Password strength

departments (and other related government security bodies) of the USA and UK. Password complexity rules of enforced symbols were previously used by major platforms such as Google and Facebook, but these have removed the requirement following the discovery that they actually reduced security. This is because the human element is a far greater risk than cracking, and enforced complexity leads most users to highly predictable patterns (number at the end, swap 3 for E, etc.) which help crack passwords. So password simplicity and length (passphrases) are the new best practice and complexity is discouraged. Forced complexity rules also increase support costs and user friction, and discourage user signups.
security departments advise against forcing their inclusion in password policy. Complex symbols also make remembering passwords much harder, which increases writing down, password resets, and password reuse – all of which lower rather than improve password security. The original author of password complexity rules, Bill Burr, has apologized and admits they decrease security, as research has found; this was widely reported in the media in 2017. Online security researchers and consultants are also supportive of the change in best practice advice on passwords.
, along with the hash. The salt is combined with the password when computing the hash, so an attacker precomputing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Many authentication systems in common use do not employ salts and rainbow tables are available on the Internet for several such systems.
gauged not just by its complexity but its length, with recommendations leaning towards passwords comprising at least 13-16 characters. This era has also seen the rise of Multi-Factor Authentication (MFA) as a crucial fortification measure. The advent and widespread adoption of password managers have further aided users in cultivating and maintaining an array of strong, unique passwords.
available on the real-world selection of passwords. Later research into human-selected password entropy using newly available real-world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords. The June 2017 revision of SP 800-63 (Revision three) drops this approach.
, or share them with others as a safeguard against memory failure. While some people consider each of these user resorts to increase security risks, others suggest the absurdity of expecting users to remember distinct complex passwords for each of the dozens of accounts they access. For example, in 2005, security expert
upper and lower-case letters, numbers, and non-alphanumeric characters. Such a requirement is a pattern in password choice and can be expected to reduce an attacker's "work factor" (in Claude Shannon's terms). This is a reduction in password "strength". A better requirement would be to require a password
phrases and use them to generate more or less random passwords which are nevertheless relatively easy for the user to remember. For instance, the first letter of each word in a memorable phrase. Research estimates the password strength of such passwords to be about 3.7 bits per character, compared to
Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after
Some guidelines advise against writing passwords down, while others, noting the large numbers of password-protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, not attached to a monitor or in an unlocked desk drawer. Use
The full strength associated with using the entire ASCII character set (numerals, mixed case letters, and special characters) is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps
Although random password generation programs are available nowadays which are meant to be easy to use, they usually generate random, hard-to-remember passwords, often resulting in people preferring to choose their own. However, this is inherently insecure because the person's lifestyle, entertainment
As with any security measure, passwords vary in strength; some are weaker than others. For example, the difference in strength between a dictionary word and a word with obfuscation (e.g. letters in the password are substituted by, say, numbers — a common approach) may cost a password-cracking device
The strength of random passwords depends on the actual entropy of the underlying number generator; however, these are often not truly random, but pseudorandom. Many publicly available password generators use random number generators found in programming libraries that offer limited entropy. However,
If a password system only stores the hash of the password, an attacker can pre-compute hash values for common password variants and all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can
must have some way to check any password entered to gain access. If the valid passwords are simply stored in a system file or database, an attacker who gains sufficient access to the system will obtain all user passwords, giving the attacker access to all accounts on the attacked system and possibly
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g. three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be
A reasonable compromise for using large numbers of passwords is to record them in a password manager program; these include stand-alone applications, web browser extensions, or a manager built into the operating system. A password manager allows the user to use hundreds of different passwords, and
In the context of 2023 hardware technology, the 2012 standard of an eight-character alpha-numeric password has become vulnerable, succumbing in a few hours. The time needed to crack a 13-character password is reduced to a few years. The current emphasis, thus, has shifted. Password strength is now
in an article for ACM magazine, password security predominantly emphasized an alpha-numeric password of eight characters or more. Such a password, it was deduced, could resist ten million attempts per second for a duration of 252 days. However, with the assistance of contemporary GPUs at the time,
As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk. In contrast,
Using this scheme, an eight-character human-selected password without uppercase characters and non-alphabetic characters OR with either but of the two character sets is estimated to have eighteen bits of entropy. The NIST publication concedes that at the time of development, little information was
Passwords are created either automatically (using randomizing equipment) or by a human; the latter case is more common. While the strength of randomly chosen passwords against a brute-force attack can be calculated with precision, determining the strength of human-generated passwords is difficult.
invented the usage of common graphic cards for quicker password recovery in August 2007 and soon filed a corresponding patent in the US. By 2011, commercial products were available that claimed the ability to test up to 112,000 passwords per second on a standard desktop computer, using a high-end
is not used, passwords with more entropy are needed. RFC 4086, "Randomness Requirements for Security", published June 2005, presents some example threat models and how to calculate the entropy desired for each one. Their answers vary between 29 bits of entropy needed if only online attacks are
analyzed public databases of breached accounts to see which words, phrases, and strings people used. The most popular password on the list was 123456, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while the top five included
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their
Authentication programs can vary as to the list of allowable password characters. Some do not recognize case differences (e.g., the upper-case "E" is considered equivalent to the lower-case "e"), and others prohibit some of the other symbols. In the past few decades, systems have permitted more
to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). If patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a
on a US keyboard. The method to produce such passwords is called PsychoPass. Passwords produced by this method are much weaker than their length suggests, since successive keys are not independent and common keyboard sequences are included in password dictionaries. But some improvements can be
The hardest passwords to crack, for a given length and character set, are random character strings; if long enough they resist brute force attacks (because there are many characters) and guessing attacks (due to high entropy). However, such passwords are typically the hardest to remember. The
Previous password policies used to prescribe the characters which passwords must contain, such as numbers, symbols, or upper/lower case. While this is still in use, it has been debunked as less secure by university research, by the original instigator of this policy, and by the cyber security
Forcing the inclusion of lowercase letters, uppercase letters, numbers, and symbols in passwords was a common policy but has been found to decrease security, by making passwords easier to crack. Research has shown how predictable the common use of such symbols is, and the US and UK government cyber
Typically, humans are asked to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or internet website. Only rough estimates of strength are possible since humans tend to follow patterns in such tasks, and those
only have to remember a single password, the one which opens the encrypted password database. Needless to say, this single password should be strong and well-protected (not recorded anywhere). Most password managers can automatically create strong passwords using a cryptographically secure
study based on unstretched keys recommended a 12-character random password but as a minimum length requirement. It pays to bear in mind that since computing power continually grows, to prevent offline attacks the required number of bits of entropy should also increase over time.
rewarding strong password users by reducing the rate, or eliminating, the need for password changes (password expiration). The strength of user-chosen passwords can be estimated by automatic programs which inspect and evaluate proposed passwords when setting or changing a
allowing users to reset their passwords via an automatic system, which reduces help desk call volume. However, some systems are themselves insecure; for instance, easily guessed or researched answers to password reset questions bypass the advantages of a strong password
a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds:
Password expiration featured in some older password policies but has been debunked as best practice and is not supported by the USA or UK governments, or by Microsoft, which removed the password expiry feature. Password expiration was previously intended to serve two purposes:
Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set (e.g., the
graphics processor for that time. Such a device will crack a six-letter single-case password in one day. The work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable GPUs. Special
. Thus, increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker's task twice as difficult. On average, an attacker will have to try half the possible number of passwords before finding the correct one.
patterns can usually assist an attacker. In addition, lists of commonly chosen passwords are widely available for use by password-guessing programs. Such lists include the numerous online dictionaries for various human languages, breached databases of
Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relatives or pet names, romantic links (current or past), and biographical information (e.g. ID numbers, ancestors' names or
. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
Because national keyboard implementations vary, not all 94 ASCII printable characters can be used everywhere. This can present a problem to an international traveler who wished to log into a remote system using a keyboard on a local computer
effectively secured with relatively simple passwords. However, the system stores information about the user's passwords in some form and if that information is stolen, say by breaching system security, the user's passwords can be at risk.
be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user. Online services often provide a restore password function that a hacker can figure out and by doing so bypass a password.
of the number of guesses needed to find the password with certainty, which is commonly referred to as the "bits of entropy". A password with 42 bits of entropy would be as strong as a string of 42 bits chosen randomly, for example by a
Users rarely make full use of larger character sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.
) are called Environ passwords. The pattern of alternating vowel and consonant characters was intended to make passwords more likely to be pronounceable and thus more memorable. Such patterns severely reduce the password's
There are many other ways a password can be weak, corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and
expected, and up to 96 bits of entropy needed for important cryptographic keys used in applications like encryption where the password or key needs to be secure for a long period and stretching isn't applicable. A 2010
(SHA) series, are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password. However, knowledge of the hash value lets the attacker quickly test guesses offline.
Guidelines for choosing good passwords are typically designed to make passwords harder to discover by intelligent guessing. Common guidelines advocated by proponents of software system security have included:
hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not.
People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.
estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. Due to currently understood limitations from fundamental physics, there is no expectation that any
this period was truncated to just about 9 hours, given a cracking rate of 7 billion attempts per second. A 13-character password was estimated to withstand GPU-computed attempts for over 900,000 years.
the 6.6 bits for random passwords from ASCII printable characters. Silly ones are possibly more memorable. Another way to make random-appearing passwords more memorable is to use random words (see
passwords from various online business and social accounts, along with other common passwords. All items in such lists are considered weak, as are passwords that are simple modifications of them.
after-the-fact mnemonics: After the password has been established, invent a mnemonic that fits. It does not have to be reasonable or sensible, only memorable. This allows passwords to be random.
Consider a minimum password length of 8 characters as a general guide. Both the US and UK cyber security departments recommend long and easily memorable passwords over short complex ones.
Reused passwords: Passwords should be unique to a particular account. Altering reused passwords, such as changing a few letters or numbers, does not provide sufficient security.
If one has a truly strong password, there is little point in changing it. Changing passwords that are already strong introduces a risk that the new password may be less strong.
visual representations of passwords: a password is memorized based on a sequence of keys pressed, not the values of the keys themselves, e.g. a sequence !qAsdE#2 represents a
. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. For example, one commercial product claims to test 103,000
Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. A
The following table uses this formula to show the required lengths of truly randomly generated passwords to achieve desired password entropies for common symbol sets:
most modern operating systems offer cryptographically strong random number generators that are suitable for password generation. It is also possible to use ordinary
others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to
. Enabling more character subsets raises the strength of generated passwords a small amount, whereas increasing their length raises the strength a large amount.
If the time to crack a password is estimated to be 100 days, password expiration times fewer than 100 days may help ensure insufficient time for an attacker.
The possible character set for a password can be constrained by different websites or by the range of keyboards on which the password must be entered.
would have had each character being used about 900,000 times. The most common number used is "1", whereas the most common letters are a, e, o, and r.
For example, passwords of the following case-insensitive form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example
using randomly generated passwords that do not allow users to choose their passwords, or at least offering randomly generated passwords as an option.
fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack. One gains
Avoid using information that is or might become publicly associated with the user or the account, such as the user name, ancestors' names, or dates.
of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy,
displaying to each user the last login date and time in the hope that the user may notice unauthorized access, suggesting a compromised password.
preferences, and other key individualistic qualities usually come into play to influence the choice of password, while the prevalence of online
toss. Put another way, a password with 42 bits of entropy would require 2^42 (4,398,046,511,104) attempts to exhaust all possibilities during a
a training program. Also, updated training for those who fail to follow the password policy (lost passwords, inadequate passwords, etc.).
, as well as calculating the entropy of the generated password. A good password manager will provide resistance against attacks such as
, etc., can be tested automatically with little additional effort. For example, a domain administrator password compromised in the
Special Publication 800-63 of June 2004 (revision two) suggested a scheme to approximate the entropy of human-generated passwords:
Short passwords: Even if a password doesn't have any of the weaknesses listed above, if it is too short, it can be easily cracked.
Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. For example, in 2010, the
Weak passwords in non-English languages, such as contraseña (Spanish) and ji32k7au4a83 (bopomofo keyboard encoding from Chinese)
special character. This predictability means that the increase in password strength is minor when compared to random passwords.
password patterns: Any pattern in a password makes guessing (automated or not) easier and reduces an attacker's work factor.
imposition of a requirement for such passwords in a password policy may encourage users to write them down, store them in
passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
characters in passwords, but limitations still exist. Systems also vary as to the maximum length of passwords allowed.
programs are widely available that will test a large number of trial passwords against a purloined cryptographic hash.
. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the
If a password has been compromised, requiring it to be changed regularly may limit the access time for the attacker.
, most people are good at securing their wallets or purses, which is a "great place" to store a written password.
character set), syllables designed to form pronounceable passwords or even words from a word list (thus forming a
other systems where users employ the same or similar passwords. One way to reduce this risk is to store only a
more security by just increasing the password length by one character than changing the password on every use.
possible symbols, the number of possible passwords can be found by raising the number of symbols to the power
will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.
Do not use passwords that consist wholly of any simple combination of the aforementioned weak components.
(or combination) will be capable of breaking 256-bit encryption via a brute-force attack. Whether or not
Moving from never changing one's password to changing the password on every authentication attempt (pass
The upper end is related to the stringent requirements of choosing keys used in encryption. In 1999,
Google developed Interland to teach children safety on the internet. In the chapter called
Avoid character repetition, keyboard patterns, dictionary words, and sequential letters or numbers.
The following measures may increase acceptance of strong password requirements if carefully used:
. Once this is accomplished, password changes won't prevent future attackers from accessing them.
Avoid using the same password twice (e.g. across multiple user accounts and/or software systems).
. Random password programs often can ensure that the resulting password complies with a local
impose a recommendation to change any password which has been lost or suspected of compromise
Numeric sequences based on well-known numbers such as 911, 314159..., 27182..., 112, etc.
will strengthen the generated password. The strength of a random password as measured by the
of each password instead of the password itself. Standard cryptographic hashes, such as the
necessary to hold the information in a password of a given type. A related measure is the
For passwords generated by a process that randomly selects a string of symbols of length,
Another situation where quick guessing is possible is when the password is used to form a
, require complex shift sequences or keyboard app swapping to enter special characters.
it is advised to use unusual names paired with characters like (₺&@#%) with a game.
; for instance, by always producing a mix of letters, numbers, and special characters.
(knowledge, ownership, inherence). The first factor is the main focus of this article.
of a security breach, but strong passwords do not replace the need for other effective
password attacks considerably more efficient. In the UK in October 2005, employees of
of truly randomly generated passwords required to achieve a desired password entropy
A compromised password is likely to be used immediately by an attacker to install a
A password policy is a guide to choosing satisfactory passwords. It is intended to:
Names of brands, celebrities, sports teams, musical groups, TV shows, movies, etc.
(as supplied by the system vendor and meant to be changed at installation time):
cracked a 64-bit key in 4 years, 9 months, and 23 days. As of October 12, 2011,
Asking users to change passwords frequently encourages simple, weak passwords.
Provide recommendations for users concerning the handling of their passwords
The minimum number of bits of entropy needed for a password depends on the
encryption in less than a day using specially designed hardware. In 2002,
. This method of attack can be foiled by storing a random value, called a
, etc. Lists of default passwords are widely available on the internet.
, etc. including diagonal or backward sequences (qazplm, ytrewq, etc).
$L = \left\lceil \frac{H}{\log_2 N} \right\rceil$
Names of well-known locations: New York, Texas, China, London, etc.
$H = \log_2 N^L = L \log_2 N = L \frac{\log N}{\log 2}$
, etc., can be easily tested automatically with little lost time.
, clipboard logging and various other memory spying techniques.
Dates: dates follow a pattern and make your password weak.
1417: 2599:"EFF DES Cracker machine brings honesty to crypto debate" 2072:"Millions using 123456 as password, security study finds" 619: 424: 203: 113:
has made obtaining information about people much easier.
3756:
Password Patterns:The next generation dictionary attacks
3637: 3516:"A Large-scale Analysis of the Mnemonic Password Advice" 1714:
ensure the passwords are suited to the target population
1679: 1421: 661:
is usually expressed using two hexadecimal characters.
2963:"CyLab Usable Privacy and Security Laboratory (CUPS)" 2897:. USA National Institute for Standards and Technology 1727:
to block the use of weak or easily guessed passwords.
744: 684: 314: 3321:. USA National Institute of Standards and Technology 1558:, etc., including words in non-English dictionaries. 1277: 3638:Brumen, B; Heričko, M; Rozman, I; Hölbl, M (2013). 3577:
2010-01-21 at Wikiwix, as accessed January 19, 2010
3514:Johannes Kiesel; Benno Stein; Stefan Lucks (2017). 3458:"The problems with forcing regular password expiry" 2674:"Snakeoil: Warning Sign #5: Ridiculous key lengths" 2274: 2804:Hack Proofing Your Identity in the Information Age 2801: 2665: 2570:"Want to deter hackers? Make your password longer" 2498: 1847:) or syllables instead of randomly chosen letters. 1780: 1381: 758: 728: 400: 3011:"Write Down Your Password - Schneier on Security" 2355: 2167: 2105:"SP 800-63 – Electronic Authentication Guideline" 254:Random password generator § Stronger methods 3762: 3690:"zxcvbn: realistic password strength estimation" 3589:"How to Create Memorizable and Strong Passwords" 3068:BlackBerry Tour 9630 (Verizon) Cell Phone Review 3033:"What does the NCSC think of password managers?" 2275:Florencio, Dinei; Herley, Cormac (May 8, 2007). 1747:However, password expiration has its drawbacks: 190:Password strength is specified by the amount of 3005: 3003: 2218:Elcomsoft Wireless Security Auditor, HD5970 GPU 3751:RFC 4086: Randomness Requirements for Security 2936: 2934: 2643: 2591: 2361: 202:. It can be regarded as the minimum number of 1654:a simple investigation of a person's details. 1493: 672:with a password drawn randomly from a set of 441:Entropy per symbol for different symbol sets 3299:. UK Information Commissioner's Office (ICO) 3195:"ACM Digital Library - Rethinking Passwords" 3000: 2725:Strong passwords: How to create and use them 2277:"A large-scale study of web password habits" 2236: 1236: 116: 3486: 3128: 2931: 2917:"Password administration for system owners" 2700:"Quantum Computing and Encryption Breaking" 2617: 2444:"SP 800-63-3 – Digital Identity Guidelines" 1931:. Unsourced material may be challenged and 1880:were advised to use passwords in this form. 1684:In the landscape of 2012, as delineated by 1458:Generate passwords randomly where feasible. 
1329: 1293:Usability and implementation considerations 759:{\displaystyle \left\lceil \ \right\rceil } 547:Case sensitive alphanumeric (a–z, A–Z, 0–9) 19:For organizational rules on passwords, see 2852:"Password Policy - Updating your approach" 2793: 2736: 2671: 2504: 2328: 2326: 419:is the number of symbols in the password. 56:Using strong passwords lowers the overall 3665: 3655: 3614: 3604: 3572:Remembering Passwords (ChangingMinds.org) 3210: 2546: 1951:Learn how and when to remove this message 1794:recommended writing down one's password: 1711:assist users in choosing strong passwords 1353:an Electronic Frontier Foundation project 186:Entropy as a measure of password strength 16:Resistance of a password to being guessed 2406: 2180: 25: 3740:https://doi.org/10.4018/JITR.2015010103 3192: 3159: 3070:, in Hardware Secrets (August 31, 2009) 2799: 2474:"Passwords are Near the Breaking Point" 2465: 2332: 2323: 2265:, 2e, page 233 ff. John Wiley and Sons. 1838:mnemonic passwords: Some users develop 1403:instructions, advice, or how-to content 45:is a measure of the effectiveness of a 3763: 3480: 2390:"Play Interland - Be Internet Awesome" 2161: 2134: 2132: 2099: 2097: 2095: 2093: 1617:Common sequences from a keyboard row: 415:is the number of possible symbols and 3424: 3162:"HTML version - Rethinking Passwords" 2774: 2562: 1680:Rethinking password change guidelines 668:needed to achieve a desired strength 2986:"Changes in Password Best Practices" 2538:Randomness Requirements for Security 2471: 2394:Play Interland - Be Internet Awesome 2362:Bruce Schneier (December 14, 2006). 2319:from the original on March 27, 2015. 1929:adding citations to reliable sources 1896: 1886: 1830:Password policies sometimes suggest 1825: 1445: 1385: 87: 3580: 3495:from the original on April 11, 2008 3450: 3432:"In Defense of Password Expiration" 3167:Association for Computing Machinery 2919:. UK National Cyber Security Centre 2874:"Choosing and Protecting Passwords" 2854:. 
UK National Cyber Security Centre 2680:from the original on April 18, 2008 2517:from the original on April 13, 2008 2453:from the original on August 6, 2017 2129: 2090: 2009: 1412:so that it is more encyclopedic or 603:extended ASCII printable characters 222: 13: 3525:. Internet Society. Archived from 2965:. Carnegie Mellon University (USA) 2830:"NIST PASSWORD GUIDELINES IN 2020" 2364:"MySpace Passwords aren't so Dumb" 1696: 1266:Password Safety Awareness Projects 14: 3787: 3744: 3107:. Thehackernews.com. 2011-09-06. 2983: 2627:. Distributed.net. Archived from 2424:from the original on July 6, 2012 2370:from the original on May 21, 2014 2027:from the original on July 7, 2009 2021:Choosing and Protecting Passwords 1834:to assist remembering passwords: 1504:List of the most common passwords 1306:. Many handheld devices, such as 1278:NIST Special Publication 800-63-2 3700:from the original on 2015-04-05. 3193:William, Cheswick (2012-12-31). 3160:William, Cheswick (2012-12-31). 3043:from the original on 2019-03-05. 3021:from the original on 2008-04-13. 1901: 1390: 774:rounding up to the next largest 149:to crack passwords much faster. 3704: 3682: 3631: 3565: 3555:, as accessed January 19, 2010 3543: 3507: 3402: 3380: 3358: 3333: 3311: 3289: 3268: 3243: 3219: 3186: 3175:from the original on 2019-11-03 3153: 3144: 3122: 3111:from the original on 2013-05-17 3097: 3094:, as accessed January 20, 2010. 3047: 2977: 2955: 2909: 2887: 2866: 2844: 2822: 2755: 2717: 2706:from the original on 2013-05-21 2692: 2529: 2436: 2382: 2268: 2255: 2200:Password Recovery Speed table, 2150:from the original on 2010-12-30 2144:Georgia Tech Research Institute 1781:Creating and handling passwords 1576:Words with simple obfuscation: 1382:Guidelines for strong passwords 1345:Georgia Tech Research Institute 1338:for the given application. If 143:Georgia Tech Research Institute 121:Systems that use passwords for 3489:"Security Myths and Passwords" 3297:"Passwords in online services" 2702:. 
Stack Overflow. 2011-05-27. 2230: 2211: 2208:S1070 GPU, accessed 2011-02-01 2064: 2039: 75:In 2019, the United Kingdom's 1: 3319:"Digital Identity Guidelines" 3083:Idiots, For Different Reasons 2895:"Digital Identity Guidelines" 2832:. Stealthbits. 18 August 2020 2017:"Cyber Security Tip ST04-002" 2002: 1561:Words with numbers appended: 575:Latin-1 Supplement characters 250:to generate random passwords 3256:. Carnegie Mellon University 3129:Dave Basner (8 March 2019). 3085:(June 30, 2009) (topic post) 2576:. 2010-08-19. Archived from 1487:is recommended by the NCSC. 1300:(see article concerned with 174:be efficiently stored using 145:developed a method of using 84:", "password", and 1111111. 7: 2651:"72-bit key project status" 2625:"64-bit key project status" 1975: 1299: 793:for symbol sets containing 305:, is given by the formula: 251: 198:(Sh) and is a concept from 10: 3792: 3366:"Create a Strong Password" 2763:How safe is your password? 1890: 1700: 1497: 1494:Examples of weak passwords 636: 614: 600: 589:ASCII printable characters 586: 572: 560:ASCII printable characters 557: 546: 532: 517: 500: 486:numerals (0–9, A–F) (e.g. 482: 464: 427:. In the last expression, 226: 170:PSK passwords per second. 32:random password generation 18: 3388:"Login and Password Help" 2744:Choosing Secure Passwords 2479:. Gartner. Archived from 1997:Vulnerability (computing) 1966:random password generator 1237:Human-generated passwords 875: 842: 826: 821: 816: 809: 801: 766:denotes the mathematical 536:Latin alphabet (a–z, A–Z) 229:Random password generator 117:Password guess validation 3412:. Microsoft. 23 May 2019 2782:Choosing a Good Password 2780:University of Maryland, 2511:Write Down Your Password 2023:. US CERT. 21 May 2009. 1330:Required bits of entropy 3776:Password authentication 3734:https://www.google.com/ 3212:10.1145/2405116.2422416 2808:. Syngress Publishing. 
2723:Microsoft Corporation, 2292:10.1145/1242572.1242661 676:symbols, one computes: 194:, which is measured in 3716:www2.eecs.berkeley.edu 3559:June 10, 2010, at the 3090:April 6, 2011, at the 3075:April 6, 2011, at the 2988:. Schneier on Security 2800:Bidwell, Teri (2002). 2507:"Schneier on Security" 2333:Burnett, Mark (2006). 2242:"Guessing and entropy" 2110:. NIST. Archived from 1878:the British government 1801: 1647:, one's username, etc. 1592:attack was reportedly 760: 730: 402: 66:authentication factors 39: 2631:on September 10, 2013 2601:. EFF. Archived from 2169:US patent 7929707 1796: 761: 731: 646:12.925 bits per word 403: 132:Secure Hash Algorithm 29: 2263:Applied Cryptography 2251:. IEEE. p. 204. 2051:www.securityweek.com 1925:improve this section 1763:privilege escalation 1247:uniform distribution 877:printable characters 742: 682: 664:To find the length, 312: 281:. Increasing either 49:against guessing or 30:Options menu of the 3438:on October 12, 2008 3341:"Password guidance" 2449:. NIST. June 2017. 2227:accessed 2011-02-11 1870:information entropy 1410:rewrite the content 1203:256 bits (32 bytes) 1171:224 bits (28 bytes) 1139:192 bits (24 bytes) 1107:160 bits (20 bytes) 1075:128 bits (16 bytes) 798: 442: 291:information entropy 192:information entropy 51:brute-force attacks 3644:J Med Internet Res 3593:J Med Internet Res 3060:2011-04-06 at the 2787:2014-06-14 at the 2768:2008-02-22 at the 2749:2008-02-23 at the 2730:2008-01-01 at the 2605:on January 1, 2010 2366:. Wired Magazine. 2223:2011-02-19 at the 2192:2006-10-17 at the 1725:password blacklist 1538:Dictionary words: 1043:96 bits (12 bytes) 1011:80 bits (10 bytes) 784: 756: 726: 456:Entropy per symbol 440: 398: 217:brute force search 200:information theory 180:cryptographic salt 128:cryptographic hash 40: 3694:Dropbox Tech Blog 3657:10.2196/jmir.2366 3606:10.2196/jmir.1906 3487:Eugene Spafford. 3468:on 17 August 2016 3055:an enlarged image 2984:Bruce, Schneier. 2815:978-1-931836-51-7 2653:. 
Distributed.net 2486:on April 27, 2006 2348:978-1-59749-041-2 2339:Perfect Passwords 2053:. 31 January 2019 1982:Keystroke logging 1961: 1960: 1953: 1887:Password managers 1832:memory techniques 1826:Memory techniques 1514:Default passwords 1500:Password cracking 1446:Common guidelines 1443: 1442: 1376:quantum computers 1234: 1233: 979:64 bits (8 bytes) 947:40 bits (5 bytes) 915:32 bits (4 bytes) 751: 719: 650: 649: 522:(a–z or A–Z, 0–9) 518:Case insensitive 396: 164:cryptographic key 136:Password cracking 88:Password creation 62:security controls 43:Password strength 3783: 3726: 3725: 3723: 3722: 3708: 3702: 3701: 3686: 3680: 3679: 3669: 3659: 3635: 3629: 3628: 3618: 3608: 3584: 3578: 3569: 3563: 3551:Mnemonic Devices 3547: 3541: 3540: 3538: 3537: 3531: 3520: 3511: 3505: 3504: 3502: 3500: 3484: 3478: 3477: 3475: 3473: 3454: 3448: 3447: 3445: 3443: 3428: 3422: 3421: 3419: 3417: 3406: 3400: 3399: 3397: 3395: 3384: 3378: 3377: 3375: 3373: 3362: 3356: 3355: 3353: 3351: 3345: 3337: 3331: 3330: 3328: 3326: 3315: 3309: 3308: 3306: 3304: 3293: 3287: 3286: 3284: 3282: 3272: 3266: 3265: 3263: 3261: 3255: 3247: 3241: 3240: 3238: 3237: 3223: 3217: 3216: 3214: 3190: 3184: 3183: 3181: 3180: 3157: 3151: 3148: 3142: 3141: 3139: 3137: 3126: 3120: 3119: 3117: 3116: 3101: 3095: 3051: 3045: 3044: 3029: 3023: 3022: 3015:www.schneier.com 3007: 2998: 2997: 2995: 2993: 2981: 2975: 2974: 2972: 2970: 2959: 2953: 2952: 2950: 2948: 2938: 2929: 2928: 2926: 2924: 2913: 2907: 2906: 2904: 2902: 2891: 2885: 2884: 2882: 2881: 2870: 2864: 2863: 2861: 2859: 2848: 2842: 2841: 2839: 2837: 2826: 2820: 2819: 2807: 2797: 2791: 2778: 2772: 2759: 2753: 2742:Bruce Schneier, 2740: 2734: 2721: 2715: 2714: 2712: 2711: 2696: 2690: 2689: 2687: 2685: 2672:Bruce Schneier. 2669: 2663: 2662: 2660: 2658: 2647: 2641: 2640: 2638: 2636: 2621: 2615: 2614: 2612: 2610: 2595: 2589: 2588: 2586: 2585: 2580:on July 11, 2013 2566: 2560: 2559: 2550: 2548:10.17487/RFC4086 2533: 2527: 2526: 2524: 2522: 2505:Bruce Schneier. 
2502: 2496: 2495: 2493: 2491: 2485: 2478: 2469: 2463: 2462: 2460: 2458: 2448: 2440: 2434: 2433: 2431: 2429: 2419: 2410: 2404: 2403: 2401: 2400: 2386: 2380: 2379: 2377: 2375: 2359: 2353: 2352: 2330: 2321: 2320: 2318: 2281: 2272: 2266: 2259: 2253: 2252: 2246: 2234: 2228: 2215: 2209: 2184: 2178: 2177: 2176: 2172: 2165: 2159: 2158: 2156: 2155: 2136: 2127: 2126: 2124: 2122: 2117:on July 12, 2004 2116: 2109: 2101: 2088: 2087: 2085: 2083: 2068: 2062: 2061: 2059: 2058: 2043: 2037: 2036: 2034: 2032: 2013: 1956: 1949: 1945: 1942: 1936: 1905: 1897: 1893:Password manager 1686:William Cheswick 1485:password manager 1438: 1435: 1429: 1394: 1393: 1386: 1372:digital computer 1308:tablet computers 1305: 1302:keyboard layouts 1272:Tower Of Tresure 823:Case insensitive 802:Desired password 799: 783: 768:ceiling function 765: 763: 762: 757: 755: 749: 735: 733: 732: 727: 725: 724: 720: 718: 711: 710: 697: 502:Case insensitive 443: 439: 407: 405: 404: 399: 397: 395: 384: 373: 359: 358: 343: 342: 330: 329: 295:base-2 logarithm 269:, from a set of 257: 223:Random passwords 208:base-2 logarithm 3791: 3790: 3786: 3785: 3784: 3782: 3781: 3780: 3761: 3760: 3747: 3730: 3729: 3720: 3718: 3710: 3709: 3705: 3688: 3687: 3683: 3636: 3632: 3585: 3581: 3570: 3566: 3561:Wayback Machine 3548: 3544: 3535: 3533: 3529: 3518: 3512: 3508: 3498: 3496: 3485: 3481: 3471: 3469: 3456: 3455: 3451: 3441: 3439: 3430: 3429: 3425: 3415: 3413: 3408: 3407: 3403: 3393: 3391: 3386: 3385: 3381: 3371: 3369: 3364: 3363: 3359: 3349: 3347: 3343: 3339: 3338: 3334: 3324: 3322: 3317: 3316: 3312: 3302: 3300: 3295: 3294: 3290: 3280: 3278: 3274: 3273: 3269: 3259: 3257: 3253: 3249: 3248: 3244: 3235: 3233: 3225: 3224: 3220: 3191: 3187: 3178: 3176: 3158: 3154: 3149: 3145: 3135: 3133: 3127: 3123: 3114: 3112: 3103: 3102: 3098: 3092:Wayback Machine 3077:Wayback Machine 3062:Wayback Machine 3052: 3048: 3037:www.ncsc.gov.uk 3031: 3030: 3026: 3009: 3008: 3001: 2991: 2989: 2982: 2978: 2968: 2966: 2961: 2960: 2956: 2946: 2944: 2940: 2939: 
2932: 2922: 2920: 2915: 2914: 2910: 2900: 2898: 2893: 2892: 2888: 2879: 2877: 2872: 2871: 2867: 2857: 2855: 2850: 2849: 2845: 2835: 2833: 2828: 2827: 2823: 2816: 2798: 2794: 2789:Wayback Machine 2779: 2775: 2770:Wayback Machine 2760: 2756: 2751:Wayback Machine 2741: 2737: 2732:Wayback Machine 2722: 2718: 2709: 2707: 2698: 2697: 2693: 2683: 2681: 2670: 2666: 2656: 2654: 2649: 2648: 2644: 2634: 2632: 2623: 2622: 2618: 2608: 2606: 2597: 2596: 2592: 2583: 2581: 2568: 2567: 2563: 2535: 2534: 2530: 2520: 2518: 2503: 2499: 2489: 2487: 2483: 2476: 2470: 2466: 2456: 2454: 2446: 2442: 2441: 2437: 2427: 2425: 2417: 2411: 2407: 2398: 2396: 2388: 2387: 2383: 2373: 2371: 2360: 2356: 2349: 2331: 2324: 2316: 2302: 2286:. p. 657. 2279: 2273: 2269: 2260: 2256: 2244: 2235: 2231: 2225:Wayback Machine 2216: 2212: 2194:Wayback Machine 2185: 2181: 2174: 2166: 2162: 2153: 2151: 2138: 2137: 2130: 2120: 2118: 2114: 2107: 2103: 2102: 2091: 2081: 2079: 2078:. 21 April 2019 2070: 2069: 2065: 2056: 2054: 2045: 2044: 2040: 2030: 2028: 2015: 2014: 2010: 2005: 1978: 1957: 1946: 1940: 1937: 1922: 1906: 1895: 1889: 1828: 1783: 1705: 1703:Password policy 1699: 1697:Password policy 1682: 1598:Doubled words: 1556:IntenseCrabtree 1506: 1496: 1448: 1439: 1433: 1430: 1407: 1395: 1391: 1384: 1367:distributed.net 1362:distributed.net 1332: 1295: 1280: 1239: 883:8 bits (1 byte) 872: 867: 861: 854: 846: 838: 812: 803: 745: 743: 740: 739: 706: 702: 701: 696: 692: 691: 683: 680: 679: 466:Arabic numerals 457: 450: 423:is measured in 409: 385: 374: 372: 354: 350: 338: 334: 325: 321: 313: 310: 309: 300: 260:password policy 231: 225: 188: 119: 90: 24: 21:Password policy 17: 12: 11: 5: 3789: 3779: 3778: 3773: 3759: 3758: 3753: 3746: 3745:External links 3743: 3728: 3727: 3703: 3681: 3630: 3579: 3564: 3542: 3506: 3479: 3449: 3423: 3401: 3390:. FaceBook Inc 3379: 3357: 3332: 3310: 3288: 3267: 3242: 3218: 3185: 3152: 3150:Bidwell, p. 
87 3143: 3121: 3096: 3066:Sandy Berger, 3064:in support of 3046: 3024: 2999: 2976: 2954: 2930: 2908: 2886: 2865: 2843: 2821: 2814: 2792: 2773: 2761:Google, Inc., 2754: 2735: 2716: 2691: 2664: 2642: 2616: 2590: 2561: 2528: 2497: 2464: 2435: 2405: 2381: 2354: 2347: 2322: 2300: 2267: 2254: 2229: 2210: 2179: 2160: 2128: 2089: 2063: 2038: 2007: 2006: 2004: 2001: 2000: 1999: 1994: 1989: 1984: 1977: 1974: 1959: 1958: 1909: 1907: 1900: 1891:Main article: 1888: 1885: 1884: 1883: 1882: 1881: 1859: 1851: 1848: 1827: 1824: 1823: 1822: 1819: 1815: 1812: 1808: 1792:Bruce Schneier 1788:mobile devices 1782: 1779: 1778: 1777: 1766: 1755: 1752: 1745: 1744: 1741: 1729: 1728: 1721: 1718: 1715: 1712: 1701:Main article: 1698: 1695: 1681: 1678: 1668: 1667: 1664: 1661: 1658: 1655: 1651: 1648: 1633: 1630: 1615: 1596: 1574: 1559: 1536: 1533: 1495: 1492: 1476: 1475: 1472: 1468: 1465: 1462: 1459: 1456: 1447: 1444: 1441: 1440: 1398: 1396: 1389: 1383: 1380: 1340:key stretching 1331: 1328: 1324:Bruce Schneier 1294: 1291: 1279: 1276: 1238: 1235: 1232: 1231: 1228: 1225: 1222: 1219: 1216: 1213: 1210: 1207: 1204: 1200: 1199: 1196: 1193: 1190: 1187: 1184: 1181: 1178: 1175: 1172: 1168: 1167: 1164: 1161: 1158: 1155: 1152: 1149: 1146: 1143: 1140: 1136: 1135: 1132: 1129: 1126: 1123: 1120: 1117: 1114: 1111: 1108: 1104: 1103: 1100: 1097: 1094: 1091: 1088: 1085: 1082: 1079: 1076: 1072: 1071: 1068: 1065: 1062: 1059: 1056: 1053: 1050: 1047: 1044: 1040: 1039: 1036: 1033: 1030: 1027: 1024: 1021: 1018: 1015: 1012: 1008: 1007: 1004: 1001: 998: 995: 992: 989: 986: 983: 980: 976: 975: 972: 969: 966: 963: 960: 957: 954: 951: 948: 944: 943: 940: 937: 934: 931: 928: 925: 922: 919: 916: 912: 911: 908: 905: 902: 899: 896: 893: 890: 887: 884: 880: 879: 874: 869: 864: 857: 849: 848: 841: 833: 830: 828:Case sensitive 825: 820: 815: 808: 754: 748: 723: 717: 714: 709: 705: 700: 695: 690: 687: 652: 651: 648: 647: 644: 641: 634: 633: 630: 627: 612: 611: 608: 605: 598: 597: 594: 591: 584: 583: 580: 577: 570: 569: 566: 563: 555: 
554: 551: 548: 544: 543: 540: 537: 534:Case sensitive 530: 529: 526: 523: 515: 514: 511: 508: 505:Latin alphabet 498: 497: 494: 491: 480: 479: 476: 473: 462: 461: 454: 447: 431:can be to any 394: 391: 388: 383: 380: 377: 371: 368: 365: 362: 357: 353: 349: 346: 341: 337: 333: 328: 324: 320: 317: 307: 298: 227:Main article: 224: 221: 187: 184: 176:rainbow tables 156:key stretching 123:authentication 118: 115: 89: 86: 15: 9: 6: 4: 3: 2: 3788: 3777: 3774: 3772: 3769: 3768: 3766: 3757: 3754: 3752: 3749: 3748: 3742: 3741: 3736: 3735: 3717: 3713: 3707: 3699: 3695: 3691: 3685: 3677: 3673: 3668: 3663: 3658: 3653: 3649: 3645: 3641: 3634: 3626: 3622: 3617: 3612: 3607: 3602: 3598: 3594: 3590: 3583: 3576: 3573: 3568: 3562: 3558: 3554: 3552: 3546: 3532:on 2017-03-30 3528: 3524: 3517: 3510: 3494: 3490: 3483: 3467: 3463: 3459: 3453: 3437: 3433: 3427: 3411: 3405: 3389: 3383: 3367: 3361: 3342: 3336: 3320: 3314: 3298: 3292: 3277: 3271: 3252: 3246: 3232: 3228: 3222: 3213: 3208: 3205:(12): 50–56. 3204: 3200: 3196: 3189: 3174: 3170: 3168: 3163: 3156: 3147: 3132: 3125: 3110: 3106: 3100: 3093: 3089: 3086: 3084: 3078: 3074: 3071: 3069: 3063: 3059: 3056: 3050: 3042: 3038: 3034: 3028: 3020: 3016: 3012: 3006: 3004: 2987: 2980: 2964: 2958: 2943: 2937: 2935: 2918: 2912: 2896: 2890: 2875: 2869: 2853: 2847: 2831: 2825: 2817: 2811: 2806: 2805: 2796: 2790: 2786: 2783: 2777: 2771: 2767: 2764: 2758: 2752: 2748: 2745: 2739: 2733: 2729: 2726: 2720: 2705: 2701: 2695: 2679: 2675: 2668: 2652: 2646: 2630: 2626: 2620: 2604: 2600: 2594: 2579: 2575: 2571: 2565: 2557: 2554: 2549: 2544: 2540: 2539: 2532: 2516: 2512: 2508: 2501: 2482: 2475: 2468: 2452: 2445: 2439: 2423: 2416: 2409: 2395: 2391: 2385: 2369: 2365: 2358: 2350: 2344: 2340: 2336: 2335:Kleiman, Dave 2329: 2327: 2315: 2311: 2307: 2303: 2301:9781595936547 2297: 2293: 2289: 2285: 2278: 2271: 2264: 2261:Schneier, B: 2258: 2250: 2243: 2239: 2233: 2226: 2222: 2219: 2214: 2207: 2203: 2199: 2195: 2191: 2188: 2187:Elcomsoft.com 2183: 2170: 2164: 2149: 2145: 
2141: 2135: 2133: 2113: 2106: 2100: 2098: 2096: 2094: 2077: 2073: 2067: 2052: 2048: 2042: 2026: 2022: 2018: 2012: 2008: 1998: 1995: 1993: 1990: 1988: 1985: 1983: 1980: 1979: 1973: 1971: 1967: 1955: 1952: 1944: 1934: 1930: 1926: 1920: 1919: 1915: 1910:This section 1908: 1904: 1899: 1898: 1894: 1879: 1875: 1871: 1867: 1863: 1862: 1860: 1856: 1852: 1849: 1846: 1841: 1837: 1836: 1835: 1833: 1820: 1816: 1813: 1809: 1806: 1805: 1804: 1800: 1795: 1793: 1789: 1775: 1771: 1767: 1764: 1760: 1756: 1753: 1750: 1749: 1748: 1742: 1739: 1738: 1737: 1733: 1726: 1722: 1719: 1716: 1713: 1710: 1709: 1708: 1704: 1694: 1690: 1687: 1677: 1674: 1665: 1662: 1659: 1656: 1652: 1649: 1646: 1642: 1638: 1635:Identifiers: 1634: 1631: 1628: 1624: 1620: 1616: 1613: 1609: 1605: 1601: 1597: 1595: 1591: 1587: 1583: 1579: 1575: 1572: 1568: 1564: 1560: 1557: 1553: 1549: 1545: 1541: 1537: 1534: 1531: 1527: 1523: 1519: 1515: 1512: 1511: 1510: 1505: 1501: 1491: 1488: 1486: 1480: 1473: 1469: 1466: 1463: 1460: 1457: 1454: 1453: 1452: 1437: 1427: 1423: 1419: 1415: 1411: 1405: 1404: 1399:This article 1397: 1388: 1387: 1379: 1377: 1373: 1368: 1364: 1363: 1358: 1355:broke 56-bit 1354: 1349: 1346: 1341: 1337: 1327: 1325: 1319: 1315: 1313: 1309: 1303: 1290: 1286: 1284: 1275: 1273: 1268: 1267: 1263: 1260: 1254: 1250: 1248: 1243: 1229: 1226: 1223: 1220: 1217: 1214: 1211: 1208: 1205: 1202: 1201: 1197: 1194: 1191: 1188: 1185: 1182: 1179: 1176: 1173: 1170: 1169: 1165: 1162: 1159: 1156: 1153: 1150: 1147: 1144: 1141: 1138: 1137: 1133: 1130: 1127: 1124: 1121: 1118: 1115: 1112: 1109: 1106: 1105: 1101: 1098: 1095: 1092: 1089: 1086: 1083: 1080: 1077: 1074: 1073: 1069: 1066: 1063: 1060: 1057: 1054: 1051: 1048: 1045: 1042: 1041: 1037: 1034: 1031: 1028: 1025: 1022: 1019: 1016: 1013: 1010: 1009: 1005: 1002: 999: 996: 993: 990: 987: 984: 981: 978: 977: 973: 970: 967: 964: 961: 958: 955: 952: 949: 946: 945: 941: 938: 935: 932: 929: 926: 923: 920: 917: 914: 913: 909: 906: 903: 900: 897: 894: 891: 888: 885: 882: 881: 878: 870: 
865: 863: 858: 856: 851: 850: 845: 840: 834: 831: 829: 824: 819: 814: 807: 800: 796: 792: 788: 782: 779: 777: 773: 769: 752: 746: 736: 721: 715: 712: 707: 703: 698: 693: 688: 685: 677: 675: 671: 667: 662: 660: 657: 645: 642: 639: 635: 631: 628: 625: 621: 617: 613: 609: 606: 604: 599: 595: 592: 590: 585: 581: 578: 576: 571: 567: 564: 561: 556: 552: 549: 545: 541: 538: 535: 531: 527: 524: 521: 516: 512: 509: 506: 503: 499: 495: 492: 489: 485: 481: 477: 474: 471: 467: 463: 460: 455: 453: 448: 445: 444: 438: 437: 436: 434: 430: 426: 422: 418: 414: 408: 392: 389: 386: 381: 378: 375: 369: 366: 363: 360: 355: 351: 347: 344: 339: 335: 331: 326: 322: 318: 315: 306: 304: 296: 292: 288: 284: 280: 276: 272: 268: 263: 261: 255: 249: 243: 241: 237: 230: 220: 218: 214: 209: 205: 201: 197: 193: 183: 181: 177: 171: 169: 165: 160: 157: 152: 148: 144: 139: 137: 133: 129: 124: 114: 112: 106: 104: 100: 94: 85: 83: 78: 73: 69: 67: 63: 59: 54: 52: 48: 44: 37: 33: 28: 22: 3771:Cryptography 3737: 3731: 3719:. Retrieved 3715: 3706: 3693: 3684: 3647: 3643: 3633: 3596: 3592: 3582: 3567: 3550: 3545: 3534:. Retrieved 3527:the original 3522: 3509: 3497:. Retrieved 3482: 3470:. Retrieved 3466:the original 3461: 3452: 3440:. Retrieved 3436:the original 3426: 3414:. Retrieved 3404: 3392:. Retrieved 3382: 3370:. Retrieved 3368:. Google Inc 3360: 3348:. Retrieved 3335: 3323:. Retrieved 3313: 3301:. Retrieved 3291: 3279:. Retrieved 3270: 3258:. Retrieved 3245: 3234:. Retrieved 3230: 3221: 3202: 3198: 3188: 3177:. Retrieved 3165: 3155: 3146: 3134:. Retrieved 3124: 3113:. Retrieved 3099: 3082: 3067: 3049: 3036: 3027: 3014: 2990:. Retrieved 2979: 2967:. Retrieved 2957: 2945:. Retrieved 2921:. Retrieved 2911: 2899:. Retrieved 2889: 2878:. Retrieved 2868: 2856:. Retrieved 2846: 2834:. Retrieved 2824: 2803: 2795: 2776: 2757: 2738: 2719: 2708:. Retrieved 2694: 2682:. Retrieved 2667: 2655:. Retrieved 2645: 2633:. Retrieved 2629:the original 2619: 2607:. Retrieved 2603:the original 2593: 2582:. 
Retrieved 2578:the original 2564: 2537: 2531: 2519:. Retrieved 2510: 2500: 2488:. Retrieved 2481:the original 2467: 2455:. Retrieved 2438: 2426:. Retrieved 2408: 2397:. Retrieved 2393: 2384: 2372:. Retrieved 2357: 2338: 2283: 2270: 2262: 2257: 2248: 2238:James Massey 2232: 2213: 2206:Nvidia Tesla 2182: 2163: 2152:. Retrieved 2119:. Retrieved 2112:the original 2080:. Retrieved 2075: 2066: 2055:. Retrieved 2050: 2041: 2029:. Retrieved 2020: 2011: 1962: 1947: 1938: 1923:Please help 1911: 1865: 1829: 1802: 1797: 1784: 1773: 1769: 1761:, often via 1746: 1734: 1730: 1706: 1691: 1683: 1672: 1669: 1644: 1640: 1636: 1626: 1622: 1618: 1611: 1607: 1603: 1599: 1593: 1585: 1581: 1577: 1570: 1566: 1562: 1555: 1551: 1547: 1543: 1539: 1529: 1525: 1521: 1517: 1507: 1489: 1481: 1477: 1449: 1434:January 2022 1431: 1408:Please help 1400: 1366: 1360: 1350: 1336:threat model 1333: 1320: 1316: 1312:smart phones 1296: 1287: 1281: 1271: 1269: 1265: 1264: 1258: 1255: 1251: 1244: 1240: 805: 794: 790: 786: 780: 776:whole number 771: 737: 678: 673: 669: 665: 663: 653: 618:(0–255 or 8 562:except space 520:alphanumeric 507:(a–z or A–Z) 468:(0–9) (e.g. 458: 451: 449:Symbol count 428: 420: 416: 412: 410: 308: 302: 293:is just the 286: 282: 278: 274: 270: 266: 264: 244: 232: 189: 172: 161: 140: 120: 111:social media 107: 95: 91: 74: 70: 55: 42: 41: 3650:(8): e161. 2657:October 12, 2204:passwords, 1970:key logging 1941:August 2023 1874:brute force 1418:Wikiversity 818:Hexadecimal 632:8.000 bits 610:7.768 bits 596:6.570 bits 582:6.555 bits 568:6.555 bits 553:5.954 bits 542:5.700 bits 528:5.170 bits 513:4.700 bits 496:4.000 bits 484:Hexadecimal 478:3.322 bits 3765:Categories 3721:2023-10-01 3599:(1): e10. 3536:2017-03-30 3462:IA Matters 3236:2023-09-24 3179:2019-11-03 3115:2013-03-17 2880:2023-10-10 2710:2013-03-17 2584:2010-11-07 2472:A. Allan. 2399:2024-09-10 2154:2010-11-07 2057:2020-10-31 2003:References 1987:Passphrase 1594:Pr0d@dm1n. 
1498:See also: 1426:Wikivoyage 847:word list 446:Symbol set 240:passphrase 3499:April 14, 3442:April 14, 3231:Bitwarden 2684:March 27, 2635:March 27, 2609:March 27, 2521:April 10, 2490:April 10, 2457:August 6, 2428:March 21, 2374:April 11, 2198:ElcomSoft 2121:April 20, 1912:does not 1872:, making 1811:password. 1637:jsmith123 1590:DigiNotar 1582:l33th4x0r 1563:password1 1552:bunnyhop! 1540:chameleon 1422:Wikibooks 1401:contains 1230:20 words 1198:18 words 1166:15 words 1134:13 words 1102:10 words 832:All ASCII 713:⁡ 640:word list 390:⁡ 379:⁡ 361:⁡ 332:⁡ 213:fair coin 151:Elcomsoft 99:plaintext 3698:Archived 3676:23942458 3625:22233980 3575:Archived 3557:Archived 3493:Archived 3173:Archived 3136:25 March 3109:Archived 3088:Archived 3081:Kanhef, 3073:Archived 3058:Archived 3041:Archived 3019:Archived 2785:Archived 2766:Archived 2747:Archived 2728:Archived 2704:Archived 2678:Archived 2574:NBC News 2515:Archived 2451:Archived 2422:Archived 2368:Archived 2314:Archived 2310:10648989 2240:(1994). 2221:Archived 2190:Archived 2148:Archived 2082:24 April 2076:BBC News 2031:June 20, 2025:Archived 1992:Phishing 1976:See also 1866:pinray45 1855:rhomboid 1845:diceware 1840:mnemonic 1759:backdoor 1645:555–1234 1641:1/1/1970 1612:passpass 1608:treetree 1604:stopstop 1600:crabcrab 1586:g0ldf1sh 1578:p@ssw0rd 1571:john1234 1567:deer2000 1548:sandbags 1518:password 1070:8 words 1038:7 words 1006:5 words 974:4 words 942:3 words 868:alphabet 855:alphabet 844:Diceware 837:Extended 813:numerals 804:entropy 797:symbols 785:Lengths 753:⌉ 747:⌈ 722:⌉ 694:⌈ 638:Diceware 47:password 34:tool in 3667:3742392 3616:3846346 2337:(ed.). 1933:removed 1918:sources 1818:system. 1522:default 1471:dates). 910:1 word 873:numeric 862:numeric 277:, i.e. 
196:shannon 36:KeePass 3674:  3664:  3623:  3613:  3416:17 May 3394:17 May 3372:17 May 3350:17 May 3325:17 May 3303:17 May 3281:17 May 3260:17 May 2992:17 May 2969:17 May 2947:17 May 2923:17 May 2901:17 May 2858:17 May 2836:17 May 2812:  2345:  2308:  2298:  2175:  1723:use a 1627:asdfgh 1623:123456 1619:qwerty 1614:, etc. 1544:RedSox 1416:it to 871:alpha- 860:alpha- 811:Arabic 750:  738:where 656:binary 616:Binary 411:where 297:or log 103:hashed 82:qwerty 3530:(PDF) 3519:(PDF) 3472:5 Aug 3344:(PDF) 3254:(PDF) 3199:Queue 3169:(ACM) 2484:(PDF) 2477:(PDF) 2447:(PDF) 2418:(PDF) 2317:(PDF) 2306:S2CID 2280:(PDF) 2245:(PDF) 2115:(PDF) 2108:(PDF) 1858:made. 1530:guest 1526:admin 1483:of a 1424:, or 866:Latin 853:Latin 839:ASCII 622:or 1 490:keys) 252:(see 236:ASCII 147:GPGPU 3672:PMID 3621:PMID 3501:2008 3474:2016 3444:2008 3418:2021 3396:2021 3374:2021 3352:2021 3327:2021 3305:2021 3283:2021 3262:2021 3138:2019 2994:2021 2971:2021 2949:2021 2925:2021 2903:2021 2860:2021 2838:2021 2810:ISBN 2686:2008 2659:2011 2637:2008 2611:2008 2556:4086 2523:2008 2492:2008 2459:2017 2430:2012 2376:2008 2343:ISBN 2296:ISBN 2202:NTLM 2123:2014 2084:2019 2033:2009 1916:any 1914:cite 1774:much 1502:and 1414:move 1310:and 1283:NIST 835:All 772:i.e. 659:byte 643:7776 624:byte 620:bits 601:All 587:All 573:All 558:All 433:base 425:bits 248:dice 204:bits 101:and 77:NCSC 58:risk 3662:PMC 3652:doi 3611:PMC 3601:doi 3207:doi 2553:RFC 2543:doi 2288:doi 1927:by 1673:not 1357:DES 1259:not 704:log 629:256 607:218 488:WEP 470:PIN 429:log 387:log 376:log 352:log 323:log 285:or 242:). 168:WPA 3767:: 3714:. 3696:. 3692:. 3670:. 3660:. 3648:15 3646:. 3642:. 3619:. 3609:. 3597:14 3595:. 3591:. 3521:. 3460:. 3229:. 3203:10 3201:. 3197:. 3171:. 3164:. 3039:. 3035:. 3017:. 3013:. 3002:^ 2933:^ 2676:. 2572:. 2551:. 2541:. 2513:. 2509:. 2420:. 2392:. 2325:^ 2312:. 2304:. 2294:. 2282:. 2247:. 2196:, 2146:. 2142:. 2131:^ 2092:^ 2074:. 2049:. 2019:. 
1770:or 1643:, 1639:, 1625:, 1621:, 1610:, 1606:, 1602:, 1584:, 1580:, 1569:, 1565:, 1554:, 1550:, 1546:, 1542:, 1528:, 1524:, 1520:, 1420:, 1227:33 1224:39 1221:43 1218:45 1215:50 1212:55 1209:64 1206:78 1195:29 1192:35 1189:38 1186:40 1183:44 1180:48 1177:56 1174:68 1163:25 1160:30 1157:33 1154:34 1151:38 1148:41 1145:48 1142:58 1131:21 1128:25 1125:27 1122:29 1119:31 1116:35 1113:40 1110:49 1099:17 1096:20 1093:22 1090:23 1087:25 1084:28 1081:32 1078:39 1067:13 1064:15 1061:17 1058:17 1055:19 1052:21 1049:24 1046:29 1035:11 1032:13 1029:14 1026:15 1023:16 1020:18 1017:20 1014:25 1000:10 997:11 994:12 991:13 988:14 985:16 982:20 953:10 950:13 918:10 778:. 770:, 670:H, 666:L, 654:A 593:95 579:94 565:94 550:62 539:52 525:36 510:26 493:16 475:10 435:. 3724:. 3678:. 3654:: 3627:. 3603:: 3539:. 3503:. 3476:. 3446:. 3420:. 3398:. 3376:. 3354:. 3329:. 3307:. 3285:. 3264:. 3239:. 3215:. 3209:: 3182:. 3140:. 3118:. 2996:. 2973:. 2951:. 2927:. 2905:. 2883:. 2862:. 2840:. 2818:. 2713:. 2688:. 2661:. 2639:. 2613:. 2587:. 2558:. 2545:: 2525:. 2494:. 2461:. 2432:. 2402:. 2378:. 2351:. 2290:: 2157:. 2125:. 2086:. 2060:. 2035:. 1954:) 1948:( 1943:) 1939:( 1935:. 1921:. 1436:) 1432:( 1428:. 1406:. 1304:) 1003:9 971:6 968:7 965:7 962:8 959:8 956:9 939:5 936:5 933:6 930:6 927:7 924:7 921:8 907:2 904:2 901:2 898:2 895:2 892:2 889:2 886:3 806:H 795:N 791:H 787:L 716:N 708:2 699:H 689:= 686:L 674:N 626:) 472:) 459:H 452:N 421:H 417:L 413:N 393:2 382:N 370:L 367:= 364:N 356:2 348:L 345:= 340:L 336:N 327:2 319:= 316:H 303:H 299:2 287:N 283:L 279:N 275:L 271:N 267:L 256:) 80:" 23:.


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.