This document discusses password security and different password strategies. It explains that longer, more complex passwords are harder to guess due to higher entropy. Traditional passwords can have high per-character entropy but are hard to remember and reuse. Proper phrase passwords have overall higher entropy than traditional passwords due to using multiple words, while still being memorable. The document recommends at least 75 bits of entropy, which can be achieved with over 12 random characters or six random words from a large dictionary.

1. Password Security

2. Security
● Password security = difficulty to guess
● More possible passwords = harder to guess
● Longer and more complex passwords = better
passwords

3. Entropy
Informational Entropy (bits): log2
(n)
n = combinations for password
n = a^b
a = valid characters
b = # of characters
Entropy = log2
(ab
)

4. Traditional Passwords
Password: eE7zqv@
Valid Characters (a) = 96
# Characters (b) = 8
Entropy = log2
(968
) = 52.68

5. Traditional Benefits
● High per-character entropy
– Permits small passwords that are still secure
● Good in situations where password length is
limited

6. Traditional Harms
● Hard to remember
● Bad User Habits
– Post-its
– Forms of sharing (e.g. email)
● Low-overall entropy

7. Proper Passwords
Dictionary Based
Example: muddle refresh laureate sanitation
comfort mimic
Actual Password:
muddlerefreshlaureatesanitationcomfortmimic

8. Phrase Passwords (Worst-Case)
Password: copper bleakness foul curious disciple
flesh
Valid “Characters” (Words) (a) = 2048
# Words (b) = 6
Entropy = log2
(20486
) = 66.00

9. Note on Worst-Case Phrase
● Entropy of Dictionary Attack relies on word set
picked from (and assuming hacker knows/uses
this dictionary with no additional words)
● Larger word set = more secure
● 2200 formal noun generators exist
● 7776 common word algorithm exists
– Log2
(77766
) = 77.55

10. Phrase Benefits
● Overall high entropy
● Easy to remember
● Prevents bad user habits

11. Phrase Harms
● Very long length may result in high user error
● Low entropy per-letter but see next slide

12. Phrase Lowercase Letters
Password: copper bleakness foul curious disciple
flesh
Valid Characters (a) = 26
# Characters (b) = 40
Entropy = log2
(2640
) = 188.02

13. Phrase All Characters
Password: copper bleakness foul curious disciple
flesh
Valid Characters (a) = 96
# Characters (b) = 40
Entropy = log2
(9640
) = 263.40

14. Entropy Summary
Traditional Entropy: 52.68
Phrase Worst-Case Entropy: 77.5
Phrase Best-Case Entropy: 263.40
User Habits Are Much More Important

15. Entropy Recommendations
● Recent paper suggests entropy at least ~75 for
vital info
● This means >12 random characters or six
random words from 7776 word dictionary (7
words from 2048 word dictionary)

16. Summary
Old, Less-Secure Way: `=RD~:7Zz"2h
New, More-Secure Way: rich clam flytrap frisky
empty serenity parasite

17. Password