# Why change a strong password? Brute force and entropy

What is a strong password? As technology has advanced over the past decades, the policy has changed several times as to what counts as such. Power for brute force is becoming more and more available, including in the clouds, so the requirements for password entropy are increasing – in 2022 it is recommended to use special characters, numbers, letters in different cases, with a total length minimum 11 characters.

There has been a recent discussion in the information security industry about changing passwords. In particular, there were recommendations against periodic password changes. The logic is that it’s harder for users to learn new passwords every week than it is to remember one big, complex password. In 2017, recommendations against changing passwords published the NIST organization responsible for the adoption of password security standards.

## NIST Guidelines

A password is a pattern, word, combination, or other type of information that is supposedly known only to the user and can be verified to verify the user’s identity.

The standards and definitions for password protection are set out in NIST Special Publication 800-63Bsection 5.1.1.2 “Memorable secret verifiers” (NIST, 2017).

In 2017, NIST went on the record saying that mandatory password changes actually significantly reduce the overall security of the password system and should not be used. This is explained in the questions B05 and B06 See the FAQ section of the NIST Documentation for Updated Special Publications (NIST, 2020).

But in fact, very little research has been done to support the NIST thesis about the decrease in the entropy of passwords when they are periodically changed. Let’s see if this is actually the case.

## Entropy and brute force

To calculate the entropy (E) of a password, use the formula

The number of attempts (G) required to guess a password with a probability of 50% is calculated using the formula

• S is the size of the pool of unique characters. Some components of the pool:

• digits (0-9): 10
• lowercase latin characters (az): 26
• lowercase and uppercase Latin characters (az, AZ): 52
• ASCII character set (az, AZ, characters, space): 95
• L – password length

The higher the entropy, the better, and by modern standards, 36-bit entropy is considered sufficient. For example, a password like

`S@mp1ePas\$word`

consists of lowercase and uppercase letters, numbers, and special ASCII characters, 14 characters long. This combination gives a pool size of 95, and according to the formula, this corresponds to approximately 4.87×10

27

The entropy of such a password will be calculated as , which is approximately 91.98 bits. With this entropy value, we can roughly calculate how many attempts on average it will take to guess a password (brute force 50% of all possible options). According to the formula we get 291.98-1that is, approximately 2.44 × 1027 random attempts.

This is a general description of the method. In reality, an attacker can significantly reduce the number of attempts with a dictionary. To maintain normal entropy, it is critical to generate random passwords in special software with strong PRNG, and not manually.

But it is generally accepted in the industry that the entropy of a password calculated using this method correlates with its security.

By comparison, an eight-character lowercase password has an entropy of only 37.6 bits, giving us an average of 104.2 billion attempts. Assuming a computer system iterates over a hundred billion options per secondthen she will crack such a password almost instantly even without the help of a dictionary.

## Periodic password changes increase entropy

A group of researchers from the University of Robert Morris (USA) wondered how effective is the periodic change of passwords. In particular, they decided to check how much the entropy decreases or increases in this process.

The researchers set up a small experiment in which 51 volunteers from thematic communities agreed to participate. `r/PCMasterRace`, `r/SysAdmin` and `r/CyberSecurity`where computer technology enthusiasts communicate.

Brief description of the experiment:

1. Participants were asked to create an account on the experiment’s website and come up with a random password from 2 to 160 characters.
2. They then logged into the account twice a week for two months. The login was required to check if the participants remember their password and if they can use it for an extended period of time.

The system was programmed to automatically log all login attempts, both successful and unsuccessful. The system also automatically recorded all password entropy values ​​each time the password was updated or reset. These metrics were designed to capture whether any particular group had a higher rate of failed login attempts or other login errors, and to track user participation in the study over time.

A script has been written to securely calculate the entropy of passwords on a host without exposing or storing the actual password value in the clear.

PHP script to calculate entropy

``````<?php

//Получение имени пользователя и пароля из формы

//Вычисление энтропии
\$value = 0;
\$set = 0;
\$pattern = preg_match_all("/[A-Z]/", \$savedpass);
if (\$pattern != 0)
{
\$set = \$set + 26;
}
\$value = \$value + \$pattern;
\$pattern = preg_match_all("/[a-z]/", \$savedpass);
if (\$pattern != 0)
{
\$set = \$set + 26;
}
\$value = \$value + \$pattern;
\$pattern = preg_match_all("/[0-9]/", \$savedpass);
if (\$pattern != 0)
{
\$set = \$set + 10;
}
\$value = \$value + \$pattern;
\$pattern = preg_match_all("/[ -\/\:-@[-`{-~]/", \$savedpass);
if (\$pattern != 0)
{
\$set = \$set + 33;
}
\$value = \$value + \$pattern;

//Вычисление log2(s^l)
\$sl = pow(\$set, \$value);
\$entropy = log(\$sl, 2);
\$entropy = round(\$entropy, 2);

//Проверка на наличие некорректных символов
\$crosscheck = preg_match_all("/[^ -~]/", \$savedpass);
if (\$crosscheck != 0) {
\$debuglog = "ILLEGAL CHARACTERS IN PASSWORD!";
}
else {
\$debuglog = "ALL CLEAR";
}
?>``````

At the end of the experiment, the following entropy results were obtained (28 people lasted until the end of the experiment):

The final survey of users from three control groups showed that about half of them use a password manager, and one in three uses a predictable pattern when creating a new password.

However, the authors conclude that periodically changing the password raises rather than lowers their entropy, as suggested by NIST. Although, given the limited sample size, additional studies are needed to confirm the patterns found.

Research results published in April 2022 in the magazine “Problems of information systems” (volume 23:2pp. 29-41, doi: 10.48009/2_iis_2022_10).