Password Strength - Wikipedia


Password strength

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.[1]

[Figure: Options menu of the random password generation tool in Bitwarden. Enabling more character subsets raises the strength of generated passwords a small amount, whereas increasing their length raises the strength a large amount.]

Using strong passwords lowers the overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.[2] The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication factors (knowledge, ownership, inherence). The first factor is the main focus of this article.

The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g. three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secured with relatively simple passwords. However, the system stores information about the user's passwords in some form, and if that information is stolen, say by breaching system security, the user's passwords can be at risk.

In 2019, the United Kingdom's NCSC analyzed public databases of breached accounts to see which words, phrases, and strings people used. The most popular password on the list was 123456, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while the top five included
" t " " d" d 1111111 [3]
Password creation

Passwords are created either automatically (using randomizing equipment) or by a human; the latter case is more common. While the strength of randomly chosen passwords against a brute-force attack can be calculated with precision, determining the strength of human-generated passwords is difficult.

Typically, humans are asked to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or internet website. Only rough estimates of strength are possible since humans tend to follow patterns in such tasks, and those patterns can usually assist an attacker.[4] In addition, lists of commonly chosen passwords are widely available for use by password-guessing programs. Such lists include the numerous online dictionaries for various human languages, breached databases of plaintext and hashed passwords from various online business and social accounts, along with other common passwords. All items in such lists are considered weak, as are passwords that are simple modifications of them.

Although random password generation programs are available nowadays which are meant to be easy to use, they usually generate random, hard-to-remember passwords, often resulting in people preferring to choose their own. However, this is inherently insecure because the person's lifestyle, entertainment preferences, and other key individualistic qualities usually come into play to influence the choice of password, while the prevalence of online social media has made obtaining information about people much easier.

Password guess validation

Systems that use passwords for authentication must have some way to check any password entered to gain access. If the valid passwords are simply stored in a system file or database, an attacker who gains sufficient access to the system will obtain all user passwords, giving the attacker access to all accounts on the attacked system and possibly other systems where users employ the same or similar passwords. One way to reduce this risk is to store only a cryptographic hash of each password instead of the password itself. Standard cryptographic hashes, such as the Secure Hash Algorithm (SHA) series, are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password. However, knowledge of the hash value lets the attacker quickly test guesses offline. Password cracking programs are widely available that will test a large number of trial passwords against a purloined cryptographic hash.

Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. For example, in 2010, the Georgia Tech Research Institute developed a method of using GPGPU to crack passwords much faster.[5] Elcomsoft invented the usage of common graphic cards for quicker password recovery in August 2007 and soon filed a corresponding patent in the US.[6] By 2011, commercial products were available that claimed the ability to test up to 112,000 passwords per second on a standard desktop computer, using a high-end graphics processor for that time.[7] Such a device will crack a six-letter single-case password in one day. The work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable GPUs. Special key stretching hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not.

Another situation where quick guessing is possible is when the password is used to form a cryptographic key. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. For example, one commercial product claims to test 103,000 WPA PSK passwords per second.[8]

If a password system only stores the hash of the password, an attacker can pre-compute hash values for common password variants and all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can be efficiently stored using rainbow tables. This method of attack can be foiled by storing a random value, called a cryptographic salt, along with the hash. The salt is combined with the password when computing the hash, so an attacker precomputing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Many authentication systems in common use do not employ salts and rainbow tables are available on the Internet for several such systems.
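As an added example (not code from the article), the following Python shows the defences this section describes together: a random per-password salt, a key-stretching hash (PBKDF2-HMAC here; the algorithm and iteration count are assumed illustrative values), and constant-time verification of a login attempt. It also measures how much the work factor slows a single offline guess.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not from the article: store passwords as salted, key-stretched
# hashes and verify a login attempt against the stored record. The algorithm and
# iteration count below are illustrative assumptions, not values from the page.
HASH_NAME = "sha256"
SALT_BYTES = 16          # 128-bit random salt per password
ITERATIONS = 600_000     # PBKDF2 work factor: the "key stretching" the text describes


def make_record(password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> dict:
    """Hash a password with a fresh random salt and a configurable work factor."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # OS CSPRNG: each user gets a different salt
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return {"alg": HASH_NAME, "iterations": iterations, "salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(record["alg"], password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_digest(password: str) -> bytes:
    """What a system without salt stores. Identical passwords give identical
    digests, which is exactly what a precomputed rainbow table relies on."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def guesses_per_second(iterations: int, trials: int = 5) -> float:
    """Measure how much the work factor slows down a single offline guess."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac(HASH_NAME, b"guess", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


if __name__ == "__main__":
    rec_a = make_record("correct horse")
    rec_b = make_record("correct horse")
    # Without a salt the two stored values would be identical; with salts they differ.
    print("unsalted digests equal:",
          unsalted_digest("correct horse") == unsalted_digest("correct horse"))
    print("salted hashes equal:   ", rec_a["hash"] == rec_b["hash"])
    print("verify correct:", verify("correct horse", rec_a))
    print("verify wrong:  ", verify("correct h0rse", rec_a))
    print(f"guesses/s at 1 iteration: {guesses_per_second(1):,.0f}; "
          f"at {ITERATIONS:,} iterations: {guesses_per_second(ITERATIONS):,.1f}")
```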

Entropy as a measure of password strength

Password strength is specified by the amount of information entropy, which is measured in shannon (Sh) and is a concept from information theory. It can be regarded as the minimum number of bits necessary to hold the information in a password of a given type. A related measure is the base-2 logarithm of the number of guesses needed to find the password with certainty, which is commonly referred to as the "bits of entropy".[9] A password with 42 bits of entropy would be as strong as a string of 42 bits chosen randomly, for example by a fair coin toss. Put another way, a password with 42 bits of entropy would require 2^42 (4,398,046,511,104) attempts to exhaust all possibilities during a brute force search. Thus, increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker's task twice as difficult. On average, an attacker will have to try half the possible number of passwords before finding the correct one.[4]

Random passwords

Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set (e.g., the ASCII character set), syllables designed to form

The strength of random passwords depends on the actual entropy of the underlying number generator; however, these are often not truly random, but pseudorandom. Many publicly available password generators use random number generators found in programming libraries that offer limited entropy. However, most modern operating systems offer cryptographically strong random number generators that are suitable for password generation. It is also possible to use ordinary dice to generate random passwords. Random password programs often can ensure that the resulting password complies with a local password policy; for instance, by always producing a mix of letters, numbers, and special characters.

For passwords generated by a process that randomly selects a string of symbols of length, L, from a set of N possible symbols, the number of possible passwords can be found by raising the number of symbols to the power L, i.e. N^L. Increasing either L or N will strengthen the generated password. The strength of a random password as measured by the information entropy is just the base-2 logarithm or log2 of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy, H, is given by the formula:

where N is the number of possible symbols and L is the number of symbols in the password. H is measured in bits.[4][10] In the last expression, log can be to any base.
Entropy per symbol for different symbol sets

Symbol set                                          Symbol count N   Entropy per symbol H
Arabic numerals (0–9) (e.g. PIN)                    10               3.322 bits
Hexadecimal numerals (0–9, A–F) (e.g. WEP keys)     16               4.000 bits
Case insensitive Latin alphabet (a–z or A–Z)        26               4.700 bits
Case insensitive alphanumeric (a–z or A–Z, 0–9)     36               5.170 bits
Case sensitive Latin alphabet (a–z, A–Z)            52               5.700 bits
Case sensitive alphanumeric (a–z, A–Z, 0–9)         62               5.954 bits
All ASCII printable characters except space         94               6.555 bits
All Latin-1 Supplement characters                   94               6.555 bits
All ASCII printable characters                      95               6.570 bits
All extended ASCII printable characters             218              7.768 bits
Binary (0–255 or 8 bits or 1 byte)                  256              8.000 bits
Diceware word list                                  7776             12.925 bits per word

A binary byte is usually expressed using two hexadecimal characters.

To find the length, L, needed to achieve a desired strength H, with a password drawn randomly from a set of N symbols, one computes:

where ⌈ ⌉ denotes the mathematical ceiling function, i.e. rounding up to the next largest whole number.

The following table uses this formula to show the required lengths of truly randomly generated passwords to achieve desired password entropies for common symbol sets:
Lengths L of truly randomly generated passwords required to achieve a desired password entropy H for symbol sets containing N symbols

Columns: (a) Arabic numerals, (b) Hexadecimal, (c) Case insensitive Latin alphabet, (d) Case insensitive alphanumeric, (e) Case sensitive Latin alphabet, (f) Case sensitive alphanumeric, (g) All ASCII printable characters, (h) All extended ASCII printable characters

Desired password entropy H   (a)  (b)  (c)  (d)  (e)  (f)  (g)  (h)
8 bits (1 byte)                3    2    2    2    2    2    2    2
32 bits (4 bytes)             10    8    7    7    6    6    5    5
40 bits (5 bytes)             13   10    9    8    8    7    7    6
64 bits (8 bytes)             20   16   14   13   12   11   10    9
80 bits (10 bytes)            25   20   18   16   15   14   13   11
96 bits (12 bytes)            29   24   21   19   17   17   15   13
128 bits (16 bytes)           39   32   28   25   23   22   20   17
160 bits (20 bytes)           49   40   35   31   29   27   25   21
192 bits (24 bytes)           58   48   41   38   34   33   30   25
224 bits (28 bytes)           68   56   48   44   40   38   35   29
256 bits (32 bytes)           78   64   55   50   45   43   39   33
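Both tables above follow from the entropy H = L·log2(N) that the text defines as the base-2 logarithm of the N^L possible passwords. The Python below, an added example that is not part of the article, reproduces the entropy-per-symbol and required-length figures and then generates a password of the required length with the operating system's cryptographically strong generator, as the Random passwords section recommends. The exact contents of each symbol set are assumptions chosen to match the sizes N in the first table.

```python
import math
import secrets
import string

# Added example, not from the article: entropy arithmetic for random passwords
# and generation with a CSPRNG. Symbol-set contents are assumptions that match
# the sizes N given in the table of entropy per symbol.
SYMBOL_SETS = {
    "Arabic numerals": string.digits,                                           # N = 10
    "Hexadecimal numerals": string.digits + "ABCDEF",                           # N = 16
    "Case insensitive Latin alphabet": string.ascii_lowercase,                  # N = 26
    "Case insensitive alphanumeric": string.ascii_lowercase + string.digits,    # N = 36
    "Case sensitive Latin alphabet": string.ascii_letters,                      # N = 52
    "Case sensitive alphanumeric": string.ascii_letters + string.digits,        # N = 62
    "All ASCII printable characters except space":
        string.digits + string.ascii_letters + string.punctuation,              # N = 94
    "All ASCII printable characters":
        string.digits + string.ascii_letters + string.punctuation + " ",        # N = 95
}


def entropy_per_symbol(n: int) -> float:
    """log2(N): bits contributed by one symbol chosen uniformly from N."""
    return math.log2(n)


def password_entropy(n: int, length: int) -> float:
    """H = L * log2(N), assuming each symbol is chosen independently and uniformly."""
    return length * math.log2(n)


def required_length(n: int, desired_bits: float) -> int:
    """L = ceil(H / log2 N): the shortest length that reaches the desired entropy."""
    return math.ceil(desired_bits / math.log2(n))


def generate(symbols: str, desired_bits: float) -> str:
    """Draw each symbol uniformly with secrets.choice, which uses the OS CSPRNG
    rather than a library PRNG of limited entropy."""
    length = required_length(len(symbols), desired_bits)
    return "".join(secrets.choice(symbols) for _ in range(length))


def entropy_table() -> dict:
    """Entropy per symbol, rounded to three decimals as in the first table."""
    return {name: round(entropy_per_symbol(len(s)), 3) for name, s in SYMBOL_SETS.items()}


def length_table(desired_bits: float) -> dict:
    """One row of the required-lengths table for a desired entropy H."""
    return {name: required_length(len(s), desired_bits) for name, s in SYMBOL_SETS.items()}


if __name__ == "__main__":
    for name, bits in entropy_table().items():
        print(f"{name:45s} N={len(SYMBOL_SETS[name]):3d}  {bits:.3f} bits/symbol")
    for h in (32, 64, 128, 256):
        print(f"{h} bits:", length_table(h))
    pw = generate(SYMBOL_SETS["All ASCII printable characters"], 128)
    print(f"{len(pw)} chars ({password_entropy(95, len(pw)):.1f} bits): {pw}")
```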

Human-generated passwords

People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.[11]

Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. A uniform distribution would have had each character being used about 900,000 times. The most common number used is "1", whereas the most common letters are a, e, o, and r.[12]

Users rarely make full use of larger character sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.[13]

The full strength associated with using the entire ASCII character set (numerals, mixed case letters, and special characters) is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps upper and lower-case letters, numbers, and non-alphanumeric characters. Such a requirement is a pattern in password choice and can be expected to reduce an attacker's "work factor" (in Claude Shannon's terms). This is a reduction in password "strength". A better requirement would be to require a password not to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). If patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character. This predictability means that the increase in password strength is minor when compared to random passwords.

Password Safety Awareness Projects

Google developed Interland to teach children internet safety. In the chapter called Tower of Treasure, a game advises using unusual names paired with characters like (₺&@#%).[14]

NIST Special Publication 800-63-2

NIST Special Publication 800-63 of June 2004 (revision two) suggested a scheme to approximate the entropy of human-generated passwords:[4]

Using this scheme, an eight-character human-selected password without uppercase characters and non-alphabetic characters OR with either but not both of the two character sets is estimated to have eighteen bits of entropy. The NIST publication concedes that at the time of development, little information was available on the real-world selection of passwords. Later research into human-selected password entropy using newly available real-world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords.[15] The June 2017 revision of SP 800-63 (Revision three) drops this approach.[16]

Usability and implementation considerations

Because national keyboard implementations vary, not all 94 ASCII printable characters can be used everywhere. This can present a problem to an international traveler who wished to log into a remote system using a keyboard on a local computer. Many handheld devices, such as tablet computers and smartphones, require complex shift sequences or keyboard app swapping to enter special characters.

Authentication programs can vary as to the list of allowable password characters. Some do not recognize case differences (e.g., the upper-case "E" is considered equivalent to the lower-case "e"), and others prohibit some of the other symbols. In the past few decades, systems have permitted more characters in passwords, but limitations still exist. Systems also vary as to the maximum length of passwords allowed.

As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk.[17] In contrast, others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to Bruce Schneier, most people are good at securing their wallets or purses, which is a "great place" to store a written password.[18]
Required bits of entropy

The minimum number of bits of entropy needed for a password depends on the threat model for the given application. If key stretching is not used, passwords with more entropy are needed. RFC 4086, "Randomness Requirements for Security", published June 2005, presents some example threat models and how to calculate the entropy desired for each one.[19] Their answers vary between 29 bits of entropy needed if only online attacks are expected, and up to 96 bits of entropy needed for important cryptographic keys used in applications like encryption where the password or key needs to be secure for a long period and stretching isn't applicable. A 2010 Georgia Tech Research Institute study based on unstretched keys recommended a 12-character random password, but as a minimum length requirement.[5][20] It pays to bear in mind that since computing power continually grows, to prevent offline attacks the required number of bits of entropy should also increase over time.

The upper end is related to the stringent requirements of choosing keys used in encryption. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware.[21] In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days.[22] As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years.[23] Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer (or combination) will be capable of breaking 256-bit encryption via a brute-force attack.[24] Whether or not quantum computers will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.[25]

Guidelines for strong passwords

Common guidelines

Guidelines for choosing good passwords are typically designed to make passwords harder to discover by intelligent guessing. Common guidelines advocated by proponents of software system security have included:[26][27][28][29][30]

- Consider a minimum password length of 8[31] characters as a general guide. Both the US and UK cyber security departments recommend long and easily memorable passwords over short complex ones.[32][33]
- Generate passwords randomly where feasible.
- Avoid using the same password twice (e.g. across multiple user accounts and/or software systems).
- Avoid character repetition, keyboard patterns, dictionary words, and sequential letters or numbers.
- Avoid using information that is or might become publicly associated with the user or the account, such as the user name, ancestors' names, or dates.
- Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relatives or pet names, romantic links (current or past), and biographical information (e.g. ID numbers, ancestors' names or dates).
- Do not use passwords that consist wholly of any simple combination of the aforementioned weak components.

Forcing the inclusion of lowercase letters, uppercase letters, numbers, and symbols in passwords was a common policy but has been found to decrease security, by making it easier to crack. Research has shown how predictable the common use of such symbols is, and the US[34] and UK[35] government cyber security departments advise against forcing their inclusion in password policy. Complex symbols also make remembering passwords much harder, which increases writing down, password resets, and password reuse – all of which lower rather than improve password security. The original author of password complexity rules, Bill Burr, has apologized and admits they decrease security, as research has found; this was widely reported in the media in 2017.[36] Online security researchers[37] and consultants are also supportive of the change[38] in best practice advice on passwords.

Some guidelines advise against writing passwords down, while others, noting the large numbers of password-protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, not attached to a monitor or in an unlocked desk drawer.[39] Use of a password manager is recommended by the NCSC.[40]

The possible character set for a password can be constrained by different websites or by the range of keyboards on which the password must be entered.[41]
Examples of weak passwords

As with any security measure, passwords vary in strength; some are weaker than others. For example, the difference in strength between a dictionary word and a word with obfuscation (e.g. letters in the password are substituted by, say, numbers — a common approach) may cost a password-cracking device a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds:[12]

- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
- Reused passwords: Passwords should be unique to a particular account. Altering reused passwords, such as changing a few letters or numbers, does not provide sufficient security.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., including words in non-English dictionaries.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
- Munged passwords (words with simple obfuscation): p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be tested automatically with little additional effort. For example, a domain administrator password compromised in the DigiNotar attack was reportedly Pr0d@dm1n.[42]
- Doubled words: crabcrab, stopstop, treetree, passpass, etc.
- Common sequences from a keyboard row: qwerty, 123456, asdfgh, etc. including diagonal or backward sequences (qazplm, ytrewq, etc).
- Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159... (pi), 27182... (e), 112 (1-1-2), etc.
- Identifiers: jsmith123, 1/1/1970, 555–1234, one's username, etc.
- Weak passwords in non-English languages, such as contraseña (Spanish) and ji32k7au4a83 (bopomofo keyboard encoding from Chinese)[43]
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of a person's details.
- Dates: dates follow a pattern and make your password weak.
- Names of well-known locations: New York, Texas, China, London, etc.
- Names of brands, celebrities, sports teams, musical groups, TV shows, movies, etc.
- Short passwords: Even if a password doesn't have any of the weaknesses listed above, if it is too short, it can be easily cracked.

There are many other ways a password can be weak,[44] corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily identifying the user. Online services often provide a restore password function that a hacker can figure out and by doing so bypass a password.
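As an added, defender-side example (not code from the article), the Python below rejects candidates that match the weak patterns listed above before a password is accepted: dictionary words, words with digits appended or munged, doubled words, keyboard-row sequences (forwards or backwards), all-digit strings, and short length. The word list and keyboard rows are small constructed samples standing in for the large public lists the text mentions.

```python
import re

# Added example, not from the article: a defender-side check that flags the weak
# patterns listed above before a password is accepted. The word list and keyboard
# rows are small constructed samples standing in for the public lists the text mentions.

MIN_LENGTH = 13   # the text's current recommendation: at least 13-16 characters

# Constructed sample blocklist; real deployments use breach corpora and dictionaries.
COMMON_WORDS = {
    "password", "default", "admin", "guest", "chameleon", "redsox", "sandbags",
    "bunnyhop", "deer", "john", "goldfish", "crab", "stop", "tree", "pass",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common munging substitutions, reversed so "p@ssw0rd" maps back to "password".
DEMUNGE = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def base_words(pw: str) -> set:
    """Candidate underlying words: munging undone, with and without the digits or
    symbols that were appended or prepended ("password1" -> "password")."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low.translate(DEMUNGE), stripped, stripped.translate(DEMUNGE)}


def is_keyboard_sequence(pw: str, min_run: int = 4) -> bool:
    """True if the password contains a run of adjacent keys from one row,
    forwards (qwerty) or backwards (ytrewq)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in low:
                    return True
    return False


def is_doubled_word(pw: str) -> bool:
    """crabcrab, stopstop: the same string written twice."""
    half = len(pw) // 2
    return half > 0 and len(pw) % 2 == 0 and pw[:half] == pw[half:]


def weakness_reasons(pw: str) -> list:
    """Return the weak-pattern rules a candidate trips; an empty list means none matched."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("short")
    if pw.lower() in COMMON_WORDS:
        reasons.append("dictionary word")
    elif base_words(pw) & COMMON_WORDS:
        reasons.append("dictionary word with digits or symbols added or substituted")
    if is_doubled_word(pw.lower()):
        reasons.append("doubled word")
    if is_keyboard_sequence(pw):
        reasons.append("keyboard sequence")
    if pw.isdigit():
        reasons.append("all digits")
    return reasons


if __name__ == "__main__":
    # Samples from the list above plus one constructed random-looking string.
    for sample in ["password", "p@ssw0rd", "deer2000", "crabcrab", "ytrewq",
                   "123456", "Tr5k!vQ9#mLpX2wZ"]:
        print(f"{sample:20s} {weakness_reasons(sample)}")
```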

Rethinking password change guidelines

In the landscape of 2012, as delineated by William Cheswick in an article for ACM magazine, password security predominantly emphasized an alpha-numeric password of eight characters or more. Such a password, it was deduced, could resist ten million attempts per second for a duration of 252 days. However, with the assistance of contemporary GPUs at the time, this period was truncated to just about 9 hours, given a cracking rate of 7 billion attempts per second. A 13-character password was estimated to withstand GPU-computed attempts for over 900,000 years.[45][46]

In the context of 2023 hardware technology, the 2012 standard of an eight-character alpha-numeric password has become vulnerable, succumbing in a few hours. The time needed to crack a 13-character password is reduced to a few years. The current emphasis, thus, has shifted. Password strength is now gauged not just by its complexity but its length, with recommendations leaning towards passwords comprising at least 13-16 characters. This era has also seen the rise of Multi-Factor Authentication (MFA) as a crucial fortification measure. The advent and widespread adoption of password managers have further aided users in cultivating and maintaining an array of strong, unique passwords.[47]

Password policy

A password policy is a guide to choosing satisfactory passwords. It is intended to:

- assist users in choosing strong passwords
- ensure the passwords are suited to the target population
- provide recommendations for users concerning the handling of their passwords
- impose a recommendation to change any password which has been lost or suspected of compromise
- use a password blacklist to block the use of weak or easily guessed passwords.

Previous password policies used to prescribe the characters which passwords must contain, such as numbers, symbols, or upper/lower case. While this is still in use, it has been debunked as less secure by university research,[48] by the original instigator[49] of these rules, and by the cyber security bodies[50] of the USA[51] and UK.[52] Password complexity rules of enforced symbols were previously used by major platforms such as Google[53] and Facebook,[54] but these have removed the requirement following the discovery that they actually reduced security. This is because the human element is a far greater risk than cracking, and enforced complexity leads most users to highly predictable patterns (number at the end, swap 3 for E, etc.) which helps crack passwords. So password simplicity and length (passphrases) are the new best practice and complexity is discouraged. Forced complexity rules also increase support costs and user friction, and discourage user signups.

Password expiration was in some older password policies but has been debunked[36] as best practice and is not supported by USA or UK governments, or Microsoft, which removed[55] the password expiry feature. Password expiration was previously trying to serve two purposes:[56]

- If the time to crack a password is estimated to be 100 days, password expiration times fewer than 100 days may help ensure insufficient time for an attacker.
- If a password has been compromised, requiring it to be changed regularly may limit the access time for the attacker.

However, password expiration has its drawbacks:[57][58]

- Asking users to change passwords frequently encourages simple, weak passwords.
- If one has a truly strong password, there is little point in changing it.
- Changing passwords that are already strong introduces a risk that the new password may be less strong.
- A compromised password is likely to be used immediately by an attacker to install a backdoor, often via privilege escalation. Once this is accomplished, password changes won't prevent future attackers from accessing them.
- Moving from never changing one's password to changing the password on every authentication attempt (pass or fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack. One gains much more security by just increasing the password length by one character than changing the password on every use.

Creating and handling passwords

The hardest passwords to crack, for a given length and character set, are random character strings; if long enough they resist brute force attacks (because there are many characters) and guessing attacks (due to high entropy). However, such passwords are typically the hardest to remember. The imposition of a requirement for such passwords in a password policy may encourage users to write them down, store them in mobile devices or share them with others as a safeguard against memory failure. While some people consider each of these user resorts to increase security risks, others suggest the absurdity of expecting users to remember distinct complex passwords for each of the dozens of accounts they access. For example, in 2005, security expert Bruce Schneier recommended writing down one's password:

    Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.[39]

The following measures may increase acceptance of strong password requirements if carefully used:

- a training program. Also, updated training for those who fail to follow the password policy (lost passwords, inadequate passwords, etc.).
- rewarding strong password users by reducing the rate, or eliminating, the need for password changes (password expiration). The strength of user-chosen passwords can be estimated by automatic programs which inspect and evaluate proposed passwords when setting or changing a password.
- displaying to each user the last login date and time in the hope that the user may notice unauthorized access, suggesting a compromised password.
- allowing users to reset their passwords via an automatic system, which reduces help desk call volume. However, some systems are themselves insecure; for instance, easily guessed or researched answers to password reset questions bypass the advantages of a strong password system.
- using randomly generated passwords that do not allow users to choose their passwords, or at least offering randomly generated passwords as an option.

Memory techniques
Password policies sometimes suggest memory techniques to assist remembering passwords:

- Mnemonic passwords: Some users develop mnemonic phrases and use them to generate more or less random passwords which are nevertheless relatively easy for the user to remember, for instance the first letter of each word in a memorable phrase. Research estimates the strength of such passwords at about 3.7 bits per character, compared to the 6.6 bits per character of random passwords drawn from the ASCII printable characters.[59] Silly phrases are possibly more memorable.[60] Another way to make random-appearing passwords more memorable is to use random words (see diceware) or syllables instead of randomly chosen letters.
- After-the-fact mnemonics: After the password has been established, invent a mnemonic that fits.[61] It does not have to be reasonable or sensible, only memorable. This allows the password itself to be random.
- Visual representations of passwords: a password is memorized as the sequence of keys pressed, not the values of the keys themselves; e.g. the sequence !qAsdE#2 traces a rhomboid on a US keyboard. The method for producing such passwords is called PsychoPass.[62] Passwords produced by this method are much weaker than their length suggests, since successive keys are not independent and common keyboard sequences are included in password dictionaries, though some improvements can be made.[63][64]
- Password patterns: Any pattern in a password makes guessing (automated or not) easier and reduces the attacker's work factor. For example, passwords of the case-insensitive form consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example pinray45) are called Environ passwords. The pattern of alternating vowel and consonant characters was intended to make passwords more likely to be pronounceable and thus more memorable. Such patterns severely reduce the password's information entropy, making brute-force password attacks considerably more efficient. In the UK in October 2005, employees of the British government were advised to use passwords in this form.
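
To make the entropy arithmetic in this section concrete, the following added example (not part of the Wikipedia article) computes the keyspace and entropy of a pattern-constrained password such as the Environ form, gives a matcher that a password audit could use to flag passwords in that form, and quantifies the point made earlier that adding one random character gains far more than changing the password on every use. The template letters C/V/N, the choice to count "y" as a consonant, and the comparison alphabet of lowercase letters plus digits are this example's own assumptions.

```python
import math

# Character classes for pattern templates. The Environ form is described as
# case-insensitive, so only lowercase letters are counted. Treating "y" as a
# consonant is this example's assumption.
CLASSES = {
    "C": "bcdfghjklmnpqrstvwxyz",  # 21 consonants
    "V": "aeiou",                  # 5 vowels
    "N": "0123456789",             # 10 digits
}
# consonant, vowel, consonant, consonant, vowel, consonant, number, number
ENVIRON_TEMPLATE = "CVCCVCNN"
LOWER_ALNUM = 26 + 10   # comparison alphabet: a-z plus 0-9 (assumption)
ASCII_PRINTABLE = 95    # 0x20..0x7E


def pattern_keyspace(template: str) -> int:
    """Number of distinct passwords that match a template such as 'CVCCVCNN'."""
    size = 1
    for symbol in template:
        size *= len(CLASSES[symbol])
    return size


def entropy_bits(keyspace: int) -> float:
    """Information entropy of a uniform choice from `keyspace` possibilities."""
    return math.log2(keyspace)


def matches_pattern(password: str, template: str) -> bool:
    """True if `password` fits the template position by position (case-insensitive).

    A password audit can use this to flag Environ-style passwords, whose real
    strength is far below what an 8-character length suggests."""
    if len(password) != len(template):
        return False
    return all(ch in CLASSES[sym] for ch, sym in zip(password.lower(), template))


def compare(template: str, alphabet_size: int) -> dict:
    """Entropy of a pattern-constrained password versus a uniformly random one
    of the same length over `alphabet_size` symbols, plus the two work-factor
    increases discussed earlier: one extra random character multiplies the
    attacker's search by alphabet_size, while changing the password on every
    use merely doubles the expected number of guesses (exactly one bit)."""
    length = len(template)
    pattern_bits = entropy_bits(pattern_keyspace(template))
    random_bits = entropy_bits(alphabet_size ** length)
    return {
        "pattern_bits": round(pattern_bits, 2),
        "random_bits": round(random_bits, 2),
        "bits_lost_to_pattern": round(random_bits - pattern_bits, 2),
        "bits_gained_by_one_more_char": round(entropy_bits(alphabet_size), 2),
        "bits_gained_by_change_per_use": entropy_bits(2),
    }


if __name__ == "__main__":
    print(matches_pattern("pinray45", ENVIRON_TEMPLATE))
    for key, value in compare(ENVIRON_TEMPLATE, LOWER_ALNUM).items():
        print(f"{key}: {value}")
```

For the Environ template the keyspace is 21^4 x 5^2 x 10^2, about 2^28.9, against roughly 2^41.4 for eight uniformly random characters from the same 36-symbol alphabet: the pattern throws away about 12.5 bits, while a single extra random character would add about 5.2.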
Password managers
A reasonable compromise for using large numbers of passwords is to record them in a password manager program, which may be a stand-alone application, a web browser extension, or a manager built into the operating system. A password manager lets the user have hundreds of different passwords while remembering only one, the master password that opens the encrypted password database.[65] Needless to say, this single password should be strong and well protected (not recorded anywhere). Most password managers can automatically create strong passwords using a cryptographically secure random password generator, and calculate the entropy of the generated password. A good password manager will also provide resistance against attacks such as keystroke logging, clipboard logging and various other memory-spying techniques.
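
As an added example (not code from the article or from any particular password manager), the following shows the two things the generator inside a password manager must get right: every symbol or word is drawn from the operating system's CSPRNG without modulo bias, here through Python's secrets module, and the entropy of the result is reported so the user can judge it. It also quantifies the bias of the naive "random byte modulo alphabet size" construction that a generator must avoid. The 95-character alphabet is the ASCII printable set; the sixteen-word list is a constructed stand-in for a real diceware list of 7776 words.

```python
import math
import secrets
import string

# All 95 printable ASCII characters (letters, digits, punctuation and space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed stand-in for a diceware word list; a real list has 6**5 = 7776
# words, giving about 12.9 bits per word. Sixteen words give only 4 bits.
DEMO_WORDLIST = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 7776


def entropy_bits(choices: int, symbols: int) -> float:
    """Entropy of `choices` independent uniform picks from `symbols` alternatives."""
    return choices * math.log2(symbols)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random character password.

    secrets.choice draws from the OS CSPRNG (os.urandom) and rejects values
    that would bias the result, so every symbol is equally likely. The
    `random` module (a Mersenne Twister with a guessable seed) is not
    acceptable for this purpose."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=DEMO_WORDLIST, separator: str = "-") -> str:
    """Diceware-style passphrase: `words` uniform picks from a duplicate-free list."""
    if words < 1 or len(set(wordlist)) != len(wordlist):
        raise ValueError("need a positive word count and a duplicate-free word list")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def modulo_bias_ratio(alphabet_size: int, source_range: int = 256) -> float:
    """Non-uniformity of the naive `random_byte % alphabet_size` construction.

    Returns the probability ratio between the most- and least-likely symbols;
    1.0 means unbiased. For 95 printable characters and one random byte the
    ratio is 1.5: indices 0..65 occur three times among 0..255, indices 66..94
    only twice. This is exactly the bias secrets.choice avoids by rejection
    sampling."""
    full_cycles, remainder = divmod(source_range, alphabet_size)
    if remainder == 0:
        return 1.0
    return (full_cycles + 1) / full_cycles


def password_report(length: int = 16) -> dict:
    """What a manager would show the user: the generated secret and its entropy."""
    return {
        "password": generate_password(length),
        "bits": round(entropy_bits(length, len(PRINTABLE)), 1),
    }


if __name__ == "__main__":
    print(password_report(16))
    print(generate_passphrase(6), entropy_bits(6, DICEWARE_LIST_SIZE))
    print(modulo_bias_ratio(len(PRINTABLE)))
```

Sixteen printable-ASCII characters carry about 105 bits; six words from a real 7776-word diceware list carry about 77.5 bits, which is why a passphrase needs several words to match a much shorter random string. The entropy figures assume the generator is unbiased, which is what the modulo_bias_ratio check is there to make visible.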

See also

Keystroke logging
Passphrase
Phishing
Vulnerability (computing)

References
1. "Cyber Security Tip ST04-002" (http://www.us-cert.gov/cas/tips/ST04-002.html). Choosing and Protecting Passwords. US CERT. 21 May 2009. Archived (https://web.archive.org/web/20090707141138/http://www.us-cert.gov/cas/tips/ST04-002.html) from the original on July 7, 2009. Retrieved June 20, 2009.
2. "Why User Names and Passwords Are Not Enough | SecurityWeek.Com" (https://www.securityweek.com/why-user-names-and-passwords-are-not-enough). www.securityweek.com. 31 January 2019. Retrieved 2020-10-31.
3. "Millions using 123456 as password, security study finds" (https://www.bbc.com/news/technology-47974583). BBC News. 21 April 2019. Retrieved 24 April 2019.
4. "SP 800-63 – Electronic Authentication Guideline" (https://web.archive.org/web/20040712152833/http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf) (PDF). NIST. Archived from the original (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf) (PDF) on July 12, 2004. Retrieved April 20, 2014.
5. "Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World's Password Security System" (http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System). Georgia Tech Research Institute. Archived (https://web.archive.org/web/20101230063449/http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System) from the original on 2010-12-30. Retrieved 2010-11-07.
6. US patent 7929707 (https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US7929707), Andrey V. Belenko, "Use of graphics processors as parallel math co-processors for password recovery", issued 2011-04-19, assigned to Elcomsoft Co. Ltd.
7. Elcomsoft.com (http://www.elcomsoft.com/eprb.html#gpu). Archived (https://web.archive.org/web/20061017173506/http://www.elcomsoft.com/eprb.html) 2006-10-17 at the Wayback Machine. ElcomSoft Password Recovery Speed table, NTLM passwords, Nvidia Tesla S1070 GPU. Accessed 2011-02-01.
8. Elcomsoft Wireless Security Auditor, HD5970 GPU (http://www.elcomsoft.com/ewsa.html). Archived (https://web.archive.org/web/20110219131825/http://www.elcomsoft.com/ewsa.html) 2011-02-19 at the Wayback Machine. Accessed 2011-02-11.
9. James Massey (1994). "Guessing and entropy" (http://www.isiweb.ee.ethz.ch/archive/massey_pub/pdf/BI633.pdf) (PDF). Proceedings of 1994 IEEE International Symposium on Information Theory. IEEE. p. 204.
10. Schneier, B. Applied Cryptography, 2e, page 233 ff. John Wiley and Sons.
11. Florencio, Dinei; Herley, Cormac (May 8, 2007). "A large-scale study of web password habits" (http://research.microsoft.com/pubs/74164/www2007.pdf) (PDF). Proceedings of the 16th international conference on World Wide Web. p. 657. doi:10.1145/1242572.1242661 (https://doi.org/10.1145%2F1242572.1242661). ISBN 9781595936547. S2CID 10648989 (https://api.semanticscholar.org/CorpusID:10648989). Archived (https://web.archive.org/web/20150327031521/http://research.microsoft.com/pubs/74164/www2007.pdf) (PDF) from the original on March 27, 2015.
12. Burnett, Mark (2006). Kleiman, Dave (ed.). Perfect Passwords. Rockland, Massachusetts: Syngress Publishing. p. 181. ISBN 978-1-59749-041-2.
13. Bruce Schneier (December 14, 2006). "MySpace Passwords aren't so Dumb" (http://archive.wired.com/politics/security/commentary/securitymatters/2006/12/72300?currentPage=all). Wired Magazine. Archived (https://web.archive.org/web/20140521031354/http://archive.wired.com/politics/security/commentary/securitymatters/2006/12/72300?currentPage=all) from the original on May 21, 2014. Retrieved April 11, 2008.
14. "Play Interland - Be Internet Awesome" (https://beinternetawesome.withgoogle.com/en_us/interland/). Play Interland - Be Internet Awesome. Retrieved 2024-09-10.
15. Matt Weir; Sudhir Aggarwal; Michael Collins; Henry Stern (7 October 2010). "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords" (http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html) (PDF). Archived (https://web.archive.org/web/20120706124704/http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html) from the original on July 6, 2012. Retrieved March 21, 2012.
16. "SP 800-63-3 – Digital Identity Guidelines" (https://pages.nist.gov/800-63-3) (PDF). NIST. June 2017. Archived (https://web.archive.org/web/20170806142240/https://pages.nist.gov/800-63-3/) from the original on August 6, 2017. Retrieved August 6, 2017.
17. A. Allan. "Passwords are Near the Breaking Point" (https://web.archive.org/web/20060427032938/http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf) (PDF). Gartner. Archived from the original (http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf) (PDF) on April 27, 2006. Retrieved April 10, 2008.
18. Bruce Schneier. "Schneier on Security" (http://www.schneier.com/blog/archives/2005/06/write_down_your.html). Write Down Your Password. Archived (https://web.archive.org/web/20080413032636/http://www.schneier.com/blog/archives/2005/06/write_down_your.html) from the original on April 13, 2008. Retrieved April 10, 2008.
19. Randomness Requirements for Security (https://datatracker.ietf.org/doc/html/rfc4086). doi:10.17487/RFC4086 (https://doi.org/10.17487%2FRFC4086). RFC 4086 (https://datatracker.ietf.org/doc/html/rfc4086).
20. "Want to deter hackers? Make your password longer" (https://web.archive.org/web/20130711022009/http://www.nbcnews.com/id/38771772/). NBC News. 2010-08-19. Archived from the original (http://www.nbcnews.com/id/38771772) on July 11, 2013. Retrieved 2010-11-07.
21. "EFF DES Cracker machine brings honesty to crypto debate" (https://web.archive.org/web/20100101001853/http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html). EFF. Archived from the original (https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html) on January 1, 2010. Retrieved March 27, 2008.
22. "64-bit key project status" (https://web.archive.org/web/20130910051812/http://stats.distributed.net/projects.php?project_id=5). Distributed.net. Archived from the original (http://stats.distributed.net/projects.php?project_id=5) on September 10, 2013. Retrieved March 27, 2008.
23. "72-bit key project status" (http://stats.distributed.net/projects.php?project_id=8). Distributed.net. Retrieved October 12, 2011.
24. Bruce Schneier. "Snakeoil: Warning Sign #5: Ridiculous key lengths" (http://www.schneier.com/crypto-gram-9902.html). Archived (https://web.archive.org/web/20080418225248/http://www.schneier.com/crypto-gram-9902.html) from the original on April 18, 2008. Retrieved March 27, 2008.
25. "Quantum Computing and Encryption Breaking" (https://stackoverflow.com/questions/2768807/quantum-computing-and-encryption-breaking). Stack Overflow. 2011-05-27. Archived (https://web.archive.org/web/20130521043721/http://stackoverflow.com/questions/2768807/quantum-computing-and-encryption-breaking) from the original on 2013-05-21. Retrieved 2013-03-17.
26. Microsoft Corporation. Strong passwords: How to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx). Archived (https://web.archive.org/web/20080101132156/http://www.microsoft.com/protect/yourself/password/create.mspx) 2008-01-01 at the Wayback Machine.
27. Bruce Schneier. Choosing Secure Passwords (http://www.schneier.com/blog/archives/2007/01/choosing_secure.html). Archived (https://web.archive.org/web/20080223002450/http://www.schneier.com/blog/archives/2007/01/choosing_secure.html) 2008-02-23 at the Wayback Machine.
28. Google, Inc. How safe is your password? (https://www.google.com/accounts/PasswordHelp). Archived (https://web.archive.org/web/20080222225549/https://www.google.com/accounts/PasswordHelp) 2008-02-22 at the Wayback Machine.
29. University of Maryland. Choosing a Good Password (http://www.cs.umd.edu/faq/Passwords.shtml). Archived (https://web.archive.org/web/20140614022254/http://www.cs.umd.edu/faq/Passwords.shtml) 2014-06-14 at the Wayback Machine.
30. Bidwell, Teri (2002). Hack Proofing Your Identity in the Information Age (https://archive.org/details/hackproofingyour0000bidw). Syngress Publishing. ISBN 978-1-931836-51-7.
31. "NIST PASSWORD GUIDELINES IN 2020" (https://stealthbits.com/blog/nist-password-guidelines/#:~:text=NIST%20now%20requires%20that%20all,characters%20as%20a%20maximum%20length.). Stealthbits. 18 August 2020. Retrieved 17 May 2021.
32. "Password Policy - Updating your approach" (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach). UK National Cyber Security Centre. Retrieved 17 May 2021.
33. "Choosing and Protecting Passwords" (https://www.cisa.gov/news-events/news/choosing-and-protecting-passwords). US Cybersecurity & Infrastructure Security Agency (CISA). 2019-11-18. Retrieved 2023-10-10.
34. "Digital Identity Guidelines" (https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity). USA National Institute of Standards and Technology. Retrieved 17 May 2021.
35. "Password administration for system owners" (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach). UK National Cyber Security Centre. Retrieved 17 May 2021.
36. "Password Rules - Founder of Password Complexity Says SORRY!" (https://www.tesla.tours/campaigns/password-rules#h.8jxqtu8i7po2). Retrieved 17 May 2021.
37. "CyLab Usable Privacy and Security Laboratory (CUPS)" (http://cups.cs.cmu.edu/passwords.html). Carnegie Mellon University (USA). Retrieved 17 May 2021.
38. Schneier, Bruce. "Changes in Password Best Practices" (https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html). Schneier on Security. Retrieved 17 May 2021.
39. "Write Down Your Password - Schneier on Security" (http://www.schneier.com/blog/archives/2005/06/write_down_your.html). www.schneier.com. Archived (https://web.archive.org/web/20080413032636/http://www.schneier.com/blog/archives/2005/06/write_down_your.html) from the original on 2008-04-13.
40. "What does the NCSC think of password managers?" (https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers). www.ncsc.gov.uk. Archived (https://web.archive.org/web/20190305053922/https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers) from the original on 2019-03-05.
41. E.g. for a keyboard with only 17 nonalphanumeric characters, see one for a BlackBerry phone in an enlarged image (http://www.hardwaresecrets.com/fullimage.php?image=18705), archived (https://web.archive.org/web/20110406121058/http://www.hardwaresecrets.com/fullimage.php?image=18705) 2011-04-06 at the Wayback Machine, in support of Sandy Berger, BlackBerry Tour 9630 (Verizon) Cell Phone Review, in Hardware Secrets (August 31, 2009) (http://www.hardwaresecrets.com/article/795/2), archived (https://web.archive.org/web/20110406121111/http://www.hardwaresecrets.com/article/795/2) April 6, 2011, at the Wayback Machine, both as accessed January 19, 2010. That some websites don't allow nonalphanumerics is indicated by Kanhef, Idiots, For Different Reasons (June 30, 2009) (topic post) (http://forums.theregister.co.uk/post/527230), archived (https://web.archive.org/web/20110406121058/http://forums.theregister.co.uk/post/527230) April 6, 2011, at the Wayback Machine, as accessed January 20, 2010.
42. "ComodoHacker responsible for DigiNotar Attack – Hacking News" (http://thehackernews.com/2011/09/comodohacker-responsible-for-diginotar.html). Thehackernews.com. 2011-09-06. Archived (https://web.archive.org/web/20130517204022/http://thehackernews.com/2011/09/comodohacker-responsible-for-diginotar.html) from the original on 2013-05-17. Retrieved 2013-03-17.
43. Dave Basner (8 March 2019). "Here's Why 'ji32k7au4a83' Is A Surprisingly Common Password" (https://www.iheart.com/content/2019-03-08-heres-why-ji32k7au4a83-is-a-surprisingly-common-password/). Retrieved 25 March 2019.
44. Bidwell, p. 87.
45. Cheswick, William (2012-12-31). "HTML version - Rethinking Passwords" (https://queue.acm.org/detail.cfm?id=2422416). Association for Computing Machinery (ACM). Archived (https://archive.today/20191103172648/https://queue.acm.org/detail.cfm?id=2422416) from the original on 2019-11-03. Retrieved 2019-11-03.
46. Cheswick, William (2012-12-31). "ACM Digital Library - Rethinking Passwords" (https://doi.org/10.1145%2F2405116.2422416). Queue. 10 (12): 50–56. doi:10.1145/2405116.2422416 (https://doi.org/10.1145%2F2405116.2422416).
47. "The State of Password Security 2023 Report | Bitwarden Resources" (https://bitwarden.com/resources/the-state-of-password-security/). Bitwarden. Retrieved 2023-09-24.
48. "Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements" (http://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf) (PDF). Carnegie Mellon University. Retrieved 17 May 2021.
49. "Bill Burr, Founder of Password complexity rules says SORRY!" (https://www.tesla.tours/campaigns/password-rules#h.8jxqtu8i7po2). Retrieved 17 May 2021.
50. "Passwords in online services" (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/#whatrequirementsshould). UK Information Commissioner's Office (ICO). Retrieved 17 May 2021.
51. "Digital Identity Guidelines" (https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity). USA National Institute of Standards and Technology. Retrieved 17 May 2021.
52. "Password guidance" (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf) (PDF). Cyber Security, UK Government Communications Headquarters. Retrieved 17 May 2021.
53. "Create a Strong Password" (https://support.google.com/accounts/answer/32040?hl=en#:~:text=Meet%20password%20requirements,accented%20characters%20aren't%20supported.). Google Inc. Retrieved 17 May 2021.
54. "Login and Password Help" (https://www.facebook.com/help/1573156092981768/). Facebook Inc. Retrieved 17 May 2021.
55. "Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903" (https://docs.microsoft.com/en-au/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903). Microsoft. 23 May 2019. Retrieved 17 May 2021.
56. "In Defense of Password Expiration" (https://web.archive.org/web/20081012063918/http://lopsa.org/node/295). League of Professional Systems Administrators. Archived from the original (http://lopsa.org/node/295) on October 12, 2008. Retrieved April 14, 2008.
57. "The problems with forcing regular password expiry" (https://web.archive.org/web/20160817223701/https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry). IA Matters. CESG: the Information Security Arm of GCHQ. 15 April 2016. Archived from the original (https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry) on 17 August 2016. Retrieved 5 Aug 2016.
58. Eugene Spafford. "Security Myths and Passwords" (http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/). The Center for Education and Research in Information Assurance and Security. Archived (https://web.archive.org/web/20080411123000/http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/) from the original on April 11, 2008. Retrieved April 14, 2008.
59. Johannes Kiesel; Benno Stein; Stefan Lucks (2017). "A Large-scale Analysis of the Mnemonic Password Advice" (https://web.archive.org/web/20170330174637/https://www.internetsociety.org/sites/default/files/ndss2017_03A-4_Kiesel_paper.pdf) (PDF). Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 17). Internet Society. Archived from the original (https://www.internetsociety.org/sites/default/files/ndss2017_03A-4_Kiesel_paper.pdf) (PDF) on 2017-03-30. Retrieved 2017-03-30.
60. Mnemonic Devices (Indianapolis, Ind.: Bepko Learning Ctr., University College) (http://uc.iupui.edu/uploadedFiles/Learning_Center_Site/Mnemonic%20Devices.pdf), as accessed January 19, 2010. Archived (https://web.archive.org/web/20100610000727/http://uc.iupui.edu/uploadedFiles/Learning_Center_Site/Mnemonic%20Devices.pdf) June 10, 2010, at the Wayback Machine.
61. Remembering Passwords (ChangingMinds.org) (http://changingminds.org/techniques/memory/remembering_passwords.htm). Archived (http://archive.wikiwix.com/cache/20100121181700/http://changingminds.org/techniques/memory/remembering_passwords.htm) 2010-01-21 at Wikiwix, as accessed January 19, 2010.
62. Cipresso, P; Gaggioli, A; Serino, S; Cipresso, S; Riva, G (2012). "How to Create Memorizable and Strong Passwords" (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3846346). J Med Internet Res. 14 (1): e10. doi:10.2196/jmir.1906 (https://doi.org/10.2196%2Fjmir.1906). PMC 3846346 (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3846346). PMID 22233980 (https://pubmed.ncbi.nlm.nih.gov/22233980).
63. Brumen, B; Heričko, M; Rozman, I; Hölbl, M (2013). "Security analysis and improvements to the PsychoPass method" (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3742392). J Med Internet Res. 15 (8): e161. doi:10.2196/jmir.2366 (https://doi.org/10.2196%2Fjmir.2366). PMC 3742392 (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3742392). PMID 23942458 (https://pubmed.ncbi.nlm.nih.gov/23942458).
64. "zxcvbn: realistic password strength estimation" (https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/). Dropbox Tech Blog. Archived (https://web.archive.org/web/20150405131234/https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) from the original on 2015-04-05.
65. "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers | EECS at UC Berkeley" (https://www2.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-138.html). www2.eecs.berkeley.edu. Retrieved 2023-10-01.

6 Types of Password Attacks & How to Stop Them | OneLogin. (n.d.). Retrieved April 24, 2024, from https://www.google.com/

Franchi, E., Poggi, A., & Tomaiuolo, M. (2015). Information and Password Attacks on Social Networks: An Argument for Cryptography. Journal of Information Technology Research, 8(1), 25–42. https://doi.org/10.4018/JITR.2015010103

External links

RFC 4086: Randomness Requirements for Security (https://tools.ietf.org/html/rfc4086)
Password Patterns: The next generation dictionary attacks (https://web.archive.org/web/20160416035311/http://www.architectingsecurity.com/2010/09/11/password-patterns/)

Retrieved from "https://en.wikipedia.org/w/index.php?title=Password_strength&oldid=1264709712"

This page was last edited on 23 December 2024, at 03:48 (UTC).
Content is available under CC BY-SA 4.0 unless otherwise noted.