Password Complexity versus Password Entropy (Length)
** A huge thanks to the MS Crypto Board for all of the hand-holding and explanations -- especially David LeBlanc, Michael Scovetta, and Marsh Ray.
For the purpose of this post, the following definitions will be used:
- Password Complexity: the rules imposed when setting passwords, intended to guarantee that the passwords chosen are both difficult to crack and difficult to guess.
- Password Entropy: the level of chaos or randomness present in a system -- in this case, a string of characters that make up a password.
- Bits of Entropy: the mathematical measurement, in bits, of how difficult it is to crack a password.
So there are a couple of really interesting things you might have noticed:
- Mathematically, the LENGTH of the password is exponentially more important than the complexity of the character-set used.
- ANY complexity rule, including a required number of numbers, letters, specials, etc., actually makes passwords easier to crack, because it shrinks the key-space an attacker has to search.
...
When looking at passwords in this light, it really starts to become clear how much more important the password length is, as opposed to the defined complexity requirements. To further this point, if you're using passwords with a character set of 10 (only numbers), in order to achieve the same amount of entropy as a character set of 94 (all printable ASCII characters), you only have to double the password's length. To say it another way, a password that is 16 characters long made up of only numbers provides the same level of difficulty-to-crack as an 8 character password made up of the 94 possible characters.
So hopefully this helped clear up why:
- Password lengths are significantly more important than password complexity requirements
- Password complexity only prevents users from creating easy-to-guess passwords
- Password complexity actually reduces the total number of possible passwords in a key-space
- In theory, the most secure password policy would define a longer minimum length with no other complexity requirements, combined with a very large dictionary of all easily-guessable passwords that are rejected
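The arithmetic behind the two claims above (length beats character-set size; complexity rules shrink the key-space) is easy to check. The following is an added worked example, not code from the original post: it computes bits of entropy as length times log2 of the character-set size, finds the digits-only length that matches a 94-character 8-character password, and counts by inclusion-exclusion how many passwords survive a "must contain every character class" rule. The split of the 94 printable ASCII characters into 26 lower, 26 upper, 10 digits and 32 specials is an assumption made for the example.

```python
import math
from itertools import combinations, product

# Assumed split of the 94 printable ASCII characters into classes
# (26 lower + 26 upper + 10 digits + 32 specials = 94).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def length_to_match(charset_size: int, target_bits: float) -> int:
    """Smallest length over a `charset_size` alphabet that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def keyspace_requiring_all_classes(class_sizes, length: int) -> int:
    """Number of strings of the given length that contain at least one character
    from EVERY class, computed by inclusion-exclusion over the set of classes
    that are absent from the string."""
    sizes = list(class_sizes)
    alphabet = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(range(len(sizes)), k):
            remaining = alphabet - sum(sizes[i] for i in missing)
            count += (-1) ** k * remaining ** length
    return count


def brute_force_requiring_all_classes(class_alphabets, length: int) -> int:
    """Exhaustive cross-check of the formula above for tiny alphabets:
    enumerate every string and keep those that use every class."""
    alphabet = "".join(class_alphabets)
    return sum(
        1
        for chars in product(alphabet, repeat=length)
        if all(any(c in cls for c in chars) for cls in class_alphabets)
    )


def bits_lost_to_rule(class_sizes, length: int) -> float:
    """How many bits of key-space a 'use every class' rule removes at this length."""
    total = sum(class_sizes) ** length
    allowed = keyspace_requiring_all_classes(class_sizes, length)
    return math.log2(total / allowed)


def compare_policies() -> dict:
    """Numbers behind the post's two claims, for an 8-character, 94-character-set baseline."""
    baseline = entropy_bits(94, 8)
    return {
        "bits_94chars_len8": baseline,
        "bits_digits_len16": entropy_bits(10, 16),
        "digits_len_to_match": length_to_match(10, baseline),
        "keyspace_no_rule": 94 ** 8,
        "keyspace_all_classes_rule": keyspace_requiring_all_classes(CLASSES.values(), 8),
        "bits_lost_to_rule": bits_lost_to_rule(CLASSES.values(), 8),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>28}: {value:,}" if isinstance(value, int) else f"{name:>28}: {value:.2f}")
```

Doubling the length of a digits-only password (16 characters) lands within a bit of the 94-character 8-character baseline, which is the equivalence the post describes. The complexity-rule count is smaller than the unconstrained 94^8 key-space, so the rule tells an attacker which candidates can be skipped; the loss is modest at 8 characters, but it is always a loss, never a gain.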