Calculate Entropy?
Hi, I've been lurking for quite some time now and am totally new to password management systems and the like. I wanted to ask how does one calculate entropy? Is there a formula you could share for both word based and randomly generated character passwords? How much entropy is enough entropy for my master password or any password for that matter. I just used the randomly generated word based suggestions (4 words) for mine as all my passwords before entering the realm of password systems were extremely basic, like my birthday for example.
Also to follow up, 1Password has the strength meter that I'm sure many of us are familiar with, where exactly on that meter is strong enough. Bright green? On the other hand, what is too little? Where do all the colors rank?
Really love 1Password by the way, very happy with it and can recommend it to anyone, I tried a bunch of different ones but I feel that this is the best option overall for anyone and the amazing customer support doesn't go unnoticed.
Cheers,
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Hi @anglenora2022,
That's a fantastic question. I thought I was going to write a short answer but it turned out longer than I expected. I hope you don't mind.
Entropy calculation is actually relatively simple. To calculate it you need to know how to determine how many permutations there are for the given password recipe. The amount of entropy defines the amount of randomness that was used in the generation of a password, and since that depends on the password recipe, you need to know the recipe. If I say that my Master Password is 4 words, then that's not enough information to determine the entropy. If I say that my Master Password is a 4-word wordlist password created by 1Password then we can use 1Password's recipe there. The recipe in the case of a wordlist password is very simple: randomly choose 4 words out of the list of ~18000 words. That means there are 18000 * 18000 * 18000 * 18000 (assuming repeats are allowed) permutations. Once you know the number of permutations you can convert that to bits of entropy by doing a log base 2. In the case of a 4 word password generated by our wordlist that comes out to 56 bits of entropy.
If you're using 1Password for Mac, you can actually see this by enabling "Copy Item JSON" in Preferences > Advanced, then choosing an item that contains your randomly generated password, and using the Item > Copy JSON. Paste that into an editor and you'll get something that looks like:
{"sectionName":"P","details":{"password":"reckon ishmael ascot pitfall","sections":[{"title":"Related Items","name":"linked items"}]},"uuid":"nkkkpxyezzaexcwh6enu7lhsem","updatedAt":1527535870,"createdAt":1527535870,"categoryUUID":"005","overview":{"pbe":56.64641721601138,"pgrng":true,"title":"pbe test","ainfo":"May 28, 2018, 2:31:10 PM","ps":75}}
Look for pbe:, and the number after it is the number of bits of entropy. With that you can tweak the generator parameters and come up with different passwords and see how it affects the pbe.
So now the all-too-important question... just how many bits of entropy is enough? That's something that will change over time. What we consider to be a strong password today will not be the same as what we consider strong in a few years because computers will have gotten that much faster. To determine this we have what we currently consider to be a "fantastic strength", i.e. a strength where any stronger doesn't actually bring more value. Right now that's defined as 75 bits. We calculate the strength (ps in the item JSON) as the percentage of the fantastic strength. In my example above that was a strength of 75.
The rules to determine which color or strength title to show are based on the calculated strength:
- [0, 26) : Terrible
- [26, 44) : Weak
- [44, 53) : Fair
- [53, 60) : Good
- [60, 73) : Very Good
- [73, 85) : Excellent
- [85, 100] : Fantastic
I still haven't answered how many bits of entropy is enough. 75 is fantastic, but we don't expect anyone to have a Master Password with 75 bits of entropy. For passwords you're generating for websites, you should try to get as close to fantastic as you can get away with since you won't need to remember them. For your Master Password, if you used our wordlist generator and used a 4 word password from it, you're doing excellent. In general humans are terrible at randomness and a "random" password that we invent from our heads is considered to be no better than about 40 bits, and in most cases is much lower than that. For a Master Password we'd recommend staying at or above that 40 bit mark.
I hope this helps.
Rick
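The calculation Rick walks through above, as an added worked example (this is not 1Password's own code): entropy as log2 of the number of permutations, the `ps` percentage relative to the 75-bit "fantastic" mark, and the lookup into the colour tiers. It assumes the ~18000-word list size quoted in the answer and infers from the sample JSON (pbe 56.646… shown with ps 75) that `ps` is truncated to a whole number.

```python
import math

# Strength tiers exactly as listed in the answer: [lower, upper) -> title.
# The top bucket is closed ([85, 100]), so its upper bound is written as 101.
STRENGTH_TIERS = [
    (0, 26, "Terrible"),
    (26, 44, "Weak"),
    (44, 53, "Fair"),
    (53, 60, "Good"),
    (60, 73, "Very Good"),
    (73, 85, "Excellent"),
    (85, 101, "Fantastic"),
]

FANTASTIC_BITS = 75.0   # "fantastic strength" from the answer
WORDLIST_SIZE = 18000   # approximate list size quoted in the answer (assumption)


def wordlist_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `word_count` words chosen uniformly, repeats allowed, from a wordlist."""
    # permutations = wordlist_size ** word_count, so log2 of that is word_count * log2(size)
    return word_count * math.log2(wordlist_size)


def character_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def strength_percent(entropy_bits: float) -> int:
    """The 'ps' value: entropy as a whole-number percentage of fantastic strength, capped at 100."""
    # Truncation (not rounding) is an assumption drawn from the sample JSON above.
    return min(100, int(entropy_bits / FANTASTIC_BITS * 100))


def strength_title(entropy_bits: float) -> str:
    """Map a password's entropy to the strength title shown on the meter."""
    ps = strength_percent(entropy_bits)
    for low, high, title in STRENGTH_TIERS:
        if low <= ps < high:
            return title
    raise ValueError(f"strength {ps} is outside 0..100")


if __name__ == "__main__":
    for label, bits in [
        ("4 wordlist words", wordlist_entropy_bits(4)),
        ("10 lowercase letters", character_entropy_bits(10, 26)),
        ("20 printable ASCII chars", character_entropy_bits(20, 94)),
    ]:
        print(f"{label:26s} pbe={bits:6.2f}  ps={strength_percent(bits):3d}  {strength_title(bits)}")
```

Running it shows that four wordlist words land in the Excellent band, while a 20-character random string from the full printable set is capped at 100 (Fantastic), which is why the answer suggests generated website passwords aim that high.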