It is known that we as humans struggle with remembering and managing multiple complicated passwords, that are required to access different applications on a daily basis. To comply with the latest cybersecurity requirements for passwords should be at least 8 characters, mix of both upper and lower case letters, at least one number, at least one special character’s (!@#$% etc.).
Furthermore, it is preferable to change our password every 90 days, and of course, don’t write it down, remember it instead. In theory, it sounds obvious to follow, in practice, is a complicated task to deal with.
Let’s look at an example that satisfy the above guidelines: Ak8j_u^t@V7. Obviously, it is difficult to remember that password, moreover, it would not be just one password to memorize, we need at least a few, taking into account the multiple login credentials an average person uses today.
Looks awfully complicated and certainly difficult to memorize, the problem is that this so complicated for us password is not challenging at all for a computer with today’s GPU calculating power to crack, with approximate 1000 guesses/sec rate it would need about 4 to 5 days.
How adequately protected was our account with such complicated password?
In comparison, if instead is used a simple to remember for us phrase or word combination, for an example: Correct-house-battery-staple-1
Hence, that example satisfies all requirements for creating a secure password to have upper, lower case letters, special character and number and in the same time noticeably effortless to remember the phrase, today’s computer technology will require at least 550 years to crack that password!
So how is that plausible and why we make our lives too difficult by creating passwords that are implausible to memorize yet extremely simple for the computers to crack, instead to create passwords that are straightforward for us to memorize and truly time challenging for the computers to crack?
It is rather a simple process of mathematics that stay behind that are known as password entropy. The randomness of the components of the password is defining it difficult to crack, however different characters, numbers and others have different weight in that, as shown in the following table.
In summary, the simple formula calculating password entropy is E=log2(X) where E is password entropy; X is R on a power of L, where R is a pool of characters we employ; L a number of characters in the password. X the number of plausible passwords, and log2(X) the number of bits of entropy.
To conclude, by just looking at the above Table 1, it is obvious that if we just apply the presently required alphanumerical upper, lower case and special characters for creating a password, that would not compose our password as secure as when comparing it with a Diceware word list or English dictionary words in combination with special characters, upper, lower case and numbers, and if add an additional language for mixing the words in the phrase that would even get our password further secure.