September 11 2022
Home | Blog | Prev | Next · |

If you simply want a good way to generate passwords, jump to "List of 7,776 Common Words". Otherwise, here's the table of contents:

- What Makes a Good Password?
- Entropy Sources
- Alphabets
- Alternative Password Generation Schemes
- How Many Passwords Should I Create?

Good passwords are hard for hackers to guess. They have three properties:

Passwords must be random; otherwise hackers could easily guess them. Don't use any personal information (your name, government ID, birthday, family members' names, pets' names, business's name, etc.) as part of your passwords because it's probably publicly available or easy to guess. Don't try to make up passwords in your head, either: People are terrible at creating randomness. Use physical processes (coins, dice, or playing cards) instead.

Even if passwords are random, they must be long, or else hackers might accidentally guess them.

**Entropy** is a measure of randomness. The more entropy a password has, the more difficult it is for hackers to guess it. Entropy is usually measured in **bits** — the same bits that computers use, each of which is 0 or 1. One bit of entropy contains the same amount of randomness as a single coin flip. *N* bits of entropy contain the same amount of randomness as *N* coin flips.

Technically speaking, entropy as discussed above is known as **information entropy** and describes systems people use to generate passwords, not passwords themselves. When people say that a particular password has "100 bits of entropy", they mean that the process the password's creator used generates 100 bits of entropy.

For example, tossing a coin 100 times to generate passwords containing 1's and 0's is a 100-bit password-generating system. The passwords this system creates technically don't contain any information entropy.

Although individual passwords don't contain information entropy per se, they do contain **algorithmic entropy**, also known as **kolmogorov complexity** and **descriptive complexity**. A password's algorithmic entropy is a measure of how long it would take someone to tell someone else the password. For example, someone can only communicate the password:

RqHxPtNah73zHJUy

to another person by saying each letter (including its case) and number: there are no recognizable words, codes, or other ways to shorten the password for communication. (In other words, this password is incompressible.)

Compare that to:

AAAAAAAAAAAAAAAA

which someone could communicate by saying "sixteen uppercase A's" — much easier! Its algorithmic complexity is much lower than the complicated, random-looking password.

The ways you create passwords should have high information entropy. The more bits of entropy they have, the harder hackers will probably have to work to guess your passwords. Passwords would ideally also have high algorithmic entropy.

Why should passwords have high algorithmic entropy? Most people, especially those who know nothing about computer security, tend to choose passwords that are easy to describe (low algorithmic entropy) and thus easy to remember, like "abcd12345" ("'a' through 'd', '1' through '5'"). Hackers exploit this tendency by trying passwords with low algorithmic entropy first.

Unfortunately, even password schemes with high information entropy, such as flipping a coin 256 times to generate strings of 256 1's and 0's, may create passwords with low algorithmic entropy, such as a string of 256 0's. This is extremely unlikely if you create random passwords, so this is rarely problematic in practice. The rest of this document focuses exclusively on information entropy.

How much information entropy do your passwords need? That depends on how important the information your passwords protect is. For data that must remain absolutely secret — bank accounts, government records, etc. — at least 128 bits is recommended. For less important accounts, fewer bits will do, though you should use at least 80 bits. Most security experts think 100 bits is effectively unguessable.

Quantum computers are poised to revolutionize computing. Mathematicians have devised several clever algorithms (Shor's algorithm and Grover's algorithm) that make sufficiently large quantum computers capable of breaking most of today's information security systems. Although large quantum computers haven't been built yet, they're just over the horizon.

To guard against quantum computers, double the number of bits of entropy in your passwords. For example, if you want a password that is effectively 100-bits-strong against quantum computers, make it 200 bits. You have to double the number of bits because hackers can use Grover's algorithm to greatly reduce the number of guesses they need to make. Specifically, if a hacker needs to guess at most *N* times to figure out your password, Grover's algorithm reduces the number of guesses to the square root of *N*, which halves the password's bits of entropy.

Thus the recommended number of bits depends on how sensitive the information they guard is and whether you want to consider quantum computers (QC):

Information Sensitivity | Examples | Bits (No QC) | Bits (QC) |
---|---|---|---|

Throwaway: I don't care if someone steals it. | Accounts lacking personal info or photos/recordings | 80 | 160 |

Sensitive: It wouldn't be the end of the world if someone steals it | Online news subscriptions, dating profiles, Twitter | 100 | 200 |

Critical: Theft would mean the end of my life/world | Financial accounts, government records, some social media — anything with info that someone could use to impersonate, attack, stalk, or rob you | 128 | 256 |

This document assumes you're using physical processes — coins, dice, cards, etc. — to generate passwords. You can use digital sources, such as /dev/random and websites like random.org, but only if you trust that their results are truly random *and* that no one else can see or bias their results. If you're paranoid about security, create passwords using physical processes you can control, not computers. The results will be truly random *and* you won't have to trust third parties.

Coins are ubiquitous. Flipping one generates a single bit of entropy. They're most useful when your alphabet's size is a power of two (2, 4, 8, 16, 32, 64, 128, 256, etc.).

When you flip a coin:

- Toss it high up as you flip it. Short flips reduce the coin's randomness.
- Make sure you flick it well so that it rotates quickly. Faster rotation improves randomness.
- Catch it in your hand. Letting it hit a surface and roll flat will bias the results slightly (make it less random).

Dice are cheap and easy to find, but they're not as common as coins. They come in a variety of sizes and shapes. 6-sided dice are common. Role-playing game (RPG) dice are also easy to find. A complete RPG dice set has a 4-sided die, an ordinary 6-sided die, an 8-sided die, two 10-sided dice (one marked with multiples of 10), a 12-sided die, and a 20-sided die.

When rolling dice:

- Don't just drop them an inch or two above a hard surface as most game players do. The results won't be very random. Instead, toss them a long distance across the surface so that they tumble and roll a lot.
- Rolling them onto a hard backdrop (similar to a craps table's rubber bumper) can improve randomness.

Poker and bridge cards (standard 52-card decks with French suits) are also a handy way to generate randomness. You can remove cards to match your alphabet's size.

When using cards:

- Riffle shuffle the deck at least seven times to randomize it. Don't use an overhand shuffle, which many card players use to speed up shuffling or protect decks. Overhand shuffling requires at least 10,000 shuffles to produce random results. Watch a mathematician explain randomness in card shuffling.
- You'll need to reshuffle the entire deck every time you draw a card. If you don't, subsequent draws will make some results more probable than others. Using multiple decks or splitting a deck into smaller ones (if your alphabet has 26 or fewer symbols) and shuffling and drawing from them separately can hasten random number generation.

Some password generation schemes don't require you to reshuffle the deck every time you draw a card ((2) above), but their passwords will have less entropy.

Passwords are sequences of random **symbols**. Therefore, you have to decide which set of symbols — which **alphabet** — you'll use. Each symbol contributes *log _{2} N* bits of entropy, where

Here are some alphabets and the number of bits of entropy each of their symbols contributes:

Alphabet | Symbols | Bits/Symbol |
---|---|---|

Decimal digits (0-9) | 10 | 3.3 |

Hexadecimal | 16 | 4.0 |

Lowercase English alphabet | 26 | 4.7 |

Lowercase English alphabet plus decimal digits | 36 | 5.1 |

Full English alphabet (both cases) | 52 | 5.7 |

Base64 alphabet | 64 | 6.0 |

List of 1,296 common words | 1,296 | 10.3 |

List of 7,776 common words | 7,776 | 12.9 |

Unless otherwise specified, tables in future sections list how many bits of entropy each symbol contributes if each symbol is chosen independently and randomly. Entropy decreases if some symbols aren't chosen independently or randomly.

There are 10 decimal digits (hence the name "decimal"):

0 1 2 3 4 5 6 7 8 9

Assuming you generate each digit independently and randomly:

Digits | Bits | Digits | Bits |
---|---|---|---|

4 | 13.29 | 44 | 146.16 |

8 | 26.58 | 48 | 159.45 |

12 | 39.86 | 52 | 172.74 |

16 | 53.15 | 56 | 186.03 |

20 | 66.44 | 60 | 199.32 |

24 | 79.73 | 64 | 212.60 |

28 | 93.01 | 68 | 225.89 |

32 | 106.30 | 72 | 239.18 |

36 | 119.59 | 76 | 252.47 |

^{*}40 | 132.88 | ^{†}80 | 265.75 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

Ten-sided dice are the easiest way to generate random decimal digits. Throw multiple dice at the same time to generate them faster. Ten-sided dice are cheap and easy to find online and in board game stores.

Suppose you throw two 6-sided dice, one red and one black. Use this table to figure out which decimal digit each throw generates:

Red | |||||||
---|---|---|---|---|---|---|---|

1 | 2 | 3 | 4 | 5 | 6 | ||

Black | 1 | 1 | 2 | 3 | 4 | 5 | 6 |

2 | 7 | 8 | 9 | 0 | 1 | 2 | |

3 | 3 | 4 | 5 | 6 | 7 | 8 | |

4 | 9 | 0 | 1 | 2 | 3 | 4 | |

5 | 5 | 6 | 7 | 8 | 9 | 0 | |

6 | - | - | - | - | - | - |

If the black die shows a 6, throw the dice again.

Probability of generating a digit: 5/6

The slowest way to generate decimal digits is with a coin. Flip a coin five times. Use this to figure out which decimal digit the five flips generate ('H' is heads, 't' is tails):

Flips | Symbol | Flips | Symbol | Flips | Symbol |
---|---|---|---|---|---|

ttttt | 0 | tHtHt | 0 | HtHtt | 0 |

ttttH | 1 | tHtHH | 1 | HtHtH | 1 |

tttHt | 2 | tHHtt | 2 | HtHHt | 2 |

tttHH | 3 | tHHtH | 3 | HtHHH | 3 |

ttHtt | 4 | tHHHt | 4 | HHttt | 4 |

ttHtH | 5 | tHHHH | 5 | HHttH | 5 |

ttHHt | 6 | Htttt | 6 | HHtHt | 6 |

ttHHH | 7 | HtttH | 7 | HHtHH | 7 |

tHttt | 8 | HttHt | 8 | HHHtt | 8 |

tHttH | 9 | HttHH | 9 | HHHtH | 9 |

If the first four flips are heads, ignore them and flip five times again.

You're essentially creating a five-digit binary number (where tails represents 0 and heads represents 1), converting it to decimal, and keeping the units digit.

Probability of generating a digit: 15/16

You can also generate random digits with poker cards. Take a 52-card deck and remove the face cards and jokers, but keep the aces and 10's. There should be 40 cards left.

Shuffle the cards and draw them one at a time. Keep the first card of each suit you encounter and discard the rest. Stop once you keep one card of each suit. The ranks of the four cards you keep correspond to decimal digits:

Card | Digit |
---|---|

Ace | 1 |

2 | 2 |

3 | 3 |

4 | 4 |

5 | 5 |

6 | 6 |

7 | 7 |

8 | 8 |

9 | 9 |

10 | 0 |

Reshuffle the cards after generating digits. If you don't, subsequent draws will make some digits more probable than others, reducing the password's entropy.

Example: Suppose you shuffle and draw the following cards:

You'd keep the four cards with yellow borders (the ace of spades, 3 of clubs, 5 of diamonds, and 3 of hearts) and generate the digits 1, 3, 5, and 3. Then you'd reshuffle the entire deck and repeat until you get all the digits you need.

Hexadecimal is commonly used in computer programming. It combines the decimal digits with the first 6 letters of the English alphabet, providing 16 symbols:

0 1 2 3 4 5 6 7 8 9 a b c d e f

Assuming you generate each symbol independently and randomly:

Symbols | Bits | Symbols | Bits |
---|---|---|---|

4 | 16 | 36 | 144 |

8 | 32 | 40 | 160 |

12 | 48 | 44 | 176 |

16 | 64 | 48 | 192 |

20 | 80 | 52 | 208 |

24 | 96 | 56 | 224 |

28 | 112 | 60 | 240 |

^{*}32 | 128 | ^{†}64 | 256 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

Flip a coin four times. Convert the four flips into a hexadecimal symbol with this table ('H' is heads, 't' is tails):

Flips | Symbol | Flips | Symbol |
---|---|---|---|

tttt | 0 | Httt | 8 |

tttH | 1 | HttH | 9 |

ttHt | 2 | HtHt | a |

ttHH | 3 | HtHH | b |

tHtt | 4 | HHtt | c |

tHtH | 5 | HHtH | d |

tHHt | 6 | HHHt | e |

tHHH | 7 | HHHH | f |

There are 26 letters in the English alphabet:

a b c d e f g h i j k l m n o p q r s t u v w x y z

Assuming you generate each letter independently and randomly:

Letters | Bits | Letters | Bits | Letters | Bits |
---|---|---|---|---|---|

5 | 23.50 | 22 | 103.41 | 39 | 183.32 |

6 | 28.20 | 23 | 108.11 | 40 | 188.02 |

7 | 32.90 | 24 | 112.81 | 41 | 192.72 |

8 | 37.60 | 25 | 117.51 | 42 | 197.42 |

9 | 42.30 | 26 | 122.21 | 43 | 202.12 |

10 | 47.00 | 27 | 126.91 | 44 | 206.82 |

11 | 51.70 | ^{*}28 | 131.61 | 45 | 211.52 |

12 | 56.41 | 29 | 136.31 | 46 | 216.22 |

13 | 61.11 | 30 | 141.01 | 47 | 220.92 |

14 | 65.81 | 31 | 145.71 | 48 | 225.62 |

15 | 70.51 | 32 | 150.41 | 49 | 230.32 |

16 | 75.21 | 33 | 155.11 | 50 | 235.02 |

17 | 79.91 | 34 | 159.81 | 51 | 239.72 |

18 | 84.61 | 35 | 164.52 | 52 | 244.42 |

19 | 89.31 | 36 | 169.22 | 53 | 249.12 |

20 | 94.01 | 37 | 173.92 | 54 | 253.82 |

21 | 98.71 | 38 | 178.62 | ^{†}55 | 258.52 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

Suppose you throw two 6-sided dice, one red and one black. Use this table to figure out which English letter each throw generates:

Red | |||||||
---|---|---|---|---|---|---|---|

1 | 2 | 3 | 4 | 5 | 6 | ||

Black | 1 | a | b | c | d | e | f |

2 | g | h | i | j | k | l | |

3 | m | n | o | p | q | r | |

4 | s | t | u | v | w | x | |

5 | y | z | - | - | - | - | |

6 | - | - | - | - | - | - |

'-' means that you should roll the dice again.

Probability of generating a letter: 11/18

The slowest way to generate English letters is with a coin. Flip a coin five times. Use this to figure out which letter the five flips generate ('H' is heads, 't' is tails):

Flips | Symbol | Flips | Symbol | Flips | Symbol | Flips | Symbol |
---|---|---|---|---|---|---|---|

ttttt | a | tHttt | i | Htttt | q | HHttt | y |

ttttH | b | tHttH | j | HtttH | r | HHttH | z |

tttHt | c | tHtHt | k | HttHt | s | HHtHt | - |

tttHH | d | tHtHH | l | HttHH | t | HHtHH | - |

ttHtt | e | tHHtt | m | HtHtt | u | HHHtt | - |

ttHtH | f | tHHtH | n | HtHtH | v | HHHtH | - |

ttHHt | g | tHHHt | o | HtHHt | w | HHHHt | - |

ttHHH | h | tHHHH | p | HtHHH | x | HHHHH | - |

'-' means that you should ignore the result and flip five times again.

Probability of generating a letter: 13/16

You can also generate random letters with poker cards. Shuffle a deck and flip the top card. Ignore its suit. The card's color and rank correspond to a letter:

Black | Red | ||
---|---|---|---|

Ace | a | Ace | n |

2 | b | 2 | o |

3 | c | 3 | p |

4 | d | 4 | q |

5 | e | 5 | r |

6 | f | 6 | s |

7 | g | 7 | t |

8 | h | 8 | u |

9 | i | 9 | v |

10 | j | 10 | w |

Jack | k | Jack | x |

Queen | l | Queen | y |

King | m | King | z |

Reshuffle the cards after generating a letter. If you don't, subsequent draws will make some letters more probable than others, reducing the password's entropy.

Another technique is to divide the 52 cards into two decks, each containing a red suit and a black suit (so 26 cards per deck), and to shuffle and draw from each deck separately. This might be faster than using a single deck.

Combining lowercase English letters and decimal digits gives 36 symbols.

Assuming you generate each symbol independently and randomly:

Symbols | Bits | Symbols | Bits | Symbols | Bits |
---|---|---|---|---|---|

5 | 25.85 | 21 | 108.57 | 37 | 191.29 |

6 | 31.02 | 22 | 113.74 | 38 | 196.46 |

7 | 36.19 | 23 | 118.91 | 39 | 201.63 |

8 | 41.36 | 24 | 124.08 | 40 | 206.80 |

9 | 46.53 | ^{*}25 | 129.25 | 41 | 211.97 |

10 | 51.70 | 26 | 134.42 | 42 | 217.14 |

11 | 56.87 | 27 | 139.59 | 43 | 222.31 |

12 | 62.04 | 28 | 144.76 | 44 | 227.48 |

13 | 67.21 | 29 | 149.93 | 45 | 232.65 |

14 | 72.38 | 30 | 155.10 | 46 | 237.82 |

15 | 77.55 | 31 | 160.27 | 47 | 242.99 |

16 | 82.72 | 32 | 165.44 | 48 | 248.16 |

17 | 87.89 | 33 | 170.61 | 49 | 253.33 |

18 | 93.06 | 34 | 175.78 | ^{†}50 | 258.50 |

19 | 98.23 | 35 | 180.95 | 51 | 263.67 |

20 | 103.40 | 36 | 186.12 | 52 | 268.84 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

Generating symbols with two 6-sided dice is easy. Suppose one is red and the other is black:

Red | |||||||
---|---|---|---|---|---|---|---|

1 | 2 | 3 | 4 | 5 | 6 | ||

Black | 1 | a | b | c | d | e | f |

2 | g | h | i | j | k | l | |

3 | m | n | o | p | q | r | |

4 | s | t | u | v | w | x | |

5 | y | z | 0 | 1 | 2 | 3 | |

6 | 4 | 5 | 6 | 7 | 8 | 9 |

Combining uppercase (majuscule) and lowercase (miniscule) English letters gives 52 symbols.

Assuming you generate each letter independently and randomly:

Letters | Bits | Letters | Bits | Letters | Bits |
---|---|---|---|---|---|

10 | 57.00 | 22 | 125.41 | 34 | 193.81 |

11 | 62.70 | ^{*}23 | 131.11 | 35 | 199.52 |

12 | 68.41 | 24 | 136.81 | 36 | 205.22 |

13 | 74.11 | 25 | 142.51 | 37 | 210.92 |

14 | 79.81 | 26 | 148.21 | 38 | 216.62 |

15 | 85.51 | 27 | 153.91 | 39 | 222.32 |

16 | 91.21 | 28 | 159.61 | 40 | 228.02 |

17 | 96.91 | 29 | 165.31 | 41 | 233.72 |

18 | 102.61 | 30 | 171.01 | 42 | 239.42 |

19 | 108.31 | 31 | 176.71 | 43 | 245.12 |

20 | 114.01 | 32 | 182.41 | 44 | 250.82 |

21 | 119.71 | 33 | 188.11 | ^{†}45 | 256.52 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

You can generate random English letters with poker cards. Shuffle a deck and flip the top card. Its suit and rank correspond to a letter:

Card | Symbol | Card | Symbol | Card | Symbol | Card | Symbol |
---|---|---|---|---|---|---|---|

A | a | A | A | A | n | A | N |

2 | b | 2 | B | 2 | o | 2 | O |

3 | c | 3 | C | 3 | p | 3 | P |

4 | d | 4 | D | 4 | q | 4 | Q |

5 | e | 5 | E | 5 | r | 5 | R |

6 | f | 6 | F | 6 | s | 6 | S |

7 | g | 7 | G | 7 | t | 7 | T |

8 | h | 8 | H | 8 | u | 8 | U |

9 | i | 9 | I | 9 | v | 9 | V |

10 | j | 10 | J | 10 | w | 10 | W |

J | k | J | K | J | x | J | X |

Q | l | Q | L | Q | y | Q | Y |

K | m | K | M | K | z | K | Z |

You can, of course, arrange the suits in any order you please in the above diagram.

If you reshuffle the entire deck after flipping a single card (generating one letter), each letter will supply 5.7 bits of entropy to your password. If you don't, subsequent draws will make some letters more probable than others, reducing the password's overall entropy. (See a similar scheme that trades entropy for fewer shuffles.)

Base64 is a 64-symbol alphabet:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 + /

Assuming you generate each symbol independently and randomly:

Symbols | Bits | Symbols | Bits | Symbols | Bits |
---|---|---|---|---|---|

5 | 30 | 19 | 114 | 33 | 198 |

6 | 36 | 20 | 120 | 34 | 204 |

7 | 42 | 21 | 126 | 35 | 210 |

8 | 48 | ^{*}22 | 132 | 36 | 216 |

9 | 54 | 23 | 138 | 37 | 222 |

10 | 60 | 24 | 144 | 38 | 228 |

11 | 66 | 25 | 150 | 39 | 234 |

12 | 72 | 26 | 156 | 40 | 240 |

13 | 78 | 27 | 162 | 41 | 246 |

14 | 84 | 28 | 168 | 42 | 252 |

15 | 90 | 29 | 174 | ^{†}43 | 258 |

16 | 96 | 30 | 180 | 44 | 264 |

17 | 102 | 31 | 186 | 45 | 270 |

18 | 108 | 32 | 192 | 46 | 276 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

The easiest to generate Base64 symbols is with two 8-sided dice. Suppose one is red and the other is black:

Red | |||||||||
---|---|---|---|---|---|---|---|---|---|

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | ||

Black | 1 | A | B | C | D | E | F | G | H |

2 | I | J | K | L | M | N | O | P | |

3 | Q | R | S | T | U | V | W | X | |

4 | Y | Z | a | b | c | c | e | f | |

5 | g | h | i | j | k | l | m | n | |

6 | o | p | q | r | s | t | u | v | |

7 | w | x | y | z | 0 | 1 | 2 | 3 | |

8 | 4 | 5 | 6 | 7 | 8 | 9 | + | / |

The slowest way to generate Base64 symbols is with a coin. Flip a coin six times. Convert the first three flips and the last three flips into two numbers using this table ('H' is heads, 't' is tails):

ttt | 0 |

ttH | 1 |

tHt | 2 |

tHH | 3 |

Htt | 4 |

HtH | 5 |

HHt | 6 |

HHH | 7 |

Then convert those two numbers to Base64 as follows:

First Number (First 3 Flips) |
|||||||||
---|---|---|---|---|---|---|---|---|---|

0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | ||

Second Number (Last 3 Flips) |
0 | A | B | C | D | E | F | G | H |

1 | I | J | K | L | M | N | O | P | |

2 | Q | R | S | T | U | V | W | X | |

3 | Y | Z | a | b | c | c | e | f | |

4 | g | h | i | j | k | l | m | n | |

5 | o | p | q | r | s | t | u | v | |

6 | w | x | y | z | 0 | 1 | 2 | 3 | |

7 | 4 | 5 | 6 | 7 | 8 | 9 | + | / |

This "alphabet" is a set of 1,296 common English words (or words of any human language). Each word is counted as a symbol. Any list of words will do as long as there are no duplicates.

Passwords constructed from common words are easier to remember than long strings of random letters and numbers. They're also longer and thus slightly harder for hackers to guess.

Diceware is a password generation scheme that uses lists of 1,296 common words. The Electronic Frontier Foundation (EFF) published two such word lists. (copy of the EFF's first short list (13KiB))

Assuming you generate each word independently and randomly:

Words | Bits | Words | Bits |
---|---|---|---|

4 | 41.36 | 15 | 155.10 |

5 | 51.70 | 16 | 165.44 |

6 | 62.04 | 17 | 175.78 |

7 | 72.38 | 18 | 186.12 |

8 | 82.72 | 19 | 196.46 |

9 | 93.06 | 20 | 206.80 |

10 | 103.40 | 21 | 217.14 |

11 | 113.74 | 22 | 227.48 |

12 | 124.08 | 23 | 237.82 |

^{*}13 | 134.42 | 24 | 248.16 |

14 | 144.76 | ^{†}25 | 258.50 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

Number each word in base six. The first word is 1111, the second is 1112, the sixth is 1116, the seventh is 1121, the eigth is 1122, and the last (1,296th) word is 6666.

To randomly pick a word, roll four 6-sided dice. Pick the word with the resulting number. For example, if your dice show "2545", pick word 2545.

This "alphabet" is a set of 7,776 common English words (or words of any human language). Each word is counted as a symbol. Any list of words will do as long as there are no duplicates.

Passwords constructed from common words are easier to remember than long strings of random letters and numbers. They're also longer and thus slightly harder for hackers to guess.

Diceware is a password generation scheme that uses lists of 7,776 common words. Both the author of Diceware (Arnold G. Reinhold) and the Electronic Frontier Foundation (EFF) published word lists. (copy of the EFF's long list (106KiB))

Assuming you generate each word independently and randomly:

Words | Bits | Words | Bits |
---|---|---|---|

3 | 38.77 | 12 | 155.10 |

4 | 51.70 | 13 | 168.02 |

5 | 64.62 | 14 | 180.95 |

6 | 77.55 | 15 | 193.87 |

7 | 90.47 | 16 | 206.80 |

8 | 103.40 | 17 | 219.72 |

9 | 116.32 | 18 | 232.65 |

^{*}10 | 129.25 | 19 | 245.57 |

11 | 142.17 | ^{†}20 | 258.50 |

^{*}: Highly secure against classical computers^{†}: Highly secure against quantum computers

Number each word in base six. The first word is 11111, the second is 11112, the sixth is 11116, the seventh is 11121, the is eigth 11122, and the last (7,776th) word is 66666.

To randomly pick a word, roll five 6-sided dice. Pick the word with the resulting number. For example, if your dice show "32545", pick word 32545.

These ways to generate passwords have less entropy than the systems outlined in earlier sections because the resulting passwords' symbols aren't generated independently.

Thoroughly shuffle a deck of 52 cards (excluding jokers). Draw cards one at a time. Each card's suit and rank correspond to an English letter, which can be lowercase (miniscule) or uppercase (majuscule):

Card | Symbol | Card | Symbol | Card | Symbol | Card | Symbol |
---|---|---|---|---|---|---|---|

A | a | A | A | A | n | A | N |

2 | b | 2 | B | 2 | o | 2 | O |

3 | c | 3 | C | 3 | p | 3 | P |

4 | d | 4 | D | 4 | q | 4 | Q |

5 | e | 5 | E | 5 | r | 5 | R |

6 | f | 6 | F | 6 | s | 6 | S |

7 | g | 7 | G | 7 | t | 7 | T |

8 | h | 8 | H | 8 | u | 8 | U |

9 | i | 9 | I | 9 | v | 9 | V |

10 | j | 10 | J | 10 | w | 10 | W |

J | k | J | K | J | x | J | X |

Q | l | Q | L | Q | y | Q | Y |

K | m | K | M | K | z | K | Z |

The password's randomness (entropy) will be less than if you were to shuffle the entire deck every time you draw a card, but you'll only have to randomize the deck once.

Here's how much entropy your password will have based on this scheme:

Cards Drawn (Password Length) | Entropy (Bits) | Cards Drawn (Password Length) | Entropy (Bits) |
---|---|---|---|

1 | 5.7 | 27 | 141.9 |

2 | 11.4 | 28 | 146.5 |

3 | 17.0 | 29 | 151.1 |

4 | 22.6 | 30 | 155.7 |

5 | 28.2 | 31 | 160.1 |

6 | 33.8 | 32 | 164.5 |

7 | 39.3 | 33 | 168.8 |

8 | 44.8 | 34 | 173.1 |

9 | 50.2 | 35 | 177.2 |

10 | 55.7 | 36 | 181.3 |

11 | 61.1 | 37 | 185.3 |

12 | 66.4 | 38 | 189.2 |

13 | 71.7 | 39 | 193.0 |

14 | 77.0 | 40 | 196.7 |

15 | 82.3 | ^{†}41 | 200.3 |

16 | 87.5 | 42 | 203.8 |

17 | 92.7 | 43 | 207.1 |

18 | 97.8 | 44 | 210.3 |

19 | 102.9 | 45 | 213.3 |

20 | 107.9 | 46 | 216.1 |

21 | 112.9 | 47 | 218.7 |

22 | 117.9 | 48 | 221.0 |

23 | 122.8 | 49 | 223.0 |

24 | 127.6 | 50 | 224.6 |

^{*}25 | 132.4 | ^{‡}51 | 225.6 |

26 | 137.2 | 52 | 225.6 |

^{*}: Highly secure against classical computers^{†}: Secure against quantum computers^{‡}: Highly secure against quantum computers

If you reshuffle after drawing some cards, you'll increase the entropy, reducing the number of letters you'll need to generate a password with specific amount of entropy. You'll achieve maximum entropy — 5.7 bits per letter — if you reshuffle every time you draw a card; this is the English alphabet scheme described further above.

Ideally, each of your accounts would have a different password. That way a hacker who breaks into one account or service you use can only access that account with the stolen password.

But most of us have at least a dozen accounts; some have several dozen. That's a lot of passwords to remember!

Some people compromise by distinguishing between critical, sensitive, and throwaway accounts and services. They give each critical account or service its own highly-secure password, each moderately sensitive account its own moderately-secure password, and all throwaway accounts the same moderately-secure password. What "sensitive", "moderately sensitive", and "throwaway" mean are up to the user. This is the solution I use.

Other people create a few highly-secure password prefixes. For each account, they combine one of the prefixes with a memorable (not necessarily random) suffix to get a password. This makes it much easier to remember one's passwords, but if an attacker can guess that you're using this scheme, he'll have a much easier time breaking into your other accounts after learning one of your passwords.

Fortunately, password generation doesn't rely on complicated mathematics. You can calculate a system's entropy using grade school and middle school math.

The amount of entropy each symbol contributes to a password (if chosen randomly and independently) is

where "log_{2}" is logarithm base 2 and *N* is the size of the password's alphabet.

Why is this so? Imagine how you could randomly pick one symbol out of an alphabet of *N* symbols. One very general way to do so is to assign each symbol a number from 0 to *N*-1. For example, if your alphabet is the lowercase English letters (*N*=26), you could do this:

Letter | Number | Letter | Number |
---|---|---|---|

a | 0 | n | 13 |

b | 1 | o | 14 |

c | 2 | p | 15 |

d | 3 | q | 16 |

e | 4 | r | 17 |

f | 5 | s | 18 |

g | 6 | t | 19 |

h | 7 | u | 20 |

i | 8 | v | 21 |

j | 9 | w | 22 |

k | 10 | x | 23 |

l | 11 | y | 24 |

m | 12 | z | 25 |

Then you could flip a coin multiple times, convert the flips into a binary number (1's and 0's), convert the binary number to a base ten number (our everyday counting system), and pick the letter associated with that number. For example, if you were to use the table above and flip tails, heads, heads, tails, and tails, you'd convert the five flips into the binary number "01100", which is "12" in base ten, which corresponds to the digit "m" in the table. If the generated number isn't assigned to any symbols in your alphabet, keep generating numbers until you pick a symbol. It's easy to see that this scheme makes choosing each symbol equally likely.

Assuming you only have to generate one binary number to pick a symbol, how many times would you have to flip a coin to pick a symbol? (In other words, how many digits would the binary number have to have?) The answer is the symbol's contribution to the password's entropy. Remember, a coin flip has 1 bit of entropy. If it takes 5 coin flips to randomly pick a symbol out of an alphabet, the symbol's entropy contribution is 5 bits. Therefore, given that

which states that it takes *x* coin flips to randomly pick one of *N* symbols,

*x* is each symbol's entropy.

Note that *x* will be fractional unless *N* is a power of 2. There are 26 lowercase English letters, so each letter contributes

bits if chosen independently and randomly.

Another way to measure a password generation system's entropy is to look at how many different passwords it can generate. Assuming the system can generate *M* different passwords and each one is equally likely (that is, each password is chosen independently and randomly), ask, "How many coin flips would it take to randomly select one of the *M* passwords?" The answer is the system's information entropy in bits. If there are *M* possibilities, the password generator's entropy is

Note that if you choose one of *N* symbols independently and randomly *m* times (so that *M* = *N ^{m}*; see "The Rule of Product" below), the resulting entropy will be

which is the same as saying that the system's entropy is *m* times the entropy contribution of each randomly-selected symbol.

The mathematical foundations of password systems and password strength come from **combinatorics**, the study of arrangements. It rests on a few simple **counting principles**. One that's particularly important for passwords is the **rule of product**.

Suppose you can choose one of A things followed by one of B things. How many combinations of one A thing and one B thing are there?

For example, if A is the letters {X, Y} and B is the numbers {1, 2, 3, 4}, then there are two choices for A and four for B. The AB combinations are:

X1 X2 X3 X4 Y1 Y2 Y3 Y4

There are eight combinations. Notice that this is the size of A times the size of B: 2 x 4.

This observation generalizes to all sets A and B:

The total number of combinations of one A thing followed by one B thing is |A| x |B|.

Here "|A|" means "the number of things in A" or "the size of A".

What if you choose one from each of three sets A, B, and C? The total number of combinations is |A| x |B| x |C|. Why does this work? If we define a fourth set D as the set of combinations of one B thing followed by one C thing, then D has |B| x |C| things. Now, how many combinations of one A thing and one D thing are there? The answer is:

|A| x |D| = |A| x (|B| x |C|) = |A| x |B| x |C|

To see how this applies to password generation, suppose you make the lowercase English letters your password alphabet. Let's call this alphabet A. The alphabet has 26 letters, so |A| = 26. If you were to generate a single-letter password, there would only be 26 possible passwords. But if you randomly choose two letters, there would be

|A| x |A| = 26 x 26 = 26^{2}= 676 possible passwords

The possibilities grow exponentially as you add more letters:

Number of Letters | Number of Possible Passwords |
---|---|

1 | 26^{1} = 26 |

2 | 26 x 26 = 26^{2} = 676 |

3 | 26 x 26 x 26 = 26^{3} = 17,576 |

... | ... |

n | |A|^{n} |

So if you randomly and independently choose *n* letters, there would be |A|^{n} possible passwords.

Suppose you have a set of things. We'll call the set A. Each thing in A is unique. How many arrangements of those A things are there? In other words, if you had to arrange everything in A into a line, how many possible lines would there be?

Each of these arrangements is called a **permutation**. Counting permutations relies on the rule of product.

Let's use poker cards as an example. There are 52 cards in a standard poker deck (excluding jokers). If we line all the cards up (to form a permutation), we'd have to start by deciding which card comes first. There are 52 choices. Once we choose the first card, we'll have 51 choices for the second. And once we choose the second card, we'll have 50 choices for the third. This continues until we have only one card left, which becomes the final card.

Each position in this line acts like a set of choices. The first position has 52 card choices; the second, 51; the third, 50; and so on. What's the total number of choice combinations? Using the rule of product, there are

|1st| x |2nd| x |3rd| x ... x |51st| x |52nd| = 52 x 51 x 50 x ... x 2 x 1 permutations

Mathematicians write "52!", read "52 factorial", to signify these multiplications. So the number of permutations of a standard 52-card poker deck is 52!, which is

80,658,175,170,943,878,571,660,636,856,403,766,975,289,505,440,883,277,824,000,000,000,000

There are more permutations of poker cards than there are atoms in the observable Universe! This number is so huge that it's unlikely that any two games of poker (or any other game using poker cards) were ever played with exactly the same deck of well-shuffled cards.

We generalize this by saying:

The number of permutations of a set of X distinct things is "|X|!", or

|X| x (|X|-1) x (|X|-2) x ... x 1

Mathematicians say that 0! = 1. This makes some calculations more convenient.

What if you need to form a permutation with fewer than X things? Let's use the poker cards again. If you need to form a permutation of five cards, there would be

|1st| x |2nd| x |3rd| x |4th| x |5th| = 52 x 51 x 50 x 49 x 48 permutations

This is like forming a permutation with all 52 cards but ignoring the last 47. How can we express this mathematically? Well, looking back on grade school and middle school, you might remember that dividing a number by itself effectively "cancels" it. For example:

Notice that the sixes "cancel" each other, leaving the 2.

For our permutation of five poker cards, we want to form a permutation of all 52 cards and "cancel" the permutation of the last 47 cards. There are 47! permutations of 47 cards, so the number of permutations of five cards is

We generalize this result by saying:

The number of permutations of

nofxdistinct things isis a convenient shorthand for this number.

Let's apply this to password generation. Recall the alternative poker card password system in which you assign each of 52 poker cards a different English letter (uppercase or lowercase), shuffle the deck, draw *n* cards, and use the resulting arrangement of *n* letters as your password. This is a permutation of *n* of 52 cards, so there are possible passwords. The system's entropy is thus

(Recall the "Information Entropy" section for this formula.) Clearly, the more cards you choose after shuffling, the more entropy the system will have.