Password Entropy and Password Quality

Wanli Ma, John Campbell, Dat Tran, Dale Kleeman

Research output: A Conference proceeding or a Chapter in Book › Conference contribution

31 Citations (Scopus)
3 Downloads (Pure)

Abstract

Passwords are the first line of defense for many computerized systems. The quality of these passwords decides the security strength of these systems. Many studies advocate using password entropy as an indicator for password quality where lower entropy suggests a weaker or less secure password. However, a closer examination of this literature shows that password entropy is very loosely defined. In this paper, we first discuss the calculation of password entropy and explain why it is an inadequate indicator of password quality. We then establish a password quality assessment scheme: password quality indicator (PQI). The PQI of a password is a pair $\lambda = (D, L)$, where $D$ is the Levenshtein's editing distance of the password in relation to a dictionary of words and common mnemonics, and $L$ is the effective password length. Finally, we propose to use PQI to prescribe the characteristics of good quality passwords.
Original language: English
Title of host publication: Fourth International Conference on Network and System Security (NSS 2010)
Place of Publication: USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 583-587
Number of pages: 5
ISBN (Print): 9780769541594
DOIs: https://doi.org/10.1109/NSS.2010.18
Publication status: Published - 2010
Event: Fourth International Conference on Network and System Security (NSS 2010), Melbourne, Australia
Duration: 1 Sep 2010 → 3 Sep 2010

Conference

Conference: Fourth International Conference on Network and System Security (NSS 2010)
Country: Australia
City: Melbourne
Period: 1/09/10 → 3/09/10

Fingerprint

Entropy
Glossaries

Cite this

Ma, W., Campbell, J., Tran, D., & Kleeman, D. (2010). Password Entropy and Password Quality. In Fourth International Conference on Network and System Security (NSS 2010) (pp. 583-587). USA: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/NSS.2010.18