember it. There is certainly a tradeoff between how high the entropy is and how easy it is for a human to remember it”, she said.

Wang advised organizations to use a tool to help users improve the strength of their passwords. “There have been a number of studies that have found users are really bad at picking passwords. They always pick passwords that are easy to remember but have low entropy… You should help users pick better passwords by using some kind of tool. Users will input the password into the tool, and the tool will tell them how complex the password is to entice them to pick a password that is strong enough.”
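The entropy arithmetic behind the PIN and keyboard-password examples above, and the kind of calculation a password strength tool of the sort Wang recommends would perform, as an added example in Python (this is not code from the report or from Forrester). It assumes the report's model of characters drawn uniformly at random from an alphabet, uses the 94-character printable keyboard set, and adds a simple character-class heuristic for rating a user-typed password; the strength labels and their thresholds are the example's own assumptions, and the heuristic deliberately overestimates strength for dictionary words and patterns, which is exactly why a real tool needs more than this.

```python
import math
import string

# Character classes a user might draw from (sizes: 10, 26, 26, 32)
CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation,
}
# The full printable keyboard set used in the report's example: 10 + 52 + 32 = 94
KEYBOARD_SIZE = len(string.digits + string.ascii_letters + string.punctuation)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols, each drawn uniformly at random
    from `alphabet_size` symbols: log2(alphabet_size ** length)."""
    if alphabet_size < 1 or length < 1:
        return 0.0
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed to hit a uniformly random password:
    half the search space. Every extra bit doubles this number."""
    return (2.0 ** bits) / 2.0


def online_guess_success_probability(bits: float, fail_retry_limit: int) -> float:
    """Probability that an attacker limited to `fail_retry_limit` online attempts
    (by a lockout policy) guesses a uniformly random password of `bits` entropy."""
    return min(1.0, fail_retry_limit / (2.0 ** bits))


def inferred_alphabet_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from, judged by the
    character classes it actually uses. This is the simplified heuristic many
    strength meters use; it assumes randomness the user may not have supplied."""
    size = 0
    for chars in CHARSETS.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (e.g. non-ASCII) each add one symbol
    others = {c for c in password if not any(c in cs for cs in CHARSETS.values())}
    return size + len(others)


def password_strength_bits(password: str) -> float:
    """Heuristic entropy estimate for a user-typed password."""
    return entropy_bits(inferred_alphabet_size(password), len(password))


def strength_label(bits: float) -> str:
    """Coarse rating for feedback to the user. Thresholds are assumptions for
    this example, not values from the report."""
    if bits < 28:
        return "weak"
    if bits < 40:
        return "fair"
    return "strong"


if __name__ == "__main__":
    # The report's two examples, reproduced from the formula
    pin_bits = entropy_bits(10, 4)
    kbd_bits = entropy_bits(KEYBOARD_SIZE, 4)
    print(f"4-digit PIN:             {pin_bits:5.1f} bits, "
          f"~{expected_guesses(pin_bits):,.0f} guesses on average")
    print(f"4-char keyboard password:{kbd_bits:5.1f} bits, "
          f"~{expected_guesses(kbd_bits):,.0f} guesses on average")
    # Effect of length and of a 10-attempt lockout on online guessing
    for length in (4, 8, 12):
        bits = entropy_bits(KEYBOARD_SIZE, length)
        p = online_guess_success_probability(bits, 10)
        print(f"{length:2d} random keyboard chars: {bits:5.1f} bits, "
              f"P(success in 10 tries) = {p:.2e}")
    # Constructed sample inputs for the strength-tool heuristic
    for pw in ("1234", "password", "Tr0ub4dor&3"):
        b = password_strength_bits(pw)
        print(f"{pw!r:15} -> {b:5.1f} bits ({strength_label(b)})")
```

Note that `password_strength_bits("password")` comes out well above the PIN figure even though it is a dictionary word any guesser tries first; the report's entropy model only holds for characters chosen at random, so a production tool should combine this arithmetic with dictionary and pattern checks rather than report the heuristic number on its own.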
