Password Entropy and Password Quality
- 1 September 2010
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2010 Fourth International Conference on Network and System Security
- p. 583-587
- https://doi.org/10.1109/nss.2010.18
Abstract
Passwords are the first line of defense for many computerized systems. The quality of these passwords decides the security strength of these systems. Many studies advocate using password entropy as an indicator for password quality where lower entropy suggests a weaker or less secure password. However, a closer examination of this literature shows that password entropy is very loosely defined. In this paper, we first discuss the calculation of password entropy and explain why it is an inadequate indicator of password quality. We then establish a password quality assessment scheme: password quality indicator (PQI). The PQI of a password is a pair λ = (D, L), where D is the Levenshtein's editing distance of the password in relation to a dictionary of words and common mnemonics, and L is the effective password length. Finally, we propose to use PQI to prescribe the characteristics of good quality passwords.