Elaborate more on passphrase length and strength

For anyone interested in the math, here is the basic formula for measuring a password/phrase’s entropy:

Entropy = log₂(Rᴸ)

(where R = the character set or word list size (e.g. 26 for just lowercase letters, 95 for all symbols on a keyboard, or 7776 for Bitwarden’s word list) and L = length in characters or words)

So for example a 5 word passphrase from a 7776 word list would be: log₂(7776⁵) = 64 bits

You don’t have to use the formula in practice, but understanding it and playing around with it a bit will give you a more intuitive understanding of the two dimensional nature of password strength (password length and character/word set)

My memory is rusty on how key derivation functions apply. IIRC if you use PBKDF2 (which was the standard until recently) the formula is Equivalent Entropy = log₂(Rᴸ) + log₂(iterations), where iterations are the number of PBKDF2 iterations. So sticking with our same example above but adding 600k iterations:

log₂(7776⁵) + log₂(600000) = 83 bits. In other words, 600k PBKDF2 iterations would add the equivalent of 19 bits of entropy to the 5 word passphrase (if I am remembering correctly, and got the math right, please double-check before relying on it)

edit: and for those whose eyes glaze over at the mention of math, a less technical and more intuitive way to quantify password strength is estimating cost to crack

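The entropy formula, the PBKDF2 "equivalent bits" adjustment and the cost-to-crack estimate from the post above, as a small added Python example (this is not the poster's code, nor Bitwarden's). The function names are my own, and the attacker guess rate of 10 billion raw hashes per second is a constructed assumption used only to show how the estimate is put together; it is not a measured figure.

```python
import math

# Set sizes quoted in the post
LOWERCASE = 26            # a-z only
KEYBOARD_PRINTABLE = 95   # printable ASCII
PASSPHRASE_WORDLIST = 7776  # size of Bitwarden's passphrase word list


def entropy_bits(set_size: int, length: int) -> float:
    """Entropy = log2(R^L). Computed as L * log2(R) so the number never overflows."""
    if set_size < 2 or length < 1:
        raise ValueError("need a set of at least 2 symbols and a length of at least 1")
    return length * math.log2(set_size)


def kdf_equivalent_bits(entropy: float, iterations: int) -> float:
    """Equivalent entropy after PBKDF2: every guess costs `iterations` hash
    computations, so the attacker's work grows by log2(iterations) bits."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    return entropy + math.log2(iterations)


def length_for_target(set_size: int, target_bits: float) -> int:
    """Smallest length L such that log2(R^L) >= target_bits."""
    return math.ceil(target_bits / math.log2(set_size))


def expected_crack_seconds(equivalent_bits: float, raw_hashes_per_second: float) -> float:
    """Expected time to find the secret: on average half the space is searched.
    Because `equivalent_bits` already includes the KDF cost, the rate here is the
    raw (single-hash) rate, not a rate of full PBKDF2 guesses."""
    return (2 ** equivalent_bits) / 2 / raw_hashes_per_second


def strength_table(lengths=(4, 5, 6, 8, 10, 12)) -> dict:
    """Entropy for several lengths across the three sets, to make the
    two-dimensional nature of strength (length x set size) visible."""
    return {
        name: {L: round(entropy_bits(size, L), 1) for L in lengths}
        for name, size in (("lowercase", LOWERCASE),
                           ("keyboard", KEYBOARD_PRINTABLE),
                           ("wordlist", PASSPHRASE_WORDLIST))
    }


if __name__ == "__main__":
    # The post's worked example: 5 words from a 7776-word list
    raw = entropy_bits(PASSPHRASE_WORDLIST, 5)
    with_kdf = kdf_equivalent_bits(raw, 600_000)
    print(f"5 words, 7776-word list: {raw:.1f} bits")
    print(f"... plus 600k PBKDF2 iterations: {with_kdf:.1f} equivalent bits")

    # Constructed assumption: an attacker computing 1e10 raw hashes per second
    years = expected_crack_seconds(with_kdf, 1e10) / (365.25 * 24 * 3600)
    print(f"expected crack time at 1e10 hashes/s (assumed): {years:.3g} years")

    print("words needed for 128 bits:", length_for_target(PASSPHRASE_WORDLIST, 128))
    for name, row in strength_table().items():
        print(f"{name:>9}: {row}")
```

Note that the KDF term only raises the attacker's cost per guess; it does not make a weak passphrase strong on its own, which is why the table of raw entropy is worth looking at separately from the "equivalent bits" figure.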