Strong passwords help keep our accounts safer from intruders. While trying not to fall into the notion that overly complex passwords are needed, the goal is to create passwords or passphrases that are easily memorable and yet not easily guessable by anyone else. Canary Consoles implement NIST password guidelines, which boil down to improving your password's entropy.
What is Password Entropy?
Password entropy is a measure of password strength — how unpredictable or unguessable a password is. It indicates how effective a password is against hackers attempting to gain access through guessing or a brute-force attack.
A password's entropy depends on both the types of characters used (e.g. lowercase letters, uppercase letters, numerical digits or special characters) and the password length. This is expressed in terms of entropy bits: the lower the entropy count, the easier it is to guess. Conversely, the higher the entropy count, the harder it is to brute-force the password.
How to improve password entropy
To create a password with higher entropy:
- Use more character types — include lowercase, uppercase, digits and special characters.
- Make the password longer — longer passwords have higher entropy than shorter passwords.
Autogenerated passwords from most password managers will have very high entropy; our recommendation is to use a password manager and not memorise your passwords.
How many bits of entropy should a password have?
A password's entropy is calculated as the base-2 logarithm of the number of possible characters (the character pool) raised to the power of the password length, which is the same as the length multiplied by log2 of the pool size.
Entropy = log2(Range of characters ^ length) = length × log2(Range of characters)
| Bits of entropy | Password strength | Example |
|---|---|---|
| 0-35 | Very Weak | h@w@ |
| 36-59 | Weak | h@w@iian |
| 60-119 | Strong | The999Haw@11@nB££f |
| 120 and above | Very strong | These999Haw@11@nB££feR$$ |
Fig. 1. An example of passwords of different strengths
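To see how the formula produces the bands in the table, here is an added example (not code from Canary or the original article) that detects which character classes a password uses, sums their pool sizes and applies length × log2(pool). The pool sizes (26 lowercase, 26 uppercase, 10 digits, 32 special characters) are assumptions; the page does not state them.

```python
import math

# Character classes and their assumed pool sizes. Anything that is not a
# letter or digit (including the table's "£") is counted as a special character.
CLASSES = {
    "lower":   (lambda c: c.islower(), 26),
    "upper":   (lambda c: c.isupper(), 26),
    "digit":   (lambda c: c.isdigit(), 10),
    "special": (lambda c: not c.isalnum(), 32),
}


def character_pool(password: str) -> int:
    """Sum the pool sizes of every character class that appears in the password."""
    return sum(size for test, size in CLASSES.values()
               if any(test(c) for c in password))


def entropy_bits(password: str) -> float:
    """Entropy = log2(pool ** length), computed as length * log2(pool)."""
    pool = character_pool(password)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def strength_label(bits: float) -> str:
    """Map an entropy value to the strength bands used in the table above."""
    if bits < 36:
        return "Very Weak"
    if bits < 60:
        return "Weak"
    if bits < 120:
        return "Strong"
    return "Very strong"


if __name__ == "__main__":
    # The four example passwords from the table (Fig. 1).
    for pw in ("h@w@", "h@w@iian", "The999Haw@11@nB££f", "These999Haw@11@nB££feR$$"):
        bits = entropy_bits(pw)
        print(f"{pw:26} pool={character_pool(pw):3} bits={bits:6.1f} {strength_label(bits)}")
```

Note that this formula assumes every character was chosen uniformly at random; a password built from dictionary words with substitutions (such as h@w@iian) is guessed far sooner than its bit count suggests, which is why the page recommends generated passwords from a password manager.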
Summary
When creating passwords, using longer strings with a mix of character types improves the password's strength against hackers attempting a brute-force attack. This does not necessarily mean creating super complex passwords that are impossible to remember, but rather ones that are memorable to you and yet unguessable by anyone else.