Entropy is a hard concept

Glenn Fleishman just published a really great article on Fast Company about the difficulty of creating truly strong passwords. This is something we struggle to explain in layman's terms on our site, so I'm glad we can link to something like this now. A strong password is surprisingly hard for humans to create without tools. Even worse, most passwords that people (including the tech-savvy) believe are strong are actually weak. For example, Glenn outlines in the article how seemingly secure, long passwords can be cracked easily using modern techniques. The term used to describe the strength of a password is entropy - what's that?

entropy |ˈentrəpē|

  1. Physics a thermodynamic quantity representing the unavailability of a system's thermal energy for conversion into mechanical work, often interpreted as the degree of disorder or randomness in the system.
  2. lack of order or predictability; gradual decline into disorder: a marketplace where entropy reigns supreme.
  3. (in information theory) a logarithmic measure of the rate of transfer of information in a particular message or language.

The second definition, "lack of predictability", is the key one here - we want passwords that are hard for others to guess. Most password rules evaluate entropy by counting the length of a password and the number of kinds of characters, without taking into account the fact that Glenn highlights in the article: humans use a lot of mnemonic patterns in their passwords, which have much lower entropy than their length would imply. This is why Meldium uses a realistic password strength meter, which was created and open-sourced by Dropbox. The entropy estimator we use knows that "Password11!!" isn't any better than "password" - both can be guessed in microseconds by an attacker. I look forward to Glenn's article teaching more people that the only way to have truly secure and unique passwords is to use a password generator!
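To make the difference concrete, here is an added illustration (not Meldium's code, and not the Dropbox estimator, zxcvbn, that the post refers to): it contrasts the naive length-times-charset estimate most password rules use with a simplified pattern-aware estimate in zxcvbn's spirit, where a dictionary word costs roughly its rank, a run of repeated characters costs the base character times the run length, and only unrecognised characters are charged at brute-force rates. The word list and the cost rules are constructed simplifications; the third sample password is a constructed random string.

```python
import math
import re

# Constructed mini-dictionary in rank order (rank 1 = most common). A real
# estimator such as zxcvbn ships tens of thousands of ranked words.
COMMON_WORDS = ["password", "letmein", "welcome", "dragon", "monkey", "qwerty"]
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]

def charset_size(c: str) -> int:
    """Brute-force alphabet one character is drawn from."""
    return next(n for pat, n in CLASSES if re.match(pat, c))

def naive_entropy_bits(pw: str) -> float:
    """The usual 'password rules' estimate: length x log2(union of charsets used)."""
    space = sum(n for pat, n in CLASSES if re.search(pat, pw))
    return len(pw) * math.log2(space) if space else 0.0

def estimate_guesses(pw: str) -> float:
    """Simplified pattern-aware estimate: tokenize greedily, multiply per-token guesses."""
    guesses, i = 1.0, 0
    while i < len(pw):
        rest = pw[i:]
        # 1. Dictionary word (case-insensitive): cost is its rank, doubled for a
        #    simple capitalization, more for unusual mixed case.
        word = max((w for w in COMMON_WORDS if rest.lower().startswith(w)),
                   key=len, default=None)
        if word:
            token, g = rest[:len(word)], COMMON_WORDS.index(word) + 1
            if token != word:
                simple = (token[0].isupper() and token[1:].islower()) or token.isupper()
                g *= 2 if simple else 2 ** sum(ch.isupper() for ch in token)
            guesses, i = guesses * g, i + len(word)
            continue
        # 2. Run of one repeated character: base character times run length.
        m = re.match(r"(.)\1+", rest)
        if m:
            guesses, i = guesses * charset_size(m.group(1)) * len(m.group(0)), i + len(m.group(0))
            continue
        # 3. Nothing recognized: charge one brute-forced character.
        guesses, i = guesses * charset_size(rest[0]), i + 1
    return guesses

def pattern_entropy_bits(pw: str) -> float:
    """log2 of the pattern-aware guess count, comparable with naive_entropy_bits."""
    return math.log2(estimate_guesses(pw))

if __name__ == "__main__":
    for pw in ["password", "Password11!!", "k8$Qz2#Lp9!v"]:  # last one: constructed random
        print(f"{pw:14} naive={naive_entropy_bits(pw):5.1f} bits  pattern-aware={pattern_entropy_bits(pw):5.1f} bits")
```

The naive rule credits "Password11!!" with almost 79 bits, while the pattern-aware estimate puts it at roughly 2,600 guesses (about 11 bits), barely above "password" itself; the random string keeps most of its bits under both estimates.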