Random Passwords
Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set (e.g., the ASCII character set), syllables designed to form pronounceable passwords, or even words from a word list (thus forming a passphrase).
The strength of random passwords depends on the actual entropy of the underlying number generator; however, these generators are often not truly random, but pseudorandom. Many publicly available password generators use random number generators found in programming libraries that offer limited entropy. However, most modern operating systems offer cryptographically strong random number generators that are suitable for password generation. It is also possible to use ordinary dice to generate random passwords. See stronger methods. Random password programs often have the ability to ensure that the resulting password complies with a local password policy; for instance, by always producing a mix of letters, numbers and special characters.
For passwords generated by a process that randomly selects a string of symbols of length, L, from a set of N possible symbols, the number of possible passwords can be found by raising the number of symbols to the power L, i.e. N^L. Increasing either L or N will strengthen the generated password. The strength of a random password as measured by the information entropy is just the base-2 logarithm or log₂ of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy, H, is given by the formula
where N is the number of possible symbols and L is the number of symbols in the password. H is measured in bits. In the last expression, log can be to any base.
Entropy per symbol for different symbol sets
Symbol set | Symbol count N | Entropy per symbol H |
---|---|---|
Arabic numerals (0–9) (e.g. PIN) | 10 | 3.322 bits |
Hexadecimal numerals (0–9, A-F) (e.g. WEP keys) | 16 | 4.000 bits |
Case insensitive Latin alphabet (a-z or A-Z) | 26 | 4.700 bits |
Case insensitive alphanumeric (a-z or A-Z, 0–9) | 36 | 5.170 bits |
Case sensitive Latin alphabet (a-z, A-Z) | 52 | 5.700 bits |
Case sensitive alphanumeric (a-z, A-Z, 0–9) | 62 | 5.954 bits |
All ASCII printable characters | 95 | 6.570 bits |
All extended ASCII printable characters | 218 | 7.768 bits |
Diceware word list | 7776 | 12.925 bits |
To find the length, L, needed to achieve a desired strength H, with a password drawn randomly from a set of N symbols, one computes
- , rounded up to the next largest whole number.
The following table uses this formula to show the required lengths of truly randomly generated passwords to achieve desired password entropies for common symbol sets:
Desired password entropy H | Arabic numerals | Hexadecimal | Case insensitive Latin alphabet | Case insensitive alphanumeric | Case sensitive Latin alphabet | Case sensitive alphanumeric | All ASCII printable characters | All extended ASCII printable characters | Diceware word list |
---|---|---|---|---|---|---|---|---|---|
32 bits | 10 | 8 | 7 | 7 | 6 | 6 | 5 | 5 | 3 |
40 bits | 13 | 10 | 9 | 8 | 8 | 7 | 7 | 6 | 4 |
64 bits | 20 | 16 | 14 | 13 | 12 | 11 | 10 | 9 | 5 |
80 bits | 25 | 20 | 18 | 16 | 15 | 14 | 13 | 11 | 7 |
96 bits | 29 | 24 | 21 | 19 | 17 | 17 | 15 | 13 | 8 |
128 bits | 39 | 32 | 28 | 25 | 23 | 22 | 20 | 17 | 10 |
160 bits | 49 | 40 | 35 | 31 | 29 | 27 | 25 | 21 | 13 |
192 bits | 58 | 48 | 41 | 38 | 34 | 33 | 30 | 25 | 15 |
224 bits | 68 | 56 | 48 | 44 | 40 | 38 | 35 | 29 | 18 |
256 bits | 78 | 64 | 55 | 50 | 45 | 43 | 39 | 33 | 20 |
384 bits | 116 | 96 | 82 | 75 | 68 | 65 | 59 | 50 | 30 |
512 bits | 155 | 128 | 109 | 100 | 90 | 86 | 78 | 66 | 40 |
1024 bits | 309 | 256 | 218 | 199 | 180 | 172 | 156 | 132 | 80 |
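The entropy and length calculations above, together with generation from the operating system's cryptographically strong generator, as an added example that is not part of the original page. The function names and the `ALNUM` constant are assumptions made for illustration; `required_length` finds the smallest L with N^L ≥ 2^H using integer arithmetic, which gives the same lengths as the table.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # case sensitive alphanumeric, N = 62


def entropy_bits(n_symbols: int, length: int) -> float:
    """H = L * log2(N); valid only if symbols are drawn uniformly and independently."""
    return length * math.log2(n_symbols)


def required_length(target_bits: int, n_symbols: int) -> int:
    """Smallest L such that N**L >= 2**target_bits.

    Exact integers are used instead of ceil(H / log2(N)) so that boundary
    cases such as N = 16, H = 128 cannot be tipped over by float rounding.
    """
    if n_symbols < 2 or target_bits < 1:
        raise ValueError("need at least 2 symbols and a positive bit target")
    length, space = 0, 1
    while space < (1 << target_bits):
        space *= n_symbols
        length += 1
    return length


def generate(symbols, length: int, sep: str = "") -> str:
    """Draw `length` symbols with the OS CSPRNG (secrets), not the `random` module."""
    symbols = list(symbols)
    if len(set(symbols)) != len(symbols):
        # Duplicates make some symbols more likely, so H would be overstated.
        raise ValueError("symbol set contains duplicates")
    return sep.join(secrets.choice(symbols) for _ in range(length))


def generate_for_strength(target_bits: int, symbols, sep: str = "") -> str:
    """Generate a password long enough to reach `target_bits` of entropy."""
    symbols = list(symbols)
    return generate(symbols, required_length(target_bits, len(symbols)), sep)


if __name__ == "__main__":
    pw = generate_for_strength(128, ALNUM)
    print(len(pw), round(entropy_bits(len(ALNUM), len(pw)), 1), pw)
```

Passing a word list as `symbols` with `sep=" "` produces a passphrase; the entropy figure then depends on the list containing no duplicate words.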