CINXE.COM

<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Password strength - Wikipedia</title> <script>(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy", "wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"b750fd1b-200f-414e-8eb7-620458f97f59","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Password_strength","wgTitle":"Password strength","wgCurRevisionId":1258888312,"wgRevisionId":1258888312,"wgArticleId":4459886,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["Webarchive template wayback links","Webarchive template other archives","Articles with short description","Short description is different from Wikidata","Articles needing cleanup from January 2022","All pages needing cleanup","Articles containing how-to sections","All articles with unsourced statements","Articles with unsourced statements from June 2024","Articles with unsourced statements from January 2012","Cryptography","Password authentication"],"wgPageViewLanguage":"en", "wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Password_strength","wgRelevantArticleId":4459886,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":60000,"wgRelatedArticlesCompat":[],"wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId":"Q1990841", "wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready","ext.math.styles":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","mediawiki.page.media","site","mediawiki.page.ready","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp" ,"ext.gadget.ReferenceTooltips","ext.gadget.switcher","ext.urlShortener.toolbar","ext.centralauth.centralautologin","mmv.bootstrap","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022","ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession","wikibase.sidebar.tracking"];</script> <script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" href="/w/load.php?lang=en&modules=ext.cite.styles%7Cext.math.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&only=styles&skin=vector-2022"> <script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/0/0f/KeePass_random_password.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="1301"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/0/0f/KeePass_random_password.png"> <meta property="og:image:width" content="800"> <meta property="og:image:height" content="868"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/0/0f/KeePass_random_password.png/640px-KeePass_random_password.png"> <meta property="og:image:width" content="640"> <meta property="og:image:height" content="694"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="Password strength - Wikipedia"> <meta property="og:type" content="website"> <link rel="preconnect" href="//upload.wikimedia.org"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Password_strength"> <link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Password_strength&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"> <link rel="icon" href="/static/favicon/wikipedia.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"> <link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"> <link rel="canonical" href="https://en.wikipedia.org/wiki/Password_strength"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> <link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom"> <link rel="dns-prefetch" href="//meta.wikimedia.org" /> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Password_strength rootpage-Password_strength skin-vector-2022 action-view"><a class="mw-jump-link" href="#bodyContent">Jump to content</a> <div class="vector-header-container"> <header class="vector-header mw-header"> <div class="vector-header-start"> <nav class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-dropdown" class="vector-dropdown vector-main-menu-dropdown vector-button-flush-left vector-button-flush-right" > <input type="checkbox" id="vector-main-menu-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-main-menu-dropdown" class="vector-dropdown-checkbox " aria-label="Main menu" > <label id="vector-main-menu-dropdown-label" for="vector-main-menu-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-menu mw-ui-icon-wikimedia-menu"></span> <span class="vector-dropdown-label-text">Main menu</span> </label> <div class="vector-dropdown-content"> <div id="vector-main-menu-unpinned-container" class="vector-unpinned-container"> <div id="vector-main-menu" class="vector-main-menu vector-pinnable-element"> <div class="vector-pinnable-header vector-main-menu-pinnable-header vector-pinnable-header-unpinned" data-feature-name="main-menu-pinned" data-pinnable-element-id="vector-main-menu" data-pinned-container-id="vector-main-menu-pinned-container" data-unpinned-container-id="vector-main-menu-unpinned-container" > <div class="vector-pinnable-header-label">Main menu</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-main-menu.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-main-menu.unpin">hide</button> </div> <div id="p-navigation" class="vector-menu mw-portlet mw-portlet-navigation" > <div class="vector-menu-heading"> Navigation </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mainpage-description" class="mw-list-item"><a href="/wiki/Main_Page" title="Visit the main page [z]" accesskey="z"><span>Main page</span></a></li><li id="n-contents" class="mw-list-item"><a href="/wiki/Wikipedia:Contents" title="Guides to browsing Wikipedia"><span>Contents</span></a></li><li id="n-currentevents" class="mw-list-item"><a href="/wiki/Portal:Current_events" title="Articles related to current events"><span>Current events</span></a></li><li id="n-randompage" class="mw-list-item"><a href="/wiki/Special:Random" title="Visit a randomly selected article [x]" accesskey="x"><span>Random article</span></a></li><li id="n-aboutsite" class="mw-list-item"><a href="/wiki/Wikipedia:About" title="Learn about Wikipedia and how it works"><span>About Wikipedia</span></a></li><li id="n-contactpage" class="mw-list-item"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us" title="How to contact Wikipedia"><span>Contact us</span></a></li> </ul> </div> </div> <div id="p-interaction" class="vector-menu mw-portlet mw-portlet-interaction" > <div class="vector-menu-heading"> Contribute </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-help" class="mw-list-item"><a href="/wiki/Help:Contents" title="Guidance on how to use and edit Wikipedia"><span>Help</span></a></li><li id="n-introduction" class="mw-list-item"><a href="/wiki/Help:Introduction" title="Learn how to edit Wikipedia"><span>Learn to edit</span></a></li><li id="n-portal" class="mw-list-item"><a href="/wiki/Wikipedia:Community_portal" title="The hub for editors"><span>Community portal</span></a></li><li id="n-recentchanges" class="mw-list-item"><a href="/wiki/Special:RecentChanges" title="A list of recent changes to Wikipedia [r]" accesskey="r"><span>Recent changes</span></a></li><li id="n-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_upload_wizard" title="Add images or other media for use on Wikipedia"><span>Upload file</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> <a href="/wiki/Main_Page" class="mw-logo"> <img class="mw-logo-icon" src="/static/images/icons/wikipedia.png" alt="" aria-hidden="true" height="50" width="50"> <span class="mw-logo-container skin-invert"> <img class="mw-logo-wordmark" alt="Wikipedia" src="/static/images/mobile/copyright/wikipedia-wordmark-en.svg" style="width: 7.5em; height: 1.125em;"> <img class="mw-logo-tagline" alt="The Free Encyclopedia" src="/static/images/mobile/copyright/wikipedia-tagline-en.svg" width="117" height="13" style="width: 7.3125em; height: 0.8125em;"> </span> </a> </div> <div class="vector-header-end"> <div id="p-search" role="search" class="vector-search-box-vue vector-search-box-collapses vector-search-box-show-thumbnail vector-search-box-auto-expand-width vector-search-box"> <a href="/wiki/Special:Search" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only search-toggle" title="Search Wikipedia [f]" accesskey="f"><span class="vector-icon mw-ui-icon-search mw-ui-icon-wikimedia-search"></span> <span>Search</span> </a> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail cdx-typeahead-search--auto-expand-width"> <form action="/w/index.php" id="searchform" class="cdx-search-input cdx-search-input--has-end-button"> <div id="simpleSearch" class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search Wikipedia" aria-label="Search Wikipedia" autocapitalize="sentences" title="Search Wikipedia [f]" accesskey="f" id="searchInput" > <span class="cdx-text-input__icon cdx-text-input__start-icon"></span> </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <nav class="vector-user-links vector-user-links-wide" aria-label="Personal tools"> <div class="vector-user-links-main"> <div id="p-vector-user-menu-preferences" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-userpage" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-dropdown" class="vector-dropdown " title="Change the appearance of the page's font size, width, and color" > <input type="checkbox" id="vector-appearance-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-appearance-dropdown" class="vector-dropdown-checkbox " aria-label="Appearance" > <label id="vector-appearance-dropdown-label" for="vector-appearance-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-appearance mw-ui-icon-wikimedia-appearance"></span> <span class="vector-dropdown-label-text">Appearance</span> </label> <div class="vector-dropdown-content"> <div id="vector-appearance-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div id="p-vector-user-menu-notifications" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-overflow" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en" class=""><span>Donate</span></a> </li> <li id="pt-createaccount-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:CreateAccount&returnto=Password+strength" title="You are encouraged to create an account and log in; however, it is not mandatory" class=""><span>Create account</span></a> </li> <li id="pt-login-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:UserLogin&returnto=Password+strength" title="You're encouraged to log in; however, it's not mandatory. [o]" accesskey="o" class=""><span>Log in</span></a> </li> </ul> </div> </div> </div> <div id="vector-user-links-dropdown" class="vector-dropdown vector-user-menu vector-button-flush-right vector-user-menu-logged-out" title="Log in and more options" > <input type="checkbox" id="vector-user-links-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-user-links-dropdown" class="vector-dropdown-checkbox " aria-label="Personal tools" > <label id="vector-user-links-dropdown-label" for="vector-user-links-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-ellipsis mw-ui-icon-wikimedia-ellipsis"></span> <span class="vector-dropdown-label-text">Personal tools</span> </label> <div class="vector-dropdown-content"> <div id="p-personal" class="vector-menu mw-portlet mw-portlet-personal user-links-collapsible-item" title="User menu" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport" class="user-links-collapsible-item mw-list-item"><a href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en"><span>Donate</span></a></li><li id="pt-createaccount" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:CreateAccount&returnto=Password+strength" title="You are encouraged to create an account and log in; however, it is not mandatory"><span class="vector-icon mw-ui-icon-userAdd mw-ui-icon-wikimedia-userAdd"></span> <span>Create account</span></a></li><li id="pt-login" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:UserLogin&returnto=Password+strength" title="You're encouraged to log in; however, it's not mandatory. [o]" accesskey="o"><span class="vector-icon mw-ui-icon-logIn mw-ui-icon-wikimedia-logIn"></span> <span>Log in</span></a></li> </ul> </div> </div> <div id="p-user-menu-anon-editor" class="vector-menu mw-portlet mw-portlet-user-menu-anon-editor" > <div class="vector-menu-heading"> Pages for logged out editors <a href="/wiki/Help:Introduction" aria-label="Learn more about editing"><span>learn more</span></a> </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-anoncontribs" class="mw-list-item"><a href="/wiki/Special:MyContributions" title="A list of edits made from this IP address [y]" accesskey="y"><span>Contributions</span></a></li><li id="pt-anontalk" class="mw-list-item"><a href="/wiki/Special:MyTalk" title="Discussion about edits from this IP address [n]" accesskey="n"><span>Talk</span></a></li> </ul> </div> </div> </div> </div> </nav> </div> </header> </div> <div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="vector-sitenotice-container"> <div id="siteNotice"></div> </div> <div class="vector-column-start"> <div class="vector-main-menu-container"> <div id="mw-navigation"> <nav id="mw-panel" class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-pinned-container" class="vector-pinned-container"> </div> </nav> </div> </div> <div class="vector-sticky-pinned-container"> <nav id="mw-panel-toc" aria-label="Contents" data-event-name="ui.sidebar-toc" class="mw-table-of-contents-container vector-toc-landmark"> <div id="vector-toc-pinned-container" class="vector-pinned-container"> <div id="vector-toc" class="vector-toc vector-pinnable-element"> <div class="vector-pinnable-header vector-toc-pinnable-header vector-pinnable-header-pinned" data-feature-name="toc-pinned" data-pinnable-element-id="vector-toc" > <h2 class="vector-pinnable-header-label">Contents</h2> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-toc.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-toc.unpin">hide</button> </div> <ul class="vector-toc-contents" id="mw-panel-toc-list"> <li id="toc-mw-content-text" class="vector-toc-list-item vector-toc-level-1"> <a href="#" class="vector-toc-link"> <div class="vector-toc-text">(Top)</div> </a> </li> <li id="toc-Password_creation" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Password_creation"> <div class="vector-toc-text"> <span class="vector-toc-numb">1</span> <span>Password creation</span> </div> </a> <ul id="toc-Password_creation-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Password_guess_validation" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Password_guess_validation"> <div class="vector-toc-text"> <span class="vector-toc-numb">2</span> <span>Password guess validation</span> </div> </a> <button aria-controls="toc-Password_guess_validation-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> <span class="vector-icon mw-ui-icon-wikimedia-expand"></span> <span>Toggle Password guess validation subsection</span> </button> <ul id="toc-Password_guess_validation-sublist" class="vector-toc-list"> <li id="toc-Entropy_as_a_measure_of_password_strength" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Entropy_as_a_measure_of_password_strength"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.1</span> <span>Entropy as a measure of password strength</span> </div> </a> <ul id="toc-Entropy_as_a_measure_of_password_strength-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Random_passwords" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Random_passwords"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.2</span> <span>Random passwords</span> </div> </a> <ul id="toc-Random_passwords-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Human-generated_passwords" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Human-generated_passwords"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.3</span> <span>Human-generated passwords</span> </div> </a> <ul id="toc-Human-generated_passwords-sublist" class="vector-toc-list"> <li id="toc-NIST_Special_Publication_800-63-2" class="vector-toc-list-item vector-toc-level-3"> <a class="vector-toc-link" href="#NIST_Special_Publication_800-63-2"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.3.1</span> <span>NIST Special Publication 800-63-2</span> </div> </a> <ul id="toc-NIST_Special_Publication_800-63-2-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Usability_and_implementation_considerations" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Usability_and_implementation_considerations"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.4</span> <span>Usability and implementation considerations</span> </div> </a> <ul id="toc-Usability_and_implementation_considerations-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Required_bits_of_entropy" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Required_bits_of_entropy"> <div class="vector-toc-text"> <span class="vector-toc-numb">3</span> <span>Required bits of entropy</span> </div> </a> <ul id="toc-Required_bits_of_entropy-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Guidelines_for_strong_passwords" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Guidelines_for_strong_passwords"> <div class="vector-toc-text"> <span class="vector-toc-numb">4</span> <span>Guidelines for strong passwords</span> </div> </a> <button aria-controls="toc-Guidelines_for_strong_passwords-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> <span class="vector-icon mw-ui-icon-wikimedia-expand"></span> <span>Toggle Guidelines for strong passwords subsection</span> </button> <ul id="toc-Guidelines_for_strong_passwords-sublist" class="vector-toc-list"> <li id="toc-Common_guidelines" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Common_guidelines"> <div class="vector-toc-text"> <span class="vector-toc-numb">4.1</span> <span>Common guidelines</span> </div> </a> <ul id="toc-Common_guidelines-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Examples_of_weak_passwords" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Examples_of_weak_passwords"> <div class="vector-toc-text"> <span class="vector-toc-numb">4.2</span> <span>Examples of weak passwords</span> </div> </a> <ul id="toc-Examples_of_weak_passwords-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Rethinking_password_change_guidelines" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Rethinking_password_change_guidelines"> <div class="vector-toc-text"> <span class="vector-toc-numb">4.3</span> <span>Rethinking password change guidelines</span> </div> </a> <ul id="toc-Rethinking_password_change_guidelines-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Password_policy" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Password_policy"> <div class="vector-toc-text"> <span class="vector-toc-numb">5</span> <span>Password policy</span> </div> </a> <button aria-controls="toc-Password_policy-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> <span class="vector-icon mw-ui-icon-wikimedia-expand"></span> <span>Toggle Password policy subsection</span> </button> <ul id="toc-Password_policy-sublist" class="vector-toc-list"> <li id="toc-Creating_and_handling_passwords" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Creating_and_handling_passwords"> <div class="vector-toc-text"> <span class="vector-toc-numb">5.1</span> <span>Creating and handling passwords</span> </div> </a> <ul id="toc-Creating_and_handling_passwords-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Memory_techniques" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Memory_techniques"> <div class="vector-toc-text"> <span class="vector-toc-numb">5.2</span> <span>Memory techniques</span> </div> </a> <ul id="toc-Memory_techniques-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Password_managers" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Password_managers"> <div class="vector-toc-text"> <span class="vector-toc-numb">6</span> <span>Password managers</span> </div> </a> <ul id="toc-Password_managers-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-See_also" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#See_also"> <div class="vector-toc-text"> <span class="vector-toc-numb">7</span> <span>See also</span> </div> </a> <ul id="toc-See_also-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-References" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#References"> <div class="vector-toc-text"> <span class="vector-toc-numb">8</span> <span>References</span> </div> </a> <ul id="toc-References-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-External_links" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#External_links"> <div class="vector-toc-text"> <span class="vector-toc-numb">9</span> <span>External links</span> </div> </a> <ul id="toc-External_links-sublist" class="vector-toc-list"> </ul> </li> </ul> </div> </div> </nav> </div> </div> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-page-titlebar-toc" class="vector-dropdown vector-page-titlebar-toc vector-button-flush-left" > <input type="checkbox" id="vector-page-titlebar-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-titlebar-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-page-titlebar-toc-label" for="vector-page-titlebar-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-listBullet mw-ui-icon-wikimedia-listBullet"></span> <span class="vector-dropdown-label-text">Toggle the table of contents</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-titlebar-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Password strength</span></h1> <div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="Go to an article in another language. Available in 19 languages" > <label id="p-lang-btn-label" for="p-lang-btn-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive mw-portlet-lang-heading-19" aria-hidden="true" ><span class="vector-icon mw-ui-icon-language-progressive mw-ui-icon-wikimedia-language-progressive"></span> <span class="vector-dropdown-label-text">19 languages</span> </label> <div class="vector-dropdown-content"> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li class="interlanguage-link interwiki-ar mw-list-item"><a href="https://ar.wikipedia.org/wiki/%D9%82%D9%88%D8%A9_%D9%83%D9%84%D9%85%D8%A9_%D8%A7%D9%84%D8%B3%D8%B1" title="قوة كلمة السر – Arabic" lang="ar" hreflang="ar" data-title="قوة كلمة السر" data-language-autonym="العربية" data-language-local-name="Arabic" class="interlanguage-link-target"><span>العربية</span></a></li><li class="interlanguage-link interwiki-cs mw-list-item"><a href="https://cs.wikipedia.org/wiki/S%C3%ADla_hesla" title="Síla hesla – Czech" lang="cs" hreflang="cs" data-title="Síla hesla" data-language-autonym="Čeština" data-language-local-name="Czech" class="interlanguage-link-target"><span>Čeština</span></a></li><li class="interlanguage-link interwiki-el mw-list-item"><a href="https://el.wikipedia.org/wiki/%CE%99%CF%83%CF%87%CF%8D%CF%82_%CE%BA%CF%89%CE%B4%CE%B9%CE%BA%CE%BF%CF%8D" title="Ισχύς κωδικού – Greek" lang="el" hreflang="el" data-title="Ισχύς κωδικού" data-language-autonym="Ελληνικά" data-language-local-name="Greek" class="interlanguage-link-target"><span>Ελληνικά</span></a></li><li class="interlanguage-link interwiki-es mw-list-item"><a href="https://es.wikipedia.org/wiki/Seguridad_de_la_contrase%C3%B1a" title="Seguridad de la contraseña – Spanish" lang="es" hreflang="es" data-title="Seguridad de la contraseña" data-language-autonym="Español" data-language-local-name="Spanish" class="interlanguage-link-target"><span>Español</span></a></li><li class="interlanguage-link interwiki-fa mw-list-item"><a href="https://fa.wikipedia.org/wiki/%D8%A7%D8%B3%D8%AA%D8%AD%DA%A9%D8%A7%D9%85_%DA%AF%D8%B0%D8%B1%D9%88%D8%A7%DA%98%D9%87" title="استحکام گذرواژه – Persian" lang="fa" hreflang="fa" data-title="استحکام گذرواژه" data-language-autonym="فارسی" data-language-local-name="Persian" class="interlanguage-link-target"><span>فارسی</span></a></li><li class="interlanguage-link interwiki-fr mw-list-item"><a href="https://fr.wikipedia.org/wiki/Robustesse_d%27un_mot_de_passe" title="Robustesse d'un mot de passe – French" lang="fr" hreflang="fr" data-title="Robustesse d'un mot de passe" data-language-autonym="Français" data-language-local-name="French" class="interlanguage-link-target"><span>Français</span></a></li><li class="interlanguage-link interwiki-id mw-list-item"><a href="https://id.wikipedia.org/wiki/Kekuatan_kata_sandi" title="Kekuatan kata sandi – Indonesian" lang="id" hreflang="id" data-title="Kekuatan kata sandi" data-language-autonym="Bahasa Indonesia" data-language-local-name="Indonesian" class="interlanguage-link-target"><span>Bahasa Indonesia</span></a></li><li class="interlanguage-link interwiki-it mw-list-item"><a href="https://it.wikipedia.org/wiki/Robustezza_della_password" title="Robustezza della password – Italian" lang="it" hreflang="it" data-title="Robustezza della password" data-language-autonym="Italiano" data-language-local-name="Italian" class="interlanguage-link-target"><span>Italiano</span></a></li><li class="interlanguage-link interwiki-he mw-list-item"><a href="https://he.wikipedia.org/wiki/%D7%97%D7%95%D7%96%D7%A7_%D7%A1%D7%99%D7%A1%D7%9E%D7%90%D7%95%D7%AA" title="חוזק סיסמאות – Hebrew" lang="he" hreflang="he" data-title="חוזק סיסמאות" data-language-autonym="עברית" data-language-local-name="Hebrew" class="interlanguage-link-target"><span>עברית</span></a></li><li class="interlanguage-link interwiki-ms mw-list-item"><a href="https://ms.wikipedia.org/wiki/Kekuatan_kata_laluan" title="Kekuatan kata laluan – Malay" lang="ms" hreflang="ms" data-title="Kekuatan kata laluan" data-language-autonym="Bahasa Melayu" data-language-local-name="Malay" class="interlanguage-link-target"><span>Bahasa Melayu</span></a></li><li class="interlanguage-link interwiki-pl mw-list-item"><a href="https://pl.wikipedia.org/wiki/Mocne_has%C5%82o" title="Mocne hasło – Polish" lang="pl" hreflang="pl" data-title="Mocne hasło" data-language-autonym="Polski" data-language-local-name="Polish" class="interlanguage-link-target"><span>Polski</span></a></li><li class="interlanguage-link interwiki-ru mw-list-item"><a href="https://ru.wikipedia.org/wiki/%D0%A1%D0%BB%D0%BE%D0%B6%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8F" title="Сложность пароля – Russian" lang="ru" hreflang="ru" data-title="Сложность пароля" data-language-autonym="Русский" data-language-local-name="Russian" class="interlanguage-link-target"><span>Русский</span></a></li><li class="interlanguage-link interwiki-sk mw-list-item"><a href="https://sk.wikipedia.org/wiki/Sila_hesla" title="Sila hesla – Slovak" lang="sk" hreflang="sk" data-title="Sila hesla" data-language-autonym="Slovenčina" data-language-local-name="Slovak" class="interlanguage-link-target"><span>Slovenčina</span></a></li><li class="interlanguage-link interwiki-ta mw-list-item"><a href="https://ta.wikipedia.org/wiki/%E0%AE%95%E0%AE%9F%E0%AE%B5%E0%AF%81%E0%AE%9A%E0%AF%8D%E0%AE%9A%E0%AF%8A%E0%AE%B2%E0%AF%8D_%E0%AE%AA%E0%AE%B2%E0%AE%AE%E0%AF%8D" title="கடவுச்சொல் பலம் – Tamil" lang="ta" hreflang="ta" data-title="கடவுச்சொல் பலம்" data-language-autonym="தமிழ்" data-language-local-name="Tamil" class="interlanguage-link-target"><span>தமிழ்</span></a></li><li class="interlanguage-link interwiki-th mw-list-item"><a href="https://th.wikipedia.org/wiki/%E0%B8%84%E0%B8%A7%E0%B8%B2%E0%B8%A1%E0%B9%81%E0%B8%82%E0%B9%87%E0%B8%87%E0%B9%81%E0%B8%81%E0%B8%A3%E0%B9%88%E0%B8%87%E0%B8%82%E0%B8%AD%E0%B8%87%E0%B8%A3%E0%B8%AB%E0%B8%B1%E0%B8%AA%E0%B8%9C%E0%B9%88%E0%B8%B2%E0%B8%99" title="ความแข็งแกร่งของรหัสผ่าน – Thai" lang="th" hreflang="th" data-title="ความแข็งแกร่งของรหัสผ่าน" data-language-autonym="ไทย" data-language-local-name="Thai" class="interlanguage-link-target"><span>ไทย</span></a></li><li class="interlanguage-link interwiki-uk mw-list-item"><a href="https://uk.wikipedia.org/wiki/%D0%9D%D0%B0%D0%B4%D1%96%D0%B9%D0%BD%D1%96%D1%81%D1%82%D1%8C_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8F" title="Надійність пароля – Ukrainian" lang="uk" hreflang="uk" data-title="Надійність пароля" data-language-autonym="Українська" data-language-local-name="Ukrainian" class="interlanguage-link-target"><span>Українська</span></a></li><li class="interlanguage-link interwiki-vi mw-list-item"><a href="https://vi.wikipedia.org/wiki/%C4%90%E1%BB%99_m%E1%BA%A1nh_c%E1%BB%A7a_m%E1%BA%ADt_kh%E1%BA%A9u" title="Độ mạnh của mật khẩu – Vietnamese" lang="vi" hreflang="vi" data-title="Độ mạnh của mật khẩu" data-language-autonym="Tiếng Việt" data-language-local-name="Vietnamese" class="interlanguage-link-target"><span>Tiếng Việt</span></a></li><li class="interlanguage-link interwiki-zh-yue mw-list-item"><a href="https://zh-yue.wikipedia.org/wiki/%E5%AF%86%E7%A2%BC%E5%BC%B7%E5%BA%A6" title="密碼強度 – Cantonese" lang="yue" hreflang="yue" data-title="密碼強度" data-language-autonym="粵語" data-language-local-name="Cantonese" class="interlanguage-link-target"><span>粵語</span></a></li><li class="interlanguage-link interwiki-zh mw-list-item"><a href="https://zh.wikipedia.org/wiki/%E5%AF%86%E7%A0%81%E5%BC%BA%E5%BA%A6" title="密码强度 – Chinese" lang="zh" hreflang="zh" data-title="密码强度" data-language-autonym="中文" data-language-local-name="Chinese" class="interlanguage-link-target"><span>中文</span></a></li> </ul> <div class="after-portlet after-portlet-lang"><span class="wb-langlinks-edit wb-langlinks-link"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q1990841#sitelinks-wikipedia" title="Edit interlanguage links" class="wbc-editpage">Edit links</a></span></div> </div> </div> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Password_strength" title="View the content page [c]" accesskey="c"><span>Article</span></a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:Password_strength" rel="discussion" title="Discuss improvements to the content page [t]" accesskey="t"><span>Talk</span></a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">English</span> </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Password_strength"><span>Read</span></a></li><li id="ca-edit" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Password_strength&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Password_strength&action=history" title="Past revisions of this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a href="/wiki/Password_strength"><span>Read</span></a></li><li id="ca-more-edit" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Password_strength&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Password_strength&action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Password_strength" title="List of all English Wikipedia pages containing links to this page [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Password_strength" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_Upload_Wizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Password_strength&oldid=1258888312" title="Permanent link to this revision of this page"><span>Permanent link</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Password_strength&action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-cite" class="mw-list-item"><a href="/w/index.php?title=Special:CiteThisPage&page=Password_strength&id=1258888312&wpFormIdentifier=titleform" title="Information on how to cite this page"><span>Cite this page</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FPassword_strength"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FPassword_strength"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&page=Password_strength&action=show-download-screen" title="Download this page as a PDF file"><span>Download as PDF</span></a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Password_strength&printable=yes" title="Printable version of this page [p]" accesskey="p"><span>Printable version</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-wikibase" class="wb-otherproject-link wb-otherproject-wikibase-dataitem mw-list-item"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q1990841" title="Structured data on this page hosted by Wikidata [g]" accesskey="g"><span>Wikidata item</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Resistance of a password to being guessed</div> <style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output .hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">For organizational rules on passwords, see <a href="/wiki/Password_policy" title="Password policy">Password policy</a>.</div> <figure typeof="mw:File/Thumb"><a href="/wiki/File:KeePass_random_password.png" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/commons/thumb/0/0f/KeePass_random_password.png/400px-KeePass_random_password.png" decoding="async" width="400" height="434" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/0/0f/KeePass_random_password.png/600px-KeePass_random_password.png 1.5x, //upload.wikimedia.org/wikipedia/commons/0/0f/KeePass_random_password.png 2x" data-file-width="651" data-file-height="706" /></a><figcaption>Options menu of the <a href="/wiki/Random_password_generation" class="mw-redirect" title="Random password generation">random password generation</a> tool in <a href="/wiki/KeePass" title="KeePass">KeePass</a>. Enabling more character subsets raises the strength of generated passwords a small amount, whereas increasing their length raises the strength a large amount.</figcaption></figure> <p><b>Password strength</b> is a measure of the effectiveness of a <a href="/wiki/Password" title="Password">password</a> against guessing or <a href="/wiki/Brute-force_attack" title="Brute-force attack">brute-force attacks</a>. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.<sup id="cite_ref-CERT_1-0" class="reference"><a href="#cite_note-CERT-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> </p><p>Using strong passwords lowers the overall <a href="/wiki/Risk" title="Risk">risk</a> of a security breach, but strong passwords do not replace the need for other effective <a href="/wiki/Security_controls" title="Security controls">security controls</a>.<sup id="cite_ref-2" class="reference"><a href="#cite_note-2"><span class="cite-bracket">[</span>2<span class="cite-bracket">]</span></a></sup> The effectiveness of a password of a given strength is strongly determined by the design and implementation of the <a href="/wiki/Authentication#Authentication_factors" title="Authentication">authentication factors</a> (knowledge, ownership, inherence). The first factor is the main focus of this article. </p><p>The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g. three) of failed password entry attempts. In the absence of other <a href="/wiki/Vulnerability_(computer_security)" title="Vulnerability (computer security)">vulnerabilities</a>, such systems can be effectively secured with relatively simple passwords. However, the system store information about the user's passwords in some form and if that information is stolen, say by breaching system security, the user's passwords can be at risk. </p><p>In 2019, the United Kingdom's <a href="/wiki/National_Cyber_Security_Centre_(United_Kingdom)" title="National Cyber Security Centre (United Kingdom)">NCSC</a> analyzed public databases of breached accounts to see which words, phrases, and strings people used. The most popular password on the list was 123456, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while the top five included "<a href="/wiki/Qwerty" class="mw-redirect" title="Qwerty">qwerty</a>", "password", and 1111111.<sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">[</span>3<span class="cite-bracket">]</span></a></sup> </p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="Password_creation">Password creation</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=1" title="Edit section: Password creation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Passwords are created either automatically (using randomizing equipment) or by a human; the latter case is more common. While the strength of randomly chosen passwords against a <a href="/wiki/Brute-force_attack" title="Brute-force attack">brute-force attack</a> can be calculated with precision, determining the strength of human-generated passwords is difficult. </p><p>Typically, humans are asked to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or internet website. Only rough estimates of strength are possible since humans tend to follow patterns in such tasks, and those patterns can usually assist an attacker.<sup id="cite_ref-NIST_4-0" class="reference"><a href="#cite_note-NIST-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> In addition, lists of commonly chosen passwords are widely available for use by password-guessing programs. Such lists include the numerous online dictionaries for various human languages, breached databases of <a href="/wiki/Plaintext" title="Plaintext">plaintext</a> and <a href="/wiki/Cryptographic_hash_function" title="Cryptographic hash function">hashed</a> passwords from various online business and social accounts, along with other common passwords. All items in such lists are considered weak, as are passwords that are simple modifications of them. </p><p>Although random password generation programs are available nowadays which are meant to be easy to use, they usually generate random, hard-to-remember passwords, often resulting in people preferring to choose their own. However, this is inherently insecure because the person's lifestyle, entertainment preferences, and other key individualistic qualities usually come into play to influence the choice of password, while the prevalence of online <a href="/wiki/Social_media" title="Social media">social media</a> has made obtaining information about people much easier. </p> <div class="mw-heading mw-heading2"><h2 id="Password_guess_validation">Password guess validation</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=2" title="Edit section: Password guess validation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Systems that use passwords for <a href="/wiki/Authentication" title="Authentication">authentication</a> must have some way to check any password entered to gain access. If the valid passwords are simply stored in a system file or database, an attacker who gains sufficient access to the system will obtain all user passwords, giving the attacker access to all accounts on the attacked system and possibly other systems where users employ the same or similar passwords. One way to reduce this risk is to store only a <a href="/wiki/Cryptographic_hash" class="mw-redirect" title="Cryptographic hash">cryptographic hash</a> of each password instead of the password itself. Standard cryptographic hashes, such as the <a href="/wiki/Secure_Hash_Algorithm_(disambiguation)" class="mw-redirect" title="Secure Hash Algorithm (disambiguation)">Secure Hash Algorithm</a> (SHA) series, are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password. However, knowledge of the hash value lets the attacker quickly test guesses offline. <a href="/wiki/Password_cracking" title="Password cracking">Password cracking</a> programs are widely available that will test a large number of trial passwords against a purloined cryptographic hash. </p><p>Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. For example, in 2010, the <a href="/wiki/Georgia_Tech_Research_Institute" title="Georgia Tech Research Institute">Georgia Tech Research Institute</a> developed a method of using <a href="/wiki/GPGPU" class="mw-redirect" title="GPGPU">GPGPU</a> to crack passwords much faster.<sup id="cite_ref-gtri_5-0" class="reference"><a href="#cite_note-gtri-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Elcomsoft" class="mw-redirect" title="Elcomsoft">Elcomsoft</a> invented the usage of common graphic cards for quicker password recovery in August 2007 and soon filed a corresponding patent in the US.<sup id="cite_ref-belenko_6-0" class="reference"><a href="#cite_note-belenko-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> By 2011, commercial products were available that claimed the ability to test up to 112,000 passwords per second on a standard desktop computer, using a high-end graphics processor for that time.<sup id="cite_ref-elcomsoft_7-0" class="reference"><a href="#cite_note-elcomsoft-7"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> Such a device will crack a six-letter single-case password in one day. The work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable GPUs. Special <a href="/wiki/Key_stretching" title="Key stretching">key stretching</a> hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not. </p><p>Another situation where quick guessing is possible is when the password is used to form a <a href="/wiki/Cryptographic_key" class="mw-redirect" title="Cryptographic key">cryptographic key</a>. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. For example, one commercial product claims to test 103,000 <a href="/wiki/Wi-Fi_Protected_Access" title="Wi-Fi Protected Access">WPA</a> PSK passwords per second.<sup id="cite_ref-8" class="reference"><a href="#cite_note-8"><span class="cite-bracket">[</span>8<span class="cite-bracket">]</span></a></sup> </p><p>If a password system only stores the hash of the password, an attacker can pre-compute hash values for common password variants and all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can be efficiently stored using <a href="/wiki/Rainbow_tables" class="mw-redirect" title="Rainbow tables">rainbow tables</a>. This method of attack can be foiled by storing a random value, called a <a href="/wiki/Cryptographic_salt" class="mw-redirect" title="Cryptographic salt">cryptographic salt</a>, along with the hash. The salt is combined with the password when computing the hash, so an attacker precomputing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Many authentication systems in common use do not employ salts and rainbow tables are available on the Internet for several such systems. </p> <div class="mw-heading mw-heading3"><h3 id="Entropy_as_a_measure_of_password_strength">Entropy as a measure of password strength</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=3" title="Edit section: Entropy as a measure of password strength"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Password strength is specified by the amount of <a href="/wiki/Information_entropy" class="mw-redirect" title="Information entropy">information entropy</a>, which is measured in <a href="/wiki/Shannon_(unit)" title="Shannon (unit)">shannon</a> (Sh) and is a concept from <a href="/wiki/Information_theory" title="Information theory">information theory</a>. It can be regarded as the minimum number of <a href="/wiki/Bit" title="Bit">bits</a> necessary to hold the information in a password of a given type. A related measure is the <a href="/wiki/Binary_logarithm" title="Binary logarithm">base-2 logarithm</a> of the number of guesses needed to find the password with certainty, which is commonly referred to as the "bits of entropy".<sup id="cite_ref-9" class="reference"><a href="#cite_note-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> A password with 42 bits of entropy would be as strong as a string of 42 bits chosen randomly, for example by a <a href="/wiki/Fair_coin" title="Fair coin">fair coin</a> toss. Put another way, a password with 42 bits of entropy would require 2<sup>42</sup> (4,398,046,511,104) attempts to exhaust all possibilities during a <a href="/wiki/Brute_force_search" class="mw-redirect" title="Brute force search">brute force search</a>. Thus, increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker's task twice as difficult. On average, an attacker will have to try half the possible number of passwords before finding the correct one.<sup id="cite_ref-NIST_4-1" class="reference"><a href="#cite_note-NIST-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Random_passwords">Random passwords</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=4" title="Edit section: Random passwords"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Random_password_generator" title="Random password generator">Random password generator</a></div> <p>Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set (e.g., the <a href="/wiki/ASCII" title="ASCII">ASCII</a> character set), syllables designed to form pronounceable passwords or even words from a word list (thus forming a <a href="/wiki/Passphrase" title="Passphrase">passphrase</a>). </p><p>The strength of random passwords depends on the actual entropy of the underlying number generator; however, these are often not truly random, but pseudorandom. Many publicly available password generators use random number generators found in programming libraries that offer limited entropy. However, most modern operating systems offer cryptographically strong random number generators that are suitable for password generation. It is also possible to use ordinary <a href="/wiki/Dice" title="Dice">dice</a> to generate random passwords <style data-mw-deduplicate="TemplateStyles:r1033199720">.mw-parser-output div.crossreference{padding-left:0}</style><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><span role="note" class="hatnote navigation-not-searchable crossreference">(see <a href="/wiki/Random_password_generator#Stronger_methods" title="Random password generator">Random password generator § Stronger methods</a>)</span>. Random password programs often can ensure that the resulting password complies with a local <a href="/wiki/Password_policy" title="Password policy">password policy</a>; for instance, by always producing a mix of letters, numbers, and special characters. </p><p>For passwords generated by a process that randomly selects a string of symbols of length, <i>L</i>, from a set of <i>N</i> possible symbols, the number of possible passwords can be found by raising the number of symbols to the power <i>L</i>, i.e. <i>N</i><sup><i>L</i></sup>. Increasing either <i>L</i> or <i>N</i> will strengthen the generated password. The strength of a random password as measured by the <a href="/wiki/Information_entropy" class="mw-redirect" title="Information entropy">information entropy</a> is just the <a href="/wiki/Binary_logarithm" title="Binary logarithm">base-2 logarithm</a> or log<sub>2</sub> of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy, <i>H</i>, is given by the formula: </p> <div class="center" style="width:auto; margin-left:auto; margin-right:auto;"> <p><span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle H=\log _{2}N^{L}=L\log _{2}N=L{\log N \over \log 2}}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>H</mi> <mo>=</mo> <msub> <mi>log</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>⁡</mo> <msup> <mi>N</mi> <mrow class="MJX-TeXAtom-ORD"> <mi>L</mi> </mrow> </msup> <mo>=</mo> <mi>L</mi> <msub> <mi>log</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>⁡</mo> <mi>N</mi> <mo>=</mo> <mi>L</mi> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mrow> <mi>log</mi> <mo>⁡</mo> <mi>N</mi> </mrow> <mrow> <mi>log</mi> <mo>⁡</mo> <mn>2</mn> </mrow> </mfrac> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle H=\log _{2}N^{L}=L\log _{2}N=L{\log N \over \log 2}}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/d30dfce3e0cd67b4fc5b4410cd7d0d5e89781f6d" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -2.338ex; width:35.535ex; height:5.843ex;" alt="{\displaystyle H=\log _{2}N^{L}=L\log _{2}N=L{\log N \over \log 2}}"></span> </p> </div> <p>where <i>N</i> is the number of possible symbols and <i>L</i> is the number of symbols in the password. <i>H</i> is measured in <a href="/wiki/Bit" title="Bit">bits</a>.<sup id="cite_ref-NIST_4-2" class="reference"><a href="#cite_note-NIST-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-10" class="reference"><a href="#cite_note-10"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup> In the last expression, <i>log</i> can be to any <a href="/wiki/Base_(exponentiation)" title="Base (exponentiation)">base</a>. </p> <dl><dd><table class="wikitable" style="text-align: right;"> <caption>Entropy per symbol for different symbol sets </caption> <tbody><tr> <th>Symbol set</th> <th>Symbol count<br /><i>N</i></th> <th>Entropy per symbol<br /><i>H</i> </th></tr> <tr> <td align="left"><a href="/wiki/Arabic_numerals" title="Arabic numerals">Arabic numerals</a> (0–9) (e.g. <a href="/wiki/Personal_identification_number" title="Personal identification number">PIN</a>)</td> <td>10</td> <td>3.322 bits </td></tr> <tr> <td align="left"><a href="/wiki/Hexadecimal" title="Hexadecimal">Hexadecimal</a> numerals (0–9, A–F) (e.g. <a href="/wiki/Wired_Equivalent_Privacy" title="Wired Equivalent Privacy">WEP</a> keys)</td> <td>16</td> <td>4.000 bits </td></tr> <tr> <td align="left"><a href="/wiki/Case_sensitivity" title="Case sensitivity">Case insensitive</a> <a href="/wiki/Latin_alphabet" title="Latin alphabet">Latin alphabet</a> (a–z or A–Z)</td> <td>26</td> <td>4.700 bits </td></tr> <tr> <td align="left">Case insensitive <a href="/wiki/Alphanumeric" class="mw-redirect" title="Alphanumeric">alphanumeric</a> (a–z or A–Z, 0–9)</td> <td>36</td> <td>5.170 bits </td></tr> <tr> <td align="left"><a href="/wiki/Case_sensitivity" title="Case sensitivity">Case sensitive</a> Latin alphabet (a–z, A–Z)</td> <td>52</td> <td>5.700 bits </td></tr> <tr> <td align="left">Case sensitive alphanumeric (a–z, A–Z, 0–9)</td> <td>62</td> <td>5.954 bits </td></tr> <tr> <td align="left">All <a href="/wiki/Printable_characters" class="mw-redirect" title="Printable characters">ASCII printable characters</a> except space</td> <td>94</td> <td>6.555 bits </td></tr> <tr> <td align="left">All <a href="/wiki/Latin-1_Supplement" title="Latin-1 Supplement">Latin-1 Supplement characters</a></td> <td>94</td> <td>6.555 bits </td></tr> <tr> <td align="left">All <a href="/wiki/Printable_characters" class="mw-redirect" title="Printable characters">ASCII printable characters</a></td> <td>95</td> <td>6.570 bits </td></tr> <tr> <td align="left">All <a href="/wiki/Extended_ASCII" title="Extended ASCII">extended ASCII printable characters</a></td> <td>218</td> <td>7.768 bits </td></tr> <tr> <td align="left"><a href="/wiki/Binary_number" title="Binary number">Binary</a> (0–255 or 8 <a href="/wiki/Bit" title="Bit">bits</a> or 1 <a href="/wiki/Byte" title="Byte">byte</a>)</td> <td>256</td> <td>8.000 bits </td></tr> <tr> <td align="left"><a href="/wiki/Diceware" title="Diceware">Diceware</a> word list</td> <td>7776</td> <td>12.925 bits per word </td></tr></tbody></table></dd></dl> <p>A <a href="/wiki/Binary_number" title="Binary number">binary</a> <a href="/wiki/Byte" title="Byte">byte</a> is usually expressed using two hexadecimal characters. </p><p>To find the length, <i>L,</i> needed to achieve a desired strength <i>H,</i> with a password drawn randomly from a set of <i>N</i> symbols, one computes: </p><p><span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle L={\left\lceil {\frac {H}{\log _{2}N}}\right\rceil }}"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mi>L</mi> <mo>=</mo> <mrow class="MJX-TeXAtom-ORD"> <mrow> <mo>⌈</mo> <mrow class="MJX-TeXAtom-ORD"> <mfrac> <mi>H</mi> <mrow> <msub> <mi>log</mi> <mrow class="MJX-TeXAtom-ORD"> <mn>2</mn> </mrow> </msub> <mo>⁡</mo> <mi>N</mi> </mrow> </mfrac> </mrow> <mo>⌉</mo> </mrow> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle L={\left\lceil {\frac {H}{\log _{2}N}}\right\rceil }}</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/998d6b928d9677e34401e0c2599bf65f37573202" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -2.505ex; width:14.705ex; height:6.176ex;" alt="{\displaystyle L={\left\lceil {\frac {H}{\log _{2}N}}\right\rceil }}"></span> </p><p>where <span class="mwe-math-element"><span class="mwe-math-mathml-inline mwe-math-mathml-a11y" style="display: none;"><math xmlns="http://www.w3.org/1998/Math/MathML" alttext="{\displaystyle \left\lceil \ \right\rceil }"> <semantics> <mrow class="MJX-TeXAtom-ORD"> <mstyle displaystyle="true" scriptlevel="0"> <mrow> <mo>⌈</mo> <mtext> </mtext> <mo>⌉</mo> </mrow> </mstyle> </mrow> <annotation encoding="application/x-tex">{\displaystyle \left\lceil \ \right\rceil }</annotation> </semantics> </math></span><img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/41cd14e9fa8645c07bb88437f88f8a2464451e5b" class="mwe-math-fallback-image-inline mw-invert skin-invert" aria-hidden="true" style="vertical-align: -0.838ex; width:2.645ex; height:2.843ex;" alt="{\displaystyle \left\lceil \ \right\rceil }"></span> denotes the mathematical <a href="/wiki/Floor_and_ceiling_functions" title="Floor and ceiling functions">ceiling function</a>, <i>i.e.</i> rounding up to the next largest <a href="/wiki/Natural_number" title="Natural number">whole number</a>. </p><p>The following table uses this formula to show the required lengths of truly randomly generated passwords to achieve desired password entropies for common symbol sets: <span class="anchor" id="EntropyTable"></span> </p> <table class="wikitable"> <caption>Lengths <i>L</i> of truly randomly generated passwords required to achieve a desired password entropy <i>H</i> for symbol sets containing <i>N</i> symbols </caption> <tbody><tr> <th rowspan="2">Desired password<br />entropy <i>H</i></th> <th rowspan="2"><a href="/wiki/Arabic_numerals" title="Arabic numerals">Arabic<br />numerals</a></th> <th rowspan="2"><a href="/wiki/Hexadecimal" title="Hexadecimal">Hexadecimal</a></th> <th colspan="2"><a href="/wiki/Case_sensitivity" title="Case sensitivity">Case insensitive</a></th> <th colspan="2"><a href="/wiki/Case_sensitivity" title="Case sensitivity">Case sensitive</a></th> <th>All ASCII</th> <th>All <a href="/wiki/Extended_ASCII" title="Extended ASCII">Extended<br />ASCII</a></th> <th rowspan="2"><a href="/wiki/Diceware" title="Diceware">Diceware</a><br />word list </th></tr> <tr> <th><a href="/wiki/Latin_alphabet" title="Latin alphabet">Latin<br />alphabet</a></th> <th><a href="/wiki/Alphanumeric" class="mw-redirect" title="Alphanumeric">alpha-<br />numeric</a></th> <th>Latin<br />alphabet</th> <th>alpha-<br />numeric</th> <th colspan="2"><a href="/wiki/Printable_characters" class="mw-redirect" title="Printable characters">printable characters</a> </th></tr> <tr> <td>8 bits (1 byte)</td> <td>3</td> <td>2</td> <td>2</td> <td>2</td> <td>2</td> <td>2</td> <td>2</td> <td>2</td> <td>1 word </td></tr> <tr> <td>32 bits (4 bytes)</td> <td>10</td> <td>8</td> <td>7</td> <td>7</td> <td>6</td> <td>6</td> <td>5</td> <td>5</td> <td>3 words </td></tr> <tr> <td>40 bits (5 bytes)</td> <td>13</td> <td>10</td> <td>9</td> <td>8</td> <td>8</td> <td>7</td> <td>7</td> <td>6</td> <td>4 words </td></tr> <tr> <td>64 bits (8 bytes)</td> <td>20</td> <td>16</td> <td>14</td> <td>13</td> <td>12</td> <td>11</td> <td>10</td> <td>9</td> <td>5 words </td></tr> <tr> <td>80 bits (10 bytes)</td> <td>25</td> <td>20</td> <td>18</td> <td>16</td> <td>15</td> <td>14</td> <td>13</td> <td>11</td> <td>7 words </td></tr> <tr> <td>96 bits (12 bytes)</td> <td>29</td> <td>24</td> <td>21</td> <td>19</td> <td>17</td> <td>17</td> <td>15</td> <td>13</td> <td>8 words </td></tr> <tr> <td>128 bits (16 bytes)</td> <td>39</td> <td>32</td> <td>28</td> <td>25</td> <td>23</td> <td>22</td> <td>20</td> <td>17</td> <td>10 words </td></tr> <tr> <td>160 bits (20 bytes)</td> <td>49</td> <td>40</td> <td>35</td> <td>31</td> <td>29</td> <td>27</td> <td>25</td> <td>21</td> <td>13 words </td></tr> <tr> <td>192 bits (24 bytes)</td> <td>58</td> <td>48</td> <td>41</td> <td>38</td> <td>34</td> <td>33</td> <td>30</td> <td>25</td> <td>15 words </td></tr> <tr> <td>224 bits (28 bytes)</td> <td>68</td> <td>56</td> <td>48</td> <td>44</td> <td>40</td> <td>38</td> <td>35</td> <td>29</td> <td>18 words </td></tr> <tr> <td>256 bits (32 bytes)</td> <td>78</td> <td>64</td> <td>55</td> <td>50</td> <td>45</td> <td>43</td> <td>39</td> <td>33</td> <td>20 words </td></tr></tbody></table> <div class="mw-heading mw-heading3"><h3 id="Human-generated_passwords">Human-generated passwords</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=5" title="Edit section: Human-generated passwords"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.<sup id="cite_ref-11" class="reference"><a href="#cite_note-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> </p><p>Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. A <a href="/wiki/Uniform_distribution_(discrete)" class="mw-redirect" title="Uniform distribution (discrete)">uniform distribution</a> would have had each character being used about 900,000 times. The most common number used is "1", whereas the most common letters are a, e, o, and r.<sup id="cite_ref-perfect_12-0" class="reference"><a href="#cite_note-perfect-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p><p>Users rarely make full use of larger character sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.<sup id="cite_ref-myspace-passwords_13-0" class="reference"><a href="#cite_note-myspace-passwords-13"><span class="cite-bracket">[</span>13<span class="cite-bracket">]</span></a></sup> </p><p>The full strength associated with using the entire ASCII character set (numerals, mixed case letters, and special characters) is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps upper and lower-case letters, numbers, and non-alphanumeric characters. Such a requirement is a pattern in password choice and can be expected to reduce an attacker's "work factor" (in Claude Shannon's terms). This is a reduction in password "strength". A better requirement would be to require a password <i>not</i> to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). If patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character. This predictability means that the increase in password strength is minor when compared to random passwords. </p><p><b>Password Safety Awareness Projects</b> </p><p>Google developed Interland teach the kid internet audience safety on internet. On the chapter called <i>Tower Of Tresure</i> it is advised to use unusual names paired with characters like (₺&@#%) with a game.<sup id="cite_ref-14" class="reference"><a href="#cite_note-14"><span class="cite-bracket">[</span>14<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="NIST_Special_Publication_800-63-2">NIST Special Publication 800-63-2</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=6" title="Edit section: NIST Special Publication 800-63-2"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><a href="/wiki/NIST" class="mw-redirect" title="NIST">NIST</a> Special Publication 800-63 of June 2004 (revision two) suggested a scheme to approximate the entropy of human-generated passwords:<sup id="cite_ref-NIST_4-3" class="reference"><a href="#cite_note-NIST-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> </p><p>Using this scheme, an eight-character human-selected password without uppercase characters and non-alphabetic characters OR with either but of the two character sets is estimated to have eighteen bits of entropy. The NIST publication concedes that at the time of development, little information was available on the real-world selection of passwords. Later research into human-selected password entropy using newly available real-world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords.<sup id="cite_ref-WeirEtAl_15-0" class="reference"><a href="#cite_note-WeirEtAl-15"><span class="cite-bracket">[</span>15<span class="cite-bracket">]</span></a></sup> The June 2017 revision of SP 800-63 (Revision three) drops this approach.<sup id="cite_ref-16" class="reference"><a href="#cite_note-16"><span class="cite-bracket">[</span>16<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Usability_and_implementation_considerations">Usability and implementation considerations</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=7" title="Edit section: Usability and implementation considerations"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Because national keyboard implementations vary, not all 94 ASCII printable characters can be used everywhere. This can present a problem to an international traveler who wished to log into a remote system using a keyboard on a local computer <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1033199720"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><span role="note" class="hatnote navigation-not-searchable crossreference">(see article concerned with <a href="/wiki/List_of_Latin-script_keyboard_layouts" title="List of Latin-script keyboard layouts">keyboard layouts</a>)</span>. Many handheld devices, such as <a href="/wiki/Tablet_computer" title="Tablet computer">tablet computers</a> and <a href="/wiki/Smart_phone" class="mw-redirect" title="Smart phone">smart phones</a>, require complex shift sequences or keyboard app swapping to enter special characters. </p><p>Authentication programs can vary as to the list of allowable password characters. Some do not recognize case differences (e.g., the upper-case "E" is considered equivalent to the lower-case "e"), and others prohibit some of the other symbols. In the past few decades, systems have permitted more characters in passwords, but limitations still exist. Systems also vary as to the maximum length of passwords allowed. </p><p>As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk.<sup id="cite_ref-Gartner_17-0" class="reference"><a href="#cite_note-Gartner-17"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup> In contrast, others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to <a href="/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a>, most people are good at securing their wallets or purses, which is a "great place" to store a written password.<sup id="cite_ref-Schneier-writedown_18-0" class="reference"><a href="#cite_note-Schneier-writedown-18"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Required_bits_of_entropy">Required bits of entropy</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=8" title="Edit section: Required bits of entropy"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The minimum number of bits of entropy needed for a password depends on the <a href="/wiki/Threat_model" title="Threat model">threat model</a> for the given application. If <a href="/wiki/Key_stretching" title="Key stretching">key stretching</a> is not used, passwords with more entropy are needed. RFC 4086, "Randomness Requirements for Security", published June 2005, presents some example threat models and how to calculate the entropy desired for each one.<sup id="cite_ref-19" class="reference"><a href="#cite_note-19"><span class="cite-bracket">[</span>19<span class="cite-bracket">]</span></a></sup> Their answers vary between 29 bits of entropy needed if only online attacks are expected, and up to 96 bits of entropy needed for important cryptographic keys used in applications like encryption where the password or key needs to be secure for a long period and stretching isn't applicable. A 2010 <a href="/wiki/Georgia_Tech_Research_Institute" title="Georgia Tech Research Institute">Georgia Tech Research Institute</a> study based on unstretched keys recommended a 12-character random password but as a minimum length requirement.<sup id="cite_ref-gtri_5-1" class="reference"><a href="#cite_note-gtri-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-msnbc_20-0" class="reference"><a href="#cite_note-msnbc-20"><span class="cite-bracket">[</span>20<span class="cite-bracket">]</span></a></sup> It pays to bear in mind that since computing power continually grows, to prevent offline attacks the required number of bits of entropy should also increase over time. </p><p>The upper end is related to the stringent requirements of choosing keys used in encryption. In 1999, <a href="/wiki/EFF_DES_cracker" title="EFF DES cracker">an Electronic Frontier Foundation project</a> broke 56-bit <a href="/wiki/Data_Encryption_Standard" title="Data Encryption Standard">DES</a> encryption in less than a day using specially designed hardware.<sup id="cite_ref-EFF-deep-crack_21-0" class="reference"><a href="#cite_note-EFF-deep-crack-21"><span class="cite-bracket">[</span>21<span class="cite-bracket">]</span></a></sup> In 2002, <i><a href="/wiki/Distributed.net" title="Distributed.net">distributed.net</a></i> cracked a 64-bit key in 4 years, 9 months, and 23 days.<sup id="cite_ref-distributed_22-0" class="reference"><a href="#cite_note-distributed-22"><span class="cite-bracket">[</span>22<span class="cite-bracket">]</span></a></sup> As of October 12, 2011, <i>distributed.net</i> estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years.<sup id="cite_ref-distributed-72_23-0" class="reference"><a href="#cite_note-distributed-72-23"><span class="cite-bracket">[</span>23<span class="cite-bracket">]</span></a></sup> Due to currently understood limitations from fundamental physics, there is no expectation that any <a href="/wiki/Digital_computer" class="mw-redirect" title="Digital computer">digital computer</a> (or combination) will be capable of breaking 256-bit encryption via a brute-force attack.<sup id="cite_ref-schneier-cyptogram_24-0" class="reference"><a href="#cite_note-schneier-cyptogram-24"><span class="cite-bracket">[</span>24<span class="cite-bracket">]</span></a></sup> Whether or not <a href="/wiki/Quantum_computers" class="mw-redirect" title="Quantum computers">quantum computers</a> will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.<sup id="cite_ref-25" class="reference"><a href="#cite_note-25"><span class="cite-bracket">[</span>25<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Guidelines_for_strong_passwords">Guidelines for strong passwords</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=9" title="Edit section: Guidelines for strong passwords"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1251242444">.mw-parser-output .ambox{border:1px solid #a2a9b1;border-left:10px solid #36c;background-color:#fbfbfb;box-sizing:border-box}.mw-parser-output .ambox+link+.ambox,.mw-parser-output .ambox+link+style+.ambox,.mw-parser-output .ambox+link+link+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+style+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+link+.ambox{margin-top:-1px}html body.mediawiki .mw-parser-output .ambox.mbox-small-left{margin:4px 1em 4px 0;overflow:hidden;width:238px;border-collapse:collapse;font-size:88%;line-height:1.25em}.mw-parser-output .ambox-speedy{border-left:10px solid #b32424;background-color:#fee7e6}.mw-parser-output .ambox-delete{border-left:10px solid #b32424}.mw-parser-output .ambox-content{border-left:10px solid #f28500}.mw-parser-output .ambox-style{border-left:10px solid #fc3}.mw-parser-output .ambox-move{border-left:10px solid #9932cc}.mw-parser-output .ambox-protection{border-left:10px solid #a2a9b1}.mw-parser-output .ambox .mbox-text{border:none;padding:0.25em 0.5em;width:100%}.mw-parser-output .ambox .mbox-image{border:none;padding:2px 0 2px 0.5em;text-align:center}.mw-parser-output .ambox .mbox-imageright{border:none;padding:2px 0.5em 2px 0;text-align:center}.mw-parser-output .ambox .mbox-empty-cell{border:none;padding:0;width:1px}.mw-parser-output .ambox .mbox-image-div{width:52px}@media(min-width:720px){.mw-parser-output .ambox{margin:0 10%}}@media print{body.ns-0 .mw-parser-output .ambox{display:none!important}}</style><table class="box-Howto plainlinks metadata ambox ambox-content" role="presentation"><tbody><tr><td class="mbox-image"><div class="mbox-image-div"><span typeof="mw:File"><span><img alt="" src="//upload.wikimedia.org/wikipedia/en/thumb/b/b4/Ambox_important.svg/40px-Ambox_important.svg.png" decoding="async" width="40" height="40" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/en/thumb/b/b4/Ambox_important.svg/60px-Ambox_important.svg.png 1.5x, //upload.wikimedia.org/wikipedia/en/thumb/b/b4/Ambox_important.svg/80px-Ambox_important.svg.png 2x" data-file-width="40" data-file-height="40" /></span></span></div></td><td class="mbox-text"><div class="mbox-text-span">This article <b>contains <a href="/wiki/Wikipedia:What_Wikipedia_is_not#NOTHOWTO" title="Wikipedia:What Wikipedia is not">instructions, advice, or how-to content</a></b>.<span class="hide-when-compact"> Please help <a class="external text" href="https://en.wikipedia.org/w/index.php?title=Password_strength&action=edit">rewrite the content</a> so that it is more encyclopedic or <a href="https://meta.wikimedia.org/wiki/Help:Transwiki" class="extiw" title="m:Help:Transwiki">move</a> it to <a href="https://en.wikiversity.org/wiki/" class="extiw" title="v:">Wikiversity</a>, <a href="https://en.wikibooks.org/wiki/" class="extiw" title="b:">Wikibooks</a>, or <a href="https://en.wikivoyage.org/wiki/" class="extiw" title="voy:">Wikivoyage</a>.</span> <span class="date-container"><i>(<span class="date">January 2022</span>)</i></span></div></td></tr></tbody></table> <div class="mw-heading mw-heading3"><h3 id="Common_guidelines">Common guidelines</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=10" title="Edit section: Common guidelines"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Guidelines for choosing good passwords are typically designed to make passwords harder to discover by intelligent guessing. Common guidelines advocated by proponents of software system security have included:<sup id="cite_ref-26" class="reference"><a href="#cite_note-26"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-schneier07_27-0" class="reference"><a href="#cite_note-schneier07-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-28" class="reference"><a href="#cite_note-28"><span class="cite-bracket">[</span>28<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-UMD01_29-0" class="reference"><a href="#cite_note-UMD01-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-Bidwell000_30-0" class="reference"><a href="#cite_note-Bidwell000-30"><span class="cite-bracket">[</span>30<span class="cite-bracket">]</span></a></sup> </p> <ul><li>Consider a minimum password length of 8<sup id="cite_ref-31" class="reference"><a href="#cite_note-31"><span class="cite-bracket">[</span>31<span class="cite-bracket">]</span></a></sup> characters as a general guide. Both the US and UK cyber security departments recommend long and easily memorable passwords over short complex ones.<sup id="cite_ref-32" class="reference"><a href="#cite_note-32"><span class="cite-bracket">[</span>32<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-33" class="reference"><a href="#cite_note-33"><span class="cite-bracket">[</span>33<span class="cite-bracket">]</span></a></sup></li> <li>Generate passwords randomly where feasible.</li> <li>Avoid using the same password twice (e.g. across multiple user accounts and/or software systems).</li> <li>Avoid character repetition, keyboard patterns, dictionary words, and sequential letters or numbers.</li> <li>Avoid using information that is or might become publicly associated with the user or the account, such as the user name, ancestors' names, or dates.</li> <li>Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relatives or pet names, romantic links (current or past), and biographical information (e.g. ID numbers, ancestors' names or dates).</li> <li>Do not use passwords that consist wholly of any simple combination of the aforementioned weak components.</li></ul> <p>Forcing the inclusion of lowercase letters, uppercase letters, numbers, and symbols in passwords was a common policy but has been found to decrease security, by making it easier to crack. Research has shown how predictable the common use of such symbols are, and the US<sup id="cite_ref-34" class="reference"><a href="#cite_note-34"><span class="cite-bracket">[</span>34<span class="cite-bracket">]</span></a></sup> and UK<sup id="cite_ref-35" class="reference"><a href="#cite_note-35"><span class="cite-bracket">[</span>35<span class="cite-bracket">]</span></a></sup> government cyber security departments advise against forcing their inclusion in password policy. Complex symbols also make remembering passwords much harder, which increases writing down, password resets, and password reuse – all of which lower rather than improve password security. The original author of password complexity rules, Bill Burr, has apologized and admits they decrease security, as research has found; this was widely reported in the media in 2017.<sup id="cite_ref-tesla.tours_36-0" class="reference"><a href="#cite_note-tesla.tours-36"><span class="cite-bracket">[</span>36<span class="cite-bracket">]</span></a></sup> Online security researchers<sup id="cite_ref-37" class="reference"><a href="#cite_note-37"><span class="cite-bracket">[</span>37<span class="cite-bracket">]</span></a></sup> and consultants are also supportive of the change<sup id="cite_ref-38" class="reference"><a href="#cite_note-38"><span class="cite-bracket">[</span>38<span class="cite-bracket">]</span></a></sup> in best practice advice on passwords. </p><p>Some guidelines advise against writing passwords down, while others, noting the large numbers of password-protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, not attached to a monitor or in an unlocked desk drawer.<sup id="cite_ref-schneier.com_39-0" class="reference"><a href="#cite_note-schneier.com-39"><span class="cite-bracket">[</span>39<span class="cite-bracket">]</span></a></sup> Use of a <a href="/wiki/Password_manager" title="Password manager">password manager</a> is recommended by the NCSC.<sup id="cite_ref-National_Cyber_Security_Centre_40-0" class="reference"><a href="#cite_note-National_Cyber_Security_Centre-40"><span class="cite-bracket">[</span>40<span class="cite-bracket">]</span></a></sup> </p><p>The possible character set for a password can be constrained by different websites or by the range of keyboards on which the password must be entered.<sup id="cite_ref-41" class="reference"><a href="#cite_note-41"><span class="cite-bracket">[</span>41<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Examples_of_weak_passwords">Examples of weak passwords</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=11" title="Edit section: Examples of weak passwords"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">See also: <a href="/wiki/Password_cracking" title="Password cracking">Password cracking</a> and <a href="/wiki/List_of_the_most_common_passwords" title="List of the most common passwords">List of the most common passwords</a></div> <p>As with any security measure, passwords vary in strength; some are weaker than others. For example, the difference in strength between a dictionary word and a word with obfuscation (e.g. letters in the password are substituted by, say, numbers — a common approach) may cost a password-cracking device a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds.:<sup id="cite_ref-perfect_12-1" class="reference"><a href="#cite_note-perfect-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p> <ul><li><a href="/wiki/Default_password" title="Default password">Default passwords</a> (as supplied by the system vendor and meant to be changed at installation time): <i>password</i>, <i>default</i>, <i>admin</i>, <i>guest</i>, etc. Lists of default passwords are widely available on the internet.</li> <li>Reused passwords: Passwords should be unique to a particular account. Altering reused passwords, such as changing a few letters or numbers, does not provide sufficient security.</li> <li>Dictionary words: <i>chameleon</i>, <i>RedSox</i>, <i>sandbags</i>, <i>bunnyhop!</i>, <i>IntenseCrabtree</i>, etc., including words in non-English dictionaries.</li> <li>Words with numbers appended: <i>password1</i>, <i>deer2000</i>, <i>john1234</i>, etc., can be easily tested automatically with little lost time.</li> <li><a href="/wiki/Munged_password" title="Munged password">Munged passwords</a> (words with simple obfuscation): <i>p@ssw0rd</i>, <i>l33th4x0r</i>, <i>g0ldf1sh</i>, etc., can be tested automatically with little additional effort. For example, a domain administrator password compromised in the <a href="/wiki/DigiNotar" title="DigiNotar">DigiNotar</a> attack was reportedly <i>Pr0d@dm1n.</i><sup id="cite_ref-42" class="reference"><a href="#cite_note-42"><span class="cite-bracket">[</span>42<span class="cite-bracket">]</span></a></sup></li> <li>Doubled words: <i>crabcrab</i>, <i>stopstop</i>, <i>treetree</i>, <i>passpass</i>, etc.</li> <li>Common sequences from a keyboard row: <i>qwerty</i>, <i>123456</i>, <i>asdfgh</i>, etc. including diagonal or backward sequences (qazplm, ytrewq, etc).</li> <li>Numeric sequences based on well known numbers such as 911 <sup>(<a href="/wiki/9-1-1" class="mw-redirect" title="9-1-1">9-1-1</a>, <a href="/wiki/September_11_attacks" title="September 11 attacks">9/11</a>)</sup>, 314159... <sup>(<a href="/wiki/Pi" title="Pi">pi</a>)</sup>, 27182... <sup>(<a href="/wiki/E_(mathematical_constant)" title="E (mathematical constant)">e</a>)</sup>, 112 <sup>(<a href="/wiki/112_(emergency_telephone_number)" title="112 (emergency telephone number)">1-1-2</a>)</sup>, etc.</li> <li>Identifiers: <i>jsmith123</i>, <i>1/1/1970</i>, <i>555–1234</i>, one's username, etc.</li> <li>Weak passwords in non-English languages, such as contraseña (Spanish) and ji32k7au4a83 (bopomofo keyboard encoding from Chinese)<sup id="cite_ref-43" class="reference"><a href="#cite_note-43"><span class="cite-bracket">[</span>43<span class="cite-bracket">]</span></a></sup></li> <li>Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of a person's details.</li> <li>Dates: dates follow a pattern and make your password weak.</li> <li>Names of well-known locations: New York, Texas, China, London, etc.</li> <li>Names of brands, celebrities, sports teams, musical groups, TV shows, movies, etc.</li> <li>Short passwords: Even if a password doesn't have any of the weaknesses listed above, if it is too short, it can be easily cracked.</li></ul> <p>There are many other ways a password can be weak,<sup id="cite_ref-44" class="reference"><a href="#cite_note-44"><span class="cite-bracket">[</span>44<span class="cite-bracket">]</span></a></sup> corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and <i>not</i> be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user. Online services often provide a restore password function that a hacker can figure out and by doing so bypass a password. </p> <div class="mw-heading mw-heading3"><h3 id="Rethinking_password_change_guidelines">Rethinking password change guidelines</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=12" title="Edit section: Rethinking password change guidelines"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In the landscape of 2012, as delineated by <a href="/wiki/William_Cheswick" title="William Cheswick">William Cheswick</a> in an article for ACM magazine, password security predominantly emphasized an alpha-numeric password of eight characters or more. Such a password, it was deduced, could resist ten million attempts per second for a duration of 252 days. However, with the assistance of contemporary GPUs at the time, this period was truncated to just about 9 hours, given a cracking rate of 7 billion attempts per second. A 13-character password was estimated to withstand GPU-computed attempts for over 900,000 years.<sup id="cite_ref-45" class="reference"><a href="#cite_note-45"><span class="cite-bracket">[</span>45<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-46" class="reference"><a href="#cite_note-46"><span class="cite-bracket">[</span>46<span class="cite-bracket">]</span></a></sup> </p><p>In the context of 2023 hardware technology, the 2012 standard of an eight-character alpha-numeric password has become vulnerable, succumbing in a few hours. The time needed to crack a 13-character password is reduced to a few years. The current emphasis, thus, has shifted. Password strength is now gauged not just by its complexity but its length, with recommendations leaning towards passwords comprising at least 13-16 characters. This era has also seen the rise of Multi-Factor Authentication (MFA) as a crucial fortification measure. The advent and widespread adoption of password managers have further aided users in cultivating and maintaining an array of strong, unique passwords.<sup id="cite_ref-47" class="reference"><a href="#cite_note-47"><span class="cite-bracket">[</span>47<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Password_policy">Password policy</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=13" title="Edit section: Password policy"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Password_policy" title="Password policy">Password policy</a></div> <p>A password policy is a guide to choosing satisfactory passwords. It is intended to: </p> <ul><li>assist users in choosing strong passwords</li> <li>ensure the passwords are suited to the target population</li> <li>Provide recommendations for users concerning the handling of their passwords</li> <li>impose a recommendation to change any password which has been lost or suspected of compromise</li> <li>use a <a href="/wiki/Blacklist_(computing)#Usernames_and_passwords" title="Blacklist (computing)">password blacklist</a> to block the use of weak or easily guessed passwords.</li></ul> <p>Previous password policies used to prescribe the characters which passwords must contain, such as numbers, symbols, or upper/lower case. While this is still in use, it has been debunked as less secure by university research,<sup id="cite_ref-48" class="reference"><a href="#cite_note-48"><span class="cite-bracket">[</span>48<span class="cite-bracket">]</span></a></sup> by the original instigator<sup id="cite_ref-49" class="reference"><a href="#cite_note-49"><span class="cite-bracket">[</span>49<span class="cite-bracket">]</span></a></sup> of this policy, and by the cyber security departments (and other related government security bodies<sup id="cite_ref-50" class="reference"><a href="#cite_note-50"><span class="cite-bracket">[</span>50<span class="cite-bracket">]</span></a></sup>) of USA<sup id="cite_ref-51" class="reference"><a href="#cite_note-51"><span class="cite-bracket">[</span>51<span class="cite-bracket">]</span></a></sup> and UK.<sup id="cite_ref-52" class="reference"><a href="#cite_note-52"><span class="cite-bracket">[</span>52<span class="cite-bracket">]</span></a></sup> Password complexity rules of enforced symbols were previously used by major platforms such as Google<sup id="cite_ref-53" class="reference"><a href="#cite_note-53"><span class="cite-bracket">[</span>53<span class="cite-bracket">]</span></a></sup> and Facebook,<sup id="cite_ref-54" class="reference"><a href="#cite_note-54"><span class="cite-bracket">[</span>54<span class="cite-bracket">]</span></a></sup> but these have removed the requirement following the discovery that they actually reduced security. This is because the human element is a far greater risk than cracking, and enforced complexity leads most users to highly predictable patterns (number at the end, swap 3 for E, etc.) which helps crack passwords. So password simplicity and length (passphrases) are the new best practice and complexity is discouraged. Forced complexity rules also increase support costs, and user friction and discourage user signups. </p><p>Password expiration was in some older password policies but has been debunked<sup id="cite_ref-tesla.tours_36-1" class="reference"><a href="#cite_note-tesla.tours-36"><span class="cite-bracket">[</span>36<span class="cite-bracket">]</span></a></sup> as best practice and is not supported by USA or UK governments, or Microsoft which removed<sup id="cite_ref-55" class="reference"><a href="#cite_note-55"><span class="cite-bracket">[</span>55<span class="cite-bracket">]</span></a></sup> the password expiry feature. Password expiration was previously trying to serve two purposes:<sup id="cite_ref-LOPSA_56-0" class="reference"><a href="#cite_note-LOPSA-56"><span class="cite-bracket">[</span>56<span class="cite-bracket">]</span></a></sup> </p> <ul><li>If the time to crack a password is estimated to be 100 days, password expiration times fewer than 100 days may help ensure insufficient time for an attacker.</li> <li>If a password has been compromised, requiring it to be changed regularly may limit the access time for the attacker.</li></ul> <p>However, password expiration has its drawbacks:<sup id="cite_ref-WEB_57-0" class="reference"><a href="#cite_note-WEB-57"><span class="cite-bracket">[</span>57<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-CERIAS_58-0" class="reference"><a href="#cite_note-CERIAS-58"><span class="cite-bracket">[</span>58<span class="cite-bracket">]</span></a></sup> </p> <ul><li>Asking users to change passwords frequently encourages simple, weak passwords.</li> <li>If one has a truly strong password, there is little point in changing it. Changing passwords that are already strong introduces a risk that the new password may be less strong.</li> <li>A compromised password is likely to be used immediately by an attacker to install a <a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">backdoor</a>, often via <a href="/wiki/Privilege_escalation" title="Privilege escalation">privilege escalation</a>. Once this is accomplished, password changes won't prevent future attackers from accessing them.</li> <li>Moving from never changing one's password to changing the password on every authenticate attempt (pass <i>or</i> fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack. One gains <i>much</i> more security by just increasing the password length by one character than changing the password on every use.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="Not in the references. This is certainly not true if the passwords are truely randomly generated. (June 2024)">citation needed</span></a></i>]</sup></li></ul> <div class="mw-heading mw-heading3"><h3 id="Creating_and_handling_passwords">Creating and handling passwords</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=14" title="Edit section: Creating and handling passwords"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The hardest passwords to crack, for a given length and character set, are random character strings; if long enough they resist brute force attacks (because there are many characters) and guessing attacks (due to high entropy). However, such passwords are typically the hardest to remember. The imposition of a requirement for such passwords in a password policy may encourage users to write them down, store them in <a href="/wiki/Mobile_device" title="Mobile device">mobile devices</a>, or share them with others as a safeguard against memory failure. While some people consider each of these user resorts to increase security risks, others suggest the absurdity of expecting users to remember distinct complex passwords for each of the dozens of accounts they access. For example, in 2005, security expert <a href="/wiki/Bruce_Schneier" title="Bruce Schneier">Bruce Schneier</a> recommended writing down one's password: </p> <style data-mw-deduplicate="TemplateStyles:r1244412712">.mw-parser-output .templatequote{overflow:hidden;margin:1em 0;padding:0 32px}.mw-parser-output .templatequotecite{line-height:1.5em;text-align:left;margin-top:0}@media(min-width:500px){.mw-parser-output .templatequotecite{padding-left:1.6em}}</style><blockquote class="templatequote"><p>Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.<sup id="cite_ref-schneier.com_39-1" class="reference"><a href="#cite_note-schneier.com-39"><span class="cite-bracket">[</span>39<span class="cite-bracket">]</span></a></sup></p></blockquote> <p>The following measures may increase acceptance of strong password requirements if carefully used: </p> <ul><li>a training program. Also, updated training for those who fail to follow the password policy (lost passwords, inadequate passwords, etc.).</li> <li>rewarding strong password users by reducing the rate, or eliminating, the need for password changes (password expiration). The strength of user-chosen passwords can be estimated by automatic programs which inspect and evaluate proposed passwords when setting or changing a password.</li> <li>displaying to each user the last login date and time in the hope that the user may notice unauthorized access, suggesting a compromised password.</li> <li>allowing users to reset their passwords via an automatic system, which reduces help desk call volume. However, some systems are themselves insecure; for instance, easily guessed or researched answers to password reset questions bypass the advantages of a strong password system.</li> <li>using randomly generated passwords that do not allow users to choose their passwords, or at least offering randomly generated passwords as an option.</li></ul> <div class="mw-heading mw-heading3"><h3 id="Memory_techniques">Memory techniques</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=15" title="Edit section: Memory techniques"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Password policies sometimes suggest <a href="/wiki/Memory_improvement" title="Memory improvement">memory techniques</a> to assist remembering passwords: </p> <ul><li>mnemonic passwords: Some users develop <a href="/wiki/Mnemonic" title="Mnemonic">mnemonic</a> phrases and use them to generate more or less random passwords which are nevertheless relatively easy for the user to remember. For instance, the first letter of each word in a memorable phrase. Research estimates the password strength of such passwords to be about 3.7 bits per character, compared to the 6.6 bits for random passwords from ASCII printable characters.<sup id="cite_ref-59" class="reference"><a href="#cite_note-59"><span class="cite-bracket">[</span>59<span class="cite-bracket">]</span></a></sup> Silly ones are possibly more memorable.<sup id="cite_ref-60" class="reference"><a href="#cite_note-60"><span class="cite-bracket">[</span>60<span class="cite-bracket">]</span></a></sup> Another way to make random-appearing passwords more memorable is to use random words (see <a href="/wiki/Diceware" title="Diceware">diceware</a>) or syllables instead of randomly chosen letters.</li> <li>after-the-fact mnemonics: After the password has been established, invent a mnemonic that fits.<sup id="cite_ref-61" class="reference"><a href="#cite_note-61"><span class="cite-bracket">[</span>61<span class="cite-bracket">]</span></a></sup> It does not have to be reasonable or sensible, only memorable. This allows passwords to be random.</li> <li>visual representations of passwords: a password is memorized based on a sequence of keys pressed, not the values of the keys themselves, e.g. a sequence !qAsdE#2 represents a <a href="/wiki/Rhomboid" title="Rhomboid">rhomboid</a> on a US keyboard. The method to produce such passwords is called PsychoPass.<sup id="cite_ref-:10_62-0" class="reference"><a href="#cite_note-:10-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup> Passwords produced by this method are much weaker than their length suggests, since successive keys are not independent and common keyboard sequences are included in password dictionaries. But some improvements can be made.<sup id="cite_ref-63" class="reference"><a href="#cite_note-63"><span class="cite-bracket">[</span>63<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-64" class="reference"><a href="#cite_note-64"><span class="cite-bracket">[</span>64<span class="cite-bracket">]</span></a></sup></li> <li>password patterns: Any pattern in a password makes guessing (automated or not) easier and reduces an attacker's work factor. <ul><li>For example, passwords of the following case-insensitive form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example <i>pinray45</i>) are called Environ passwords. The pattern of alternating vowel and consonant characters was intended to make passwords more likely to be pronounceable and thus more memorable. Such patterns severely reduce the password's <a href="/wiki/Information_entropy" class="mw-redirect" title="Information entropy">information entropy</a>, making <a href="/wiki/Brute_force_attack" class="mw-redirect" title="Brute force attack">brute force</a> password attacks considerably more efficient. In the UK in October 2005, employees of <a href="/wiki/Departments_of_the_United_Kingdom_Government" class="mw-redirect" title="Departments of the United Kingdom Government">the British government</a> were advised to use passwords in this form.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (January 2012)">citation needed</span></a></i>]</sup></li></ul></li></ul> <div class="mw-heading mw-heading2"><h2 id="Password_managers">Password managers</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=16" title="Edit section: Password managers"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Password_manager" title="Password manager">Password manager</a></div> <p>A reasonable compromise for using large numbers of passwords is to record them in a password manager program, which include stand-alone applications, web browser extensions, or a manager built into the operating system. A password manager allows the user to use hundreds of different passwords, and only have to remember a single password, the one which opens the encrypted password database.<sup id="cite_ref-65" class="reference"><a href="#cite_note-65"><span class="cite-bracket">[</span>65<span class="cite-bracket">]</span></a></sup> Needless to say, this single password should be strong and well-protected (not recorded anywhere). Most password managers can automatically create strong passwords using a cryptographically secure <a href="/wiki/Random_password_generator" title="Random password generator">random password generator</a>, as well as calculating the entropy of the generated password. A good password manager will provide resistance against attacks such as <a href="/wiki/Key_logging" class="mw-redirect" title="Key logging">key logging</a>, clipboard logging and various other memory spying techniques. </p> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=17" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Keystroke_logging" title="Keystroke logging">Keystroke logging</a></li> <li><a href="/wiki/Passphrase" title="Passphrase">Passphrase</a></li> <li><a href="/wiki/Phishing" title="Phishing">Phishing</a></li> <li><a href="/wiki/Vulnerability_(computing)" class="mw-redirect" title="Vulnerability (computing)">Vulnerability (computing)</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=18" title="Edit section: References"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist .references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist"> <div class="mw-references-wrap mw-references-columns"><ol class="references"> <li id="cite_note-CERT-1"><span class="mw-cite-backlink"><b><a href="#cite_ref-CERT_1-0">^</a></b></span> <span class="reference-text"><style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.us-cert.gov/cas/tips/ST04-002.html">"Cyber Security Tip ST04-002"</a>. <i>Choosing and Protecting Passwords</i>. US CERT. 21 May 2009. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20090707141138/http://www.us-cert.gov/cas/tips/ST04-002.html">Archived</a> from the original on July 7, 2009<span class="reference-accessdate">. Retrieved <span class="nowrap">June 20,</span> 2009</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Choosing+and+Protecting+Passwords&rft.atitle=Cyber+Security+Tip+ST04-002&rft.date=2009-05-21&rft_id=http%3A%2F%2Fwww.us-cert.gov%2Fcas%2Ftips%2FST04-002.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-2">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.securityweek.com/why-user-names-and-passwords-are-not-enough">"Why User Names and Passwords Are Not Enough | SecurityWeek.Com"</a>. <i>www.securityweek.com</i>. 31 January 2019<span class="reference-accessdate">. Retrieved <span class="nowrap">2020-10-31</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.securityweek.com&rft.atitle=Why+User+Names+and+Passwords+Are+Not+Enough+%7C+SecurityWeek.Com&rft.date=2019-01-31&rft_id=https%3A%2F%2Fwww.securityweek.com%2Fwhy-user-names-and-passwords-are-not-enough&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.bbc.com/news/technology-47974583">"Millions using 123456 as password, security study finds"</a>. <i>BBC News</i>. 21 April 2019<span class="reference-accessdate">. Retrieved <span class="nowrap">24 April</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=BBC+News&rft.atitle=Millions+using+123456+as+password%2C+security+study+finds&rft.date=2019-04-21&rft_id=https%3A%2F%2Fwww.bbc.com%2Fnews%2Ftechnology-47974583&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-NIST-4"><span class="mw-cite-backlink">^ <a href="#cite_ref-NIST_4-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-NIST_4-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-NIST_4-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-NIST_4-3"><sup><i><b>d</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20040712152833/http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf">"SP 800-63 – Electronic Authentication Guideline"</a> <span class="cs1-format">(PDF)</span>. NIST. Archived from <a rel="nofollow" class="external text" href="http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf">the original</a> <span class="cs1-format">(PDF)</span> on July 12, 2004<span class="reference-accessdate">. Retrieved <span class="nowrap">April 20,</span> 2014</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=SP+800-63+%E2%80%93+Electronic+Authentication+Guideline&rft.pub=NIST&rft_id=http%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fnistpubs%2F800-63%2FSP800-63v6_3_3.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-gtri-5"><span class="mw-cite-backlink">^ <a href="#cite_ref-gtri_5-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-gtri_5-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System">"Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World's Password Security System"</a>. <a href="/wiki/Georgia_Tech_Research_Institute" title="Georgia Tech Research Institute">Georgia Tech Research Institute</a>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20101230063449/http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System">Archived</a> from the original on 2010-12-30<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Teraflop+Troubles%3A+The+Power+of+Graphics+Processing+Units+May+Threaten+the+World%27s+Password+Security+System&rft.pub=Georgia+Tech+Research+Institute&rft_id=http%3A%2F%2Fwww.gtri.gatech.edu%2Fcasestudy%2FTeraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-belenko-6"><span class="mw-cite-backlink"><b><a href="#cite_ref-belenko_6-0">^</a></b></span> <span class="reference-text"><style data-mw-deduplicate="TemplateStyles:r1041539562">.mw-parser-output .citation{word-wrap:break-word}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}</style><span class="citation patent" id="CITEREFAndrey_V._Belenko2011"><a rel="nofollow" class="external text" href="https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US7929707">US patent 7929707</a>, Andrey V. Belenko, "Use of graphics processors as parallel math co-processors for password recovery", issued 2011-04-19,  assigned to Elcomsoft Co. Ltd.</span><span class="Z3988" title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Apatent&rft.number=7929707&rft.cc=US&rft.title=Use+of+graphics+processors+as+parallel+math+co-processors+for+password+recovery&rft.inventor=Andrey+V.+Belenko&rft.assignee=Elcomsoft+Co.+Ltd.&rft.date=2011-04-19"><span style="display: none;"> </span></span></span> </li> <li id="cite_note-elcomsoft-7"><span class="mw-cite-backlink"><b><a href="#cite_ref-elcomsoft_7-0">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.elcomsoft.com/eprb.html#gpu">Elcomsoft.com</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20061017173506/http://www.elcomsoft.com/eprb.html">Archived</a> 2006-10-17 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a>, <a href="/wiki/ElcomSoft" title="ElcomSoft">ElcomSoft</a> Password Recovery Speed table, <a href="/wiki/NTLM" title="NTLM">NTLM</a> passwords, <a href="/wiki/Nvidia_Tesla" title="Nvidia Tesla">Nvidia Tesla</a> S1070 GPU, accessed 2011-02-01</span> </li> <li id="cite_note-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-8">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.elcomsoft.com/ewsa.html">Elcomsoft Wireless Security Auditor, HD5970 GPU</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110219131825/http://www.elcomsoft.com/ewsa.html">Archived</a> 2011-02-19 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a> accessed 2011-02-11</span> </li> <li id="cite_note-9"><span class="mw-cite-backlink"><b><a href="#cite_ref-9">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFJames_Massey1994" class="citation conference cs1"><a href="/wiki/James_Massey" title="James Massey">James Massey</a> (1994). <a rel="nofollow" class="external text" href="http://www.isiweb.ee.ethz.ch/archive/massey_pub/pdf/BI633.pdf">"Guessing and entropy"</a> <span class="cs1-format">(PDF)</span>. <i>Proceedings of 1994 IEEE International Symposium on Information Theory</i>. IEEE. p. 204.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=Guessing+and+entropy&rft.btitle=Proceedings+of+1994+IEEE+International+Symposium+on+Information+Theory&rft.pages=204&rft.pub=IEEE&rft.date=1994&rft.au=James+Massey&rft_id=http%3A%2F%2Fwww.isiweb.ee.ethz.ch%2Farchive%2Fmassey_pub%2Fpdf%2FBI633.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-10">^</a></b></span> <span class="reference-text">Schneier, B: <i>Applied Cryptography</i>, 2e, page 233 ff. John Wiley and Sons.</span> </li> <li id="cite_note-11"><span class="mw-cite-backlink"><b><a href="#cite_ref-11">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="ACM_978-1-59593-654-7/07/0005." class="citation book cs1">Florencio, Dinei; Herley, Cormac (May 8, 2007). <a rel="nofollow" class="external text" href="http://research.microsoft.com/pubs/74164/www2007.pdf">"A large-scale study of web password habits"</a> <span class="cs1-format">(PDF)</span>. <i>Proceedings of the 16th international conference on World Wide Web</i>. p. 657. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F1242572.1242661">10.1145/1242572.1242661</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9781595936547" title="Special:BookSources/9781595936547"><bdi>9781595936547</bdi></a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:10648989">10648989</a>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20150327031521/http://research.microsoft.com/pubs/74164/www2007.pdf">Archived</a> <span class="cs1-format">(PDF)</span> from the original on March 27, 2015.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=A+large-scale+study+of+web+password+habits&rft.btitle=Proceedings+of+the+16th+international+conference+on+World+Wide+Web&rft.pages=657&rft.date=2007-05-08&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A10648989%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1145%2F1242572.1242661&rft.isbn=9781595936547&rft.aulast=Florencio&rft.aufirst=Dinei&rft.au=Herley%2C+Cormac&rft_id=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F74164%2Fwww2007.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-perfect-12"><span class="mw-cite-backlink">^ <a href="#cite_ref-perfect_12-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-perfect_12-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBurnett2006" class="citation book cs1">Burnett, Mark (2006). <a href="/wiki/Dave_Kleiman" title="Dave Kleiman">Kleiman, Dave</a> (ed.). <i>Perfect Passwords</i>. Rockland, Massachusetts: Syngress Publishing. p. 181. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-59749-041-2" title="Special:BookSources/978-1-59749-041-2"><bdi>978-1-59749-041-2</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Perfect+Passwords&rft.place=Rockland%2C+Massachusetts&rft.pages=181&rft.pub=Syngress+Publishing&rft.date=2006&rft.isbn=978-1-59749-041-2&rft.aulast=Burnett&rft.aufirst=Mark&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-myspace-passwords-13"><span class="mw-cite-backlink"><b><a href="#cite_ref-myspace-passwords_13-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBruce_Schneier2006" class="citation news cs1">Bruce Schneier (December 14, 2006). <a rel="nofollow" class="external text" href="http://archive.wired.com/politics/security/commentary/securitymatters/2006/12/72300?currentPage=all">"MySpace Passwords aren't so Dumb"</a>. Wired Magazine. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20140521031354/http://archive.wired.com/politics/security/commentary/securitymatters/2006/12/72300?currentPage=all">Archived</a> from the original on May 21, 2014<span class="reference-accessdate">. Retrieved <span class="nowrap">April 11,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=MySpace+Passwords+aren%27t+so+Dumb&rft.date=2006-12-14&rft.au=Bruce+Schneier&rft_id=http%3A%2F%2Farchive.wired.com%2Fpolitics%2Fsecurity%2Fcommentary%2Fsecuritymatters%2F2006%2F12%2F72300%3FcurrentPage%3Dall&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-14">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://beinternetawesome.withgoogle.com/en_us/interland/">"Play Interland - Be Internet Awesome"</a>. <i>Play Interland - Be Internet Awesome</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2024-09-10</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Play+Interland+-+Be+Internet+Awesome&rft.atitle=Play+Interland+-+Be+Internet+Awesome&rft_id=https%3A%2F%2Fbeinternetawesome.withgoogle.com%2Fen_us%2Finterland%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-WeirEtAl-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-WeirEtAl_15-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMatt_WeirSusdhir_AggarwalMichael_CollinsHenry_Stern2010" class="citation web cs1">Matt Weir; Susdhir Aggarwal; Michael Collins; Henry Stern (7 October 2010). <a rel="nofollow" class="external text" href="http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html">"Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"</a> <span class="cs1-format">(PDF)</span>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20120706124704/http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html">Archived</a> from the original on July 6, 2012<span class="reference-accessdate">. Retrieved <span class="nowrap">March 21,</span> 2012</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Testing+Metrics+for+Password+Creation+Policies+by+Attacking+Large+Sets+of+Revealed+Passwords&rft.date=2010-10-07&rft.au=Matt+Weir&rft.au=Susdhir+Aggarwal&rft.au=Michael+Collins&rft.au=Henry+Stern&rft_id=http%3A%2F%2Freusablesec.blogspot.com%2F2010%2F10%2Fnew-paper-on-password-security-metrics.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-16">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://pages.nist.gov/800-63-3">"SP 800-63-3 – Digital Identity Guidelines"</a> <span class="cs1-format">(PDF)</span>. NIST. June 2017. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20170806142240/https://pages.nist.gov/800-63-3/">Archived</a> from the original on August 6, 2017<span class="reference-accessdate">. Retrieved <span class="nowrap">August 6,</span> 2017</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=SP+800-63-3+%E2%80%93+Digital+Identity+Guidelines&rft.pub=NIST&rft.date=2017-06&rft_id=https%3A%2F%2Fpages.nist.gov%2F800-63-3&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-Gartner-17"><span class="mw-cite-backlink"><b><a href="#cite_ref-Gartner_17-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFA._Allan" class="citation web cs1">A. Allan. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20060427032938/http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf">"Passwords are Near the Breaking Point"</a> <span class="cs1-format">(PDF)</span>. Gartner. Archived from <a rel="nofollow" class="external text" href="http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf">the original</a> <span class="cs1-format">(PDF)</span> on April 27, 2006<span class="reference-accessdate">. Retrieved <span class="nowrap">April 10,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Passwords+are+Near+the+Breaking+Point&rft.pub=Gartner&rft.au=A.+Allan&rft_id=http%3A%2F%2Fwww.indevis.de%2Fdokumente%2Fgartner_passwords_breakpoint.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-Schneier-writedown-18"><span class="mw-cite-backlink"><b><a href="#cite_ref-Schneier-writedown_18-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBruce_Schneier" class="citation web cs1">Bruce Schneier. <a rel="nofollow" class="external text" href="http://www.schneier.com/blog/archives/2005/06/write_down_your.html">"Schneier on Security"</a>. <i>Write Down Your Password</i>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080413032636/http://www.schneier.com/blog/archives/2005/06/write_down_your.html">Archived</a> from the original on April 13, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">April 10,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Write+Down+Your+Password&rft.atitle=Schneier+on+Security&rft.au=Bruce+Schneier&rft_id=http%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2005%2F06%2Fwrite_down_your.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-19">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4086"><i>Randomness Requirements for Security</i></a>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4086">10.17487/RFC4086</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4086">4086</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Randomness+Requirements+for+Security&rft_id=info%3Adoi%2F10.17487%2FRFC4086&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4086&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-msnbc-20"><span class="mw-cite-backlink"><b><a href="#cite_ref-msnbc_20-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation news cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20130711022009/http://www.nbcnews.com/id/38771772/">"Want to deter hackers? Make your password longer"</a>. <a href="/wiki/NBC_News" title="NBC News">NBC News</a>. 2010-08-19. Archived from <a rel="nofollow" class="external text" href="http://www.nbcnews.com/id/38771772">the original</a> on July 11, 2013<span class="reference-accessdate">. Retrieved <span class="nowrap">2010-11-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Want+to+deter+hackers%3F+Make+your+password+longer&rft.date=2010-08-19&rft_id=http%3A%2F%2Fwww.nbcnews.com%2Fid%2F38771772&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-EFF-deep-crack-21"><span class="mw-cite-backlink"><b><a href="#cite_ref-EFF-deep-crack_21-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100101001853/http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html">"EFF DES Cracker machine brings honesty to crypto debate"</a>. EFF. Archived from <a rel="nofollow" class="external text" href="https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html">the original</a> on January 1, 2010<span class="reference-accessdate">. Retrieved <span class="nowrap">March 27,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=EFF+DES+Cracker+machine+brings+honesty+to+crypto+debate&rft.pub=EFF&rft_id=http%3A%2F%2Fw2.eff.org%2FPrivacy%2FCrypto%2FCrypto_misc%2FDESCracker%2FHTML%2F19980716_eff_descracker_pressrel.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-distributed-22"><span class="mw-cite-backlink"><b><a href="#cite_ref-distributed_22-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20130910051812/http://stats.distributed.net/projects.php?project_id=5">"64-bit key project status"</a>. Distributed.net. Archived from <a rel="nofollow" class="external text" href="http://stats.distributed.net/projects.php?project_id=5">the original</a> on September 10, 2013<span class="reference-accessdate">. Retrieved <span class="nowrap">March 27,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=64-bit+key+project+status&rft.pub=Distributed.net&rft_id=http%3A%2F%2Fstats.distributed.net%2Fprojects.php%3Fproject_id%3D5&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-distributed-72-23"><span class="mw-cite-backlink"><b><a href="#cite_ref-distributed-72_23-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://stats.distributed.net/projects.php?project_id=8">"72-bit key project status"</a>. Distributed.net<span class="reference-accessdate">. Retrieved <span class="nowrap">October 12,</span> 2011</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=72-bit+key+project+status&rft.pub=Distributed.net&rft_id=http%3A%2F%2Fstats.distributed.net%2Fprojects.php%3Fproject_id%3D8&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-schneier-cyptogram-24"><span class="mw-cite-backlink"><b><a href="#cite_ref-schneier-cyptogram_24-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBruce_Schneier" class="citation web cs1">Bruce Schneier. <a rel="nofollow" class="external text" href="http://www.schneier.com/crypto-gram-9902.html">"Snakeoil: Warning Sign #5: Ridiculous key lengths"</a>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080418225248/http://www.schneier.com/crypto-gram-9902.html">Archived</a> from the original on April 18, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">March 27,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Snakeoil%3A+Warning+Sign+%235%3A+Ridiculous+key+lengths&rft.au=Bruce+Schneier&rft_id=http%3A%2F%2Fwww.schneier.com%2Fcrypto-gram-9902.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-25"><span class="mw-cite-backlink"><b><a href="#cite_ref-25">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://stackoverflow.com/questions/2768807/quantum-computing-and-encryption-breaking">"Quantum Computing and Encryption Breaking"</a>. Stack Overflow. 2011-05-27. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20130521043721/http://stackoverflow.com/questions/2768807/quantum-computing-and-encryption-breaking">Archived</a> from the original on 2013-05-21<span class="reference-accessdate">. Retrieved <span class="nowrap">2013-03-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Quantum+Computing+and+Encryption+Breaking&rft.pub=Stack+Overflow&rft.date=2011-05-27&rft_id=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F2768807%2Fquantum-computing-and-encryption-breaking&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-26"><span class="mw-cite-backlink"><b><a href="#cite_ref-26">^</a></b></span> <span class="reference-text">Microsoft Corporation, <a rel="nofollow" class="external text" href="http://www.microsoft.com/protect/yourself/password/create.mspx">Strong passwords: How to create and use them</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080101132156/http://www.microsoft.com/protect/yourself/password/create.mspx">Archived</a> 2008-01-01 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-schneier07-27"><span class="mw-cite-backlink"><b><a href="#cite_ref-schneier07_27-0">^</a></b></span> <span class="reference-text">Bruce Schneier, <a rel="nofollow" class="external text" href="http://www.schneier.com/blog/archives/2007/01/choosing_secure.html">Choosing Secure Passwords</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080223002450/http://www.schneier.com/blog/archives/2007/01/choosing_secure.html">Archived</a> 2008-02-23 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-28"><span class="mw-cite-backlink"><b><a href="#cite_ref-28">^</a></b></span> <span class="reference-text">Google, Inc., <a rel="nofollow" class="external text" href="https://www.google.com/accounts/PasswordHelp">How safe is your password?</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080222225549/https://www.google.com/accounts/PasswordHelp">Archived</a> 2008-02-22 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-UMD01-29"><span class="mw-cite-backlink"><b><a href="#cite_ref-UMD01_29-0">^</a></b></span> <span class="reference-text">University of Maryland, <a rel="nofollow" class="external text" href="http://www.cs.umd.edu/faq/Passwords.shtml">Choosing a Good Password</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20140614022254/http://www.cs.umd.edu/faq/Passwords.shtml">Archived</a> 2014-06-14 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-Bidwell000-30"><span class="mw-cite-backlink"><b><a href="#cite_ref-Bidwell000_30-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBidwell2002" class="citation book cs1">Bidwell, Teri (2002). <span class="id-lock-registration" title="Free registration required"><a rel="nofollow" class="external text" href="https://archive.org/details/hackproofingyour0000bidw"><i>Hack Proofing Your Identity in the Information Age</i></a></span>. Syngress Publishing. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-931836-51-7" title="Special:BookSources/978-1-931836-51-7"><bdi>978-1-931836-51-7</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Hack+Proofing+Your+Identity+in+the+Information+Age&rft.pub=Syngress+Publishing&rft.date=2002&rft.isbn=978-1-931836-51-7&rft.aulast=Bidwell&rft.aufirst=Teri&rft_id=https%3A%2F%2Farchive.org%2Fdetails%2Fhackproofingyour0000bidw&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-31"><span class="mw-cite-backlink"><b><a href="#cite_ref-31">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://stealthbits.com/blog/nist-password-guidelines/#:~:text=NIST%20now%20requires%20that%20all,characters%20as%20a%20maximum%20length.">"NIST PASSWORD GUIDELINES IN 2020"</a>. Stealthbits. 18 August 2020<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=NIST+PASSWORD+GUIDELINES+IN+2020&rft.pub=Stealthbits&rft.date=2020-08-18&rft_id=https%3A%2F%2Fstealthbits.com%2Fblog%2Fnist-password-guidelines%2F%23%3A~%3Atext%3DNIST%2520now%2520requires%2520that%2520all%2Ccharacters%2520as%2520a%2520maximum%2520length.&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-32"><span class="mw-cite-backlink"><b><a href="#cite_ref-32">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.ncsc.gov.uk/collection/passwords/updating-your-approach">"Password Policy - Updating your approach"</a>. UK National Cyber Security Centre<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Password+Policy+-+Updating+your+approach&rft.pub=UK+National+Cyber+Security+Centre&rft_id=https%3A%2F%2Fwww.ncsc.gov.uk%2Fcollection%2Fpasswords%2Fupdating-your-approach&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-33"><span class="mw-cite-backlink"><b><a href="#cite_ref-33">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.cisa.gov/news-events/news/choosing-and-protecting-passwords">"Choosing and Protecting Passwords"</a>. US Cybersecurity & Infrastructure Security Agency (CISA). 2019-11-18<span class="reference-accessdate">. Retrieved <span class="nowrap">2023-10-10</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Choosing+and+Protecting+Passwords&rft.pub=US+Cybersecurity+%26+Infrastructure+Security+Agency+%28CISA%29&rft.date=2019-11-18&rft_id=https%3A%2F%2Fwww.cisa.gov%2Fnews-events%2Fnews%2Fchoosing-and-protecting-passwords&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-34"><span class="mw-cite-backlink"><b><a href="#cite_ref-34">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity">"Digital Identity Guidelines"</a>. USA National Institute for Standards and Technology<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Digital+Identity+Guidelines&rft.pub=USA+National+Institute+for+Standards+and+Technology&rft_id=https%3A%2F%2Fpages.nist.gov%2F800-63-3%2Fsp800-63b.html%23a3-complexity&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-35"><span class="mw-cite-backlink"><b><a href="#cite_ref-35">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.ncsc.gov.uk/collection/passwords/updating-your-approach">"Password administration for system owners"</a>. UK National Cyber Security Centre<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Password+administration+for+system+owners&rft.pub=UK+National+Cyber+Security+Centre&rft_id=https%3A%2F%2Fwww.ncsc.gov.uk%2Fcollection%2Fpasswords%2Fupdating-your-approach&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-tesla.tours-36"><span class="mw-cite-backlink">^ <a href="#cite_ref-tesla.tours_36-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-tesla.tours_36-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.tesla.tours/campaigns/password-rules#h.8jxqtu8i7po2">"Password Rules - Founder of Password Complexity Says SORRY!"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Password+Rules+-+Founder+of+Password+Complexity+Says+SORRY%21&rft_id=https%3A%2F%2Fwww.tesla.tours%2Fcampaigns%2Fpassword-rules%23h.8jxqtu8i7po2&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-37"><span class="mw-cite-backlink"><b><a href="#cite_ref-37">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://cups.cs.cmu.edu/passwords.html">"CyLab Usable Privacy and Security Laboratory (CUPS)"</a>. Carnegie Mellon University (USA)<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=CyLab+Usable+Privacy+and+Security+Laboratory+%28CUPS%29&rft.pub=Carnegie+Mellon+University+%28USA%29&rft_id=http%3A%2F%2Fcups.cs.cmu.edu%2Fpasswords.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-38"><span class="mw-cite-backlink"><b><a href="#cite_ref-38">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBruce" class="citation web cs1">Bruce, Schneier. <a rel="nofollow" class="external text" href="https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html">"Changes in Password Best Practices"</a>. Schneier on Security<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Changes+in+Password+Best+Practices&rft.pub=Schneier+on+Security&rft.aulast=Bruce&rft.aufirst=Schneier&rft_id=https%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2017%2F10%2Fchanges_in_pass.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-schneier.com-39"><span class="mw-cite-backlink">^ <a href="#cite_ref-schneier.com_39-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-schneier.com_39-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.schneier.com/blog/archives/2005/06/write_down_your.html">"Write Down Your Password - Schneier on Security"</a>. <i>www.schneier.com</i>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080413032636/http://www.schneier.com/blog/archives/2005/06/write_down_your.html">Archived</a> from the original on 2008-04-13.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.schneier.com&rft.atitle=Write+Down+Your+Password+-+Schneier+on+Security&rft_id=http%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2005%2F06%2Fwrite_down_your.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-National_Cyber_Security_Centre-40"><span class="mw-cite-backlink"><b><a href="#cite_ref-National_Cyber_Security_Centre_40-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers">"What does the NCSC think of password managers?"</a>. <i>www.ncsc.gov.uk</i>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20190305053922/https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers">Archived</a> from the original on 2019-03-05.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.ncsc.gov.uk&rft.atitle=What+does+the+NCSC+think+of+password+managers%3F&rft_id=https%3A%2F%2Fwww.ncsc.gov.uk%2Fblog-post%2Fwhat-does-ncsc-think-password-managers&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-41"><span class="mw-cite-backlink"><b><a href="#cite_ref-41">^</a></b></span> <span class="reference-text">e.g. for a keyboard with only 17 nonalphanumeric characters, see one for a BlackBerry phone in <a rel="nofollow" class="external text" href="http://www.hardwaresecrets.com/fullimage.php?image=18705">an enlarged image</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110406121058/http://www.hardwaresecrets.com/fullimage.php?image=18705">Archived</a> 2011-04-06 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a> in support of <a rel="nofollow" class="external text" href="http://www.hardwaresecrets.com/article/795/2">Sandy Berger, <i>BlackBerry Tour 9630 (Verizon) Cell Phone Review</i>, in Hardware Secrets (August 31, 2009)</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110406121111/http://www.hardwaresecrets.com/article/795/2">Archived</a> April 6, 2011, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a>, both as accessed January 19, 2010. That some websites don’t allow nonalphanumerics is indicated by <a rel="nofollow" class="external text" href="http://forums.theregister.co.uk/post/527230">Kanhef, <i>Idiots, For Different Reasons</i> (June 30, 2009) (topic post)</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20110406121058/http://forums.theregister.co.uk/post/527230">Archived</a> April 6, 2011, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a>, as accessed January 20, 2010.</span> </li> <li id="cite_note-42"><span class="mw-cite-backlink"><b><a href="#cite_ref-42">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://thehackernews.com/2011/09/comodohacker-responsible-for-diginotar.html">"ComodoHacker responsible for DigiNotar Attack – Hacking News"</a>. Thehackernews.com. 2011-09-06. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20130517204022/http://thehackernews.com/2011/09/comodohacker-responsible-for-diginotar.html">Archived</a> from the original on 2013-05-17<span class="reference-accessdate">. Retrieved <span class="nowrap">2013-03-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ComodoHacker+responsible+for+DigiNotar+Attack+%E2%80%93+Hacking+News&rft.pub=Thehackernews.com&rft.date=2011-09-06&rft_id=http%3A%2F%2Fthehackernews.com%2F2011%2F09%2Fcomodohacker-responsible-for-diginotar.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-43"><span class="mw-cite-backlink"><b><a href="#cite_ref-43">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFDave_Basner2019" class="citation news cs1">Dave Basner (8 March 2019). <a rel="nofollow" class="external text" href="https://www.iheart.com/content/2019-03-08-heres-why-ji32k7au4a83-is-a-surprisingly-common-password/">"Here's Why 'ji32k7au4a83' Is A Surprisingly Common Password"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">25 March</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Here%27s+Why+%27ji32k7au4a83%27+Is+A+Surprisingly+Common+Password&rft.date=2019-03-08&rft.au=Dave+Basner&rft_id=https%3A%2F%2Fwww.iheart.com%2Fcontent%2F2019-03-08-heres-why-ji32k7au4a83-is-a-surprisingly-common-password%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-44"><span class="mw-cite-backlink"><b><a href="#cite_ref-44">^</a></b></span> <span class="reference-text">Bidwell, p. 87</span> </li> <li id="cite_note-45"><span class="mw-cite-backlink"><b><a href="#cite_ref-45">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFWilliam2012" class="citation web cs1">William, Cheswick (2012-12-31). <a rel="nofollow" class="external text" href="https://queue.acm.org/detail.cfm?id=2422416">"HTML version - Rethinking Passwords"</a>. <i><a href="/wiki/Association_for_Computing_Machinery" title="Association for Computing Machinery">Association for Computing Machinery</a> (ACM)</i>. <a rel="nofollow" class="external text" href="https://archive.today/20191103172648/https://queue.acm.org/detail.cfm?id=2422416">Archived</a> from the original on 2019-11-03<span class="reference-accessdate">. Retrieved <span class="nowrap">2019-11-03</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Association+for+Computing+Machinery+%28ACM%29&rft.atitle=HTML+version+-+Rethinking+Passwords&rft.date=2012-12-31&rft.aulast=William&rft.aufirst=Cheswick&rft_id=https%3A%2F%2Fqueue.acm.org%2Fdetail.cfm%3Fid%3D2422416&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-46"><span class="mw-cite-backlink"><b><a href="#cite_ref-46">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFWilliam2012" class="citation journal cs1">William, Cheswick (2012-12-31). <a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F2405116.2422416">"ACM Digital Library - Rethinking Passwords"</a>. <i>Queue</i>. <b>10</b> (12): 50–56. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F2405116.2422416">10.1145/2405116.2422416</a></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Queue&rft.atitle=ACM+Digital+Library+-+Rethinking+Passwords&rft.volume=10&rft.issue=12&rft.pages=50-56&rft.date=2012-12-31&rft_id=info%3Adoi%2F10.1145%2F2405116.2422416&rft.aulast=William&rft.aufirst=Cheswick&rft_id=https%3A%2F%2Fdoi.org%2F10.1145%252F2405116.2422416&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-47"><span class="mw-cite-backlink"><b><a href="#cite_ref-47">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://bitwarden.com/resources/the-state-of-password-security/">"The State of Password Security 2023 Report | Bitwarden Resources"</a>. <i>Bitwarden</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2023-09-24</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Bitwarden&rft.atitle=The+State+of+Password+Security+2023+Report+%7C+Bitwarden+Resources&rft_id=https%3A%2F%2Fbitwarden.com%2Fresources%2Fthe-state-of-password-security%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-48"><span class="mw-cite-backlink"><b><a href="#cite_ref-48">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf">"Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements"</a> <span class="cs1-format">(PDF)</span>. Carnegie Mellon University<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Practical+Recommendations+for+Stronger%2C+More+Usable+Passwords+Combining+Minimum-strength%2C+Minimum-length%2C+and+Blocklist+Requirements&rft.pub=Carnegie+Mellon+University&rft_id=http%3A%2F%2Fwww.andrew.cmu.edu%2Fuser%2Fnicolasc%2Fpublications%2FTan-CCS20.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-49"><span class="mw-cite-backlink"><b><a href="#cite_ref-49">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.tesla.tours/campaigns/password-rules#h.8jxqtu8i7po2">"Bill Burr, Founder of Password complexity rules says SORRY!"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Bill+Burr%2C+Founder+of+Password+complexity+rules+says+SORRY%21&rft_id=https%3A%2F%2Fwww.tesla.tours%2Fcampaigns%2Fpassword-rules%23h.8jxqtu8i7po2&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-50"><span class="mw-cite-backlink"><b><a href="#cite_ref-50">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/#whatrequirementsshould">"Passwords in online services"</a>. UK Information Commissioner's Office (ICO)<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Passwords+in+online+services&rft.pub=UK+Information+Commissioner%27s+Office+%28ICO%29&rft_id=https%3A%2F%2Fico.org.uk%2Ffor-organisations%2Fguide-to-data-protection%2Fguide-to-the-general-data-protection-regulation-gdpr%2Fsecurity%2Fpasswords-in-online-services%2F%23whatrequirementsshould&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-51"><span class="mw-cite-backlink"><b><a href="#cite_ref-51">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity">"Digital Identity Guidelines"</a>. USA National Institute of Standards and Technology<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Digital+Identity+Guidelines&rft.pub=USA+National+Institute+of+Standards+and+Technology&rft_id=https%3A%2F%2Fpages.nist.gov%2F800-63-3%2Fsp800-63b.html%23a3-complexity&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-52"><span class="mw-cite-backlink"><b><a href="#cite_ref-52">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf">"Password guidance"</a> <span class="cs1-format">(PDF)</span>. Cyber Security, UK Government Communications Headquarters<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Password+guidance&rft.pub=Cyber+Security%2C+UK+Government+Communications+Headquarters&rft_id=https%3A%2F%2Fassets.publishing.service.gov.uk%2Fgovernment%2Fuploads%2Fsystem%2Fuploads%2Fattachment_data%2Ffile%2F458857%2FPassword_guidance_-_simplifying_your_approach.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-53"><span class="mw-cite-backlink"><b><a href="#cite_ref-53">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://support.google.com/accounts/answer/32040?hl=en#:~:text=Meet%20password%20requirements,accented%20characters%20aren't%20supported.">"Create a Strong Password"</a>. Google Inc<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Create+a+Strong+Password&rft.pub=Google+Inc.&rft_id=https%3A%2F%2Fsupport.google.com%2Faccounts%2Fanswer%2F32040%3Fhl%3Den%23%3A~%3Atext%3DMeet%2520password%2520requirements%2Caccented%2520characters%2520aren%27t%2520supported.&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-54"><span class="mw-cite-backlink"><b><a href="#cite_ref-54">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.facebook.com/help/1573156092981768/">"Login and Password Help"</a>. FaceBook Inc<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Login+and+Password+Help&rft.pub=FaceBook+Inc&rft_id=https%3A%2F%2Fwww.facebook.com%2Fhelp%2F1573156092981768%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-55"><span class="mw-cite-backlink"><b><a href="#cite_ref-55">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://docs.microsoft.com/en-au/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903">"Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903"</a>. Microsoft. 23 May 2019<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2021</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Security+baseline+%28FINAL%29+for+Windows+10+v1903+and+Windows+Server+v1903&rft.pub=Microsoft&rft.date=2019-05-23&rft_id=https%3A%2F%2Fdocs.microsoft.com%2Fen-au%2Farchive%2Fblogs%2Fsecguide%2Fsecurity-baseline-final-for-windows-10-v1903-and-windows-server-v1903&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-LOPSA-56"><span class="mw-cite-backlink"><b><a href="#cite_ref-LOPSA_56-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20081012063918/http://lopsa.org/node/295">"In Defense of Password Expiration"</a>. League of Professional Systems Administrators. Archived from <a rel="nofollow" class="external text" href="http://lopsa.org/node/295">the original</a> on October 12, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">April 14,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=In+Defense+of+Password+Expiration&rft.pub=League+of+Professional+Systems+Administrators&rft_id=http%3A%2F%2Flopsa.org%2Fnode%2F295&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-WEB-57"><span class="mw-cite-backlink"><b><a href="#cite_ref-WEB_57-0">^</a></b></span> <span class="reference-text"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20160817223701/https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry">"The problems with forcing regular password expiry"</a>. <i>IA Matters</i>. CESG: the Information Security Arm of GCHQ. 15 April 2016. Archived from <a rel="nofollow" class="external text" href="https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry">the original</a> on 17 August 2016<span class="reference-accessdate">. Retrieved <span class="nowrap">5 Aug</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=IA+Matters&rft.atitle=The+problems+with+forcing+regular+password+expiry&rft.date=2016-04-15&rft_id=https%3A%2F%2Fwww.cesg.gov.uk%2Farticles%2Fproblems-forcing-regular-password-expiry&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-CERIAS-58"><span class="mw-cite-backlink"><b><a href="#cite_ref-CERIAS_58-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFEugene_Spafford" class="citation web cs1">Eugene Spafford. <a rel="nofollow" class="external text" href="http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/">"Security Myths and Passwords"</a>. The Center for Education and Research in Information Assurance and Security. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080411123000/http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/">Archived</a> from the original on April 11, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">April 14,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Security+Myths+and+Passwords&rft.pub=The+Center+for+Education+and+Research+in+Information+Assurance+and+Security&rft.au=Eugene+Spafford&rft_id=http%3A%2F%2Fwww.cerias.purdue.edu%2Fweblogs%2Fspaf%2Fgeneral%2Fpost-30%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-59"><span class="mw-cite-backlink"><b><a href="#cite_ref-59">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFJohannes_KieselBenno_SteinStefan_Lucks2017" class="citation conference cs1">Johannes Kiesel; Benno Stein; Stefan Lucks (2017). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20170330174637/https://www.internetsociety.org/sites/default/files/ndss2017_03A-4_Kiesel_paper.pdf">"A Large-scale Analysis of the Mnemonic Password Advice"</a> <span class="cs1-format">(PDF)</span>. <i>Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 17)</i>. Internet Society. Archived from <a rel="nofollow" class="external text" href="https://www.internetsociety.org/sites/default/files/ndss2017_03A-4_Kiesel_paper.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2017-03-30<span class="reference-accessdate">. Retrieved <span class="nowrap">2017-03-30</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=A+Large-scale+Analysis+of+the+Mnemonic+Password+Advice&rft.btitle=Proceedings+of+the+24th+Annual+Network+and+Distributed+System+Security+Symposium+%28NDSS+17%29&rft.pub=Internet+Society&rft.date=2017&rft.au=Johannes+Kiesel&rft.au=Benno+Stein&rft.au=Stefan+Lucks&rft_id=https%3A%2F%2Fwww.internetsociety.org%2Fsites%2Fdefault%2Ffiles%2Fndss2017_03A-4_Kiesel_paper.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-60"><span class="mw-cite-backlink"><b><a href="#cite_ref-60">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://uc.iupui.edu/uploadedFiles/Learning_Center_Site/Mnemonic%20Devices.pdf"><i>Mnemonic Devices</i> (Indianapolis, Ind.: Bepko Learning Ctr., University College)</a>, as accessed January 19, 2010 <a rel="nofollow" class="external text" href="https://web.archive.org/web/20100610000727/http://uc.iupui.edu/uploadedFiles/Learning_Center_Site/Mnemonic%20Devices.pdf">Archived</a> June 10, 2010, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-61"><span class="mw-cite-backlink"><b><a href="#cite_ref-61">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://changingminds.org/techniques/memory/remembering_passwords.htm">Remembering Passwords (ChangingMinds.org)</a> <a rel="nofollow" class="external text" href="http://archive.wikiwix.com/cache/20100121181700/http://changingminds.org/techniques/memory/remembering_passwords.htm">Archived</a> 2010-01-21 at Wikiwix, as accessed January 19, 2010</span> </li> <li id="cite_note-:10-62"><span class="mw-cite-backlink"><b><a href="#cite_ref-:10_62-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFCipressoGaggioliSerinoCipresso2012" class="citation journal cs1">Cipresso, P; Gaggioli, A; Serino, S; Cipresso, S; Riva, G (2012). <a rel="nofollow" class="external text" href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3846346">"How to Create Memorizable and Strong Passwords"</a>. <i>J Med Internet Res</i>. <b>14</b> (1): e10. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.2196%2Fjmir.1906">10.2196/jmir.1906</a></span>. <a href="/wiki/PMC_(identifier)" class="mw-redirect" title="PMC (identifier)">PMC</a> <span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3846346">3846346</a></span>. <a href="/wiki/PMID_(identifier)" class="mw-redirect" title="PMID (identifier)">PMID</a> <a rel="nofollow" class="external text" href="https://pubmed.ncbi.nlm.nih.gov/22233980">22233980</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=J+Med+Internet+Res&rft.atitle=How+to+Create+Memorizable+and+Strong+Passwords&rft.volume=14&rft.issue=1&rft.pages=e10&rft.date=2012&rft_id=https%3A%2F%2Fwww.ncbi.nlm.nih.gov%2Fpmc%2Farticles%2FPMC3846346%23id-name%3DPMC&rft_id=info%3Apmid%2F22233980&rft_id=info%3Adoi%2F10.2196%2Fjmir.1906&rft.aulast=Cipresso&rft.aufirst=P&rft.au=Gaggioli%2C+A&rft.au=Serino%2C+S&rft.au=Cipresso%2C+S&rft.au=Riva%2C+G&rft_id=https%3A%2F%2Fwww.ncbi.nlm.nih.gov%2Fpmc%2Farticles%2FPMC3846346&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-63"><span class="mw-cite-backlink"><b><a href="#cite_ref-63">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBrumenHeričkoRozmanHölbl2013" class="citation journal cs1">Brumen, B; Heričko, M; Rozman, I; Hölbl, M (2013). <a rel="nofollow" class="external text" href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3742392">"Security analysis and improvements to the PsychoPass method"</a>. <i>J Med Internet Res</i>. <b>15</b> (8): e161. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.2196%2Fjmir.2366">10.2196/jmir.2366</a></span>. <a href="/wiki/PMC_(identifier)" class="mw-redirect" title="PMC (identifier)">PMC</a> <span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3742392">3742392</a></span>. <a href="/wiki/PMID_(identifier)" class="mw-redirect" title="PMID (identifier)">PMID</a> <a rel="nofollow" class="external text" href="https://pubmed.ncbi.nlm.nih.gov/23942458">23942458</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=J+Med+Internet+Res&rft.atitle=Security+analysis+and+improvements+to+the+PsychoPass+method.&rft.volume=15&rft.issue=8&rft.pages=e161&rft.date=2013&rft_id=https%3A%2F%2Fwww.ncbi.nlm.nih.gov%2Fpmc%2Farticles%2FPMC3742392%23id-name%3DPMC&rft_id=info%3Apmid%2F23942458&rft_id=info%3Adoi%2F10.2196%2Fjmir.2366&rft.aulast=Brumen&rft.aufirst=B&rft.au=Heri%C4%8Dko%2C+M&rft.au=Rozman%2C+I&rft.au=H%C3%B6lbl%2C+M&rft_id=https%3A%2F%2Fwww.ncbi.nlm.nih.gov%2Fpmc%2Farticles%2FPMC3742392&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-64"><span class="mw-cite-backlink"><b><a href="#cite_ref-64">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/">"zxcvbn: realistic password strength estimation"</a>. <i>Dropbox Tech Blog</i>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20150405131234/https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/">Archived</a> from the original on 2015-04-05.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Dropbox+Tech+Blog&rft.atitle=zxcvbn%3A+realistic+password+strength+estimation&rft_id=https%3A%2F%2Fblogs.dropbox.com%2Ftech%2F2012%2F04%2Fzxcvbn-realistic-password-strength-estimation%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> <li id="cite_note-65"><span class="mw-cite-backlink"><b><a href="#cite_ref-65">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www2.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-138.html">"The Emperor's New Password Manager: Security Analysis of Web-based Password Managers | EECS at UC Berkeley"</a>. <i>www2.eecs.berkeley.edu</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2023-10-01</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www2.eecs.berkeley.edu&rft.atitle=The+Emperor%27s+New+Password+Manager%3A+Security+Analysis+of+Web-based+Password+Managers+%7C+EECS+at+UC+Berkeley&rft_id=https%3A%2F%2Fwww2.eecs.berkeley.edu%2FPubs%2FTechRpts%2F2014%2FEECS-2014-138.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3APassword+strength" class="Z3988"></span></span> </li> </ol></div></div> <p>6 Types of Password Attacks & How to Stop Them | OneLogin. (n.d.). Retrieved April 24, 2024, from <a rel="nofollow" class="external free" href="https://www.google.com/">https://www.google.com/</a> </p><p>Franchi, E., Poggi, A., & Tomaiuolo, M. (2015). Information and Password Attacks on Social Networks: An Argument for Cryptography. Journal of Information Technology Research, 8(1), 25–42. <a rel="nofollow" class="external free" href="https://doi.org/10.4018/JITR.2015010103">https://doi.org/10.4018/JITR.2015010103</a> </p> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Password_strength&action=edit&section=19" title="Edit section: External links"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a rel="nofollow" class="external text" href="https://tools.ietf.org/html/rfc4086">RFC 4086: Randomness Requirements for Security</a></li> <li><a rel="nofollow" class="external text" href="https://web.archive.org/web/20160416035311/http://www.architectingsecurity.com/2010/09/11/password-patterns/">Password Patterns:The next generation dictionary attacks</a></li></ul>    </div><noscript><img src="https://login.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://en.wikipedia.org/w/index.php?title=Password_strength&oldid=1258888312">https://en.wikipedia.org/w/index.php?title=Password_strength&oldid=1258888312</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Help:Category" title="Help:Category">Categories</a>: <ul><li><a href="/wiki/Category:Cryptography" title="Category:Cryptography">Cryptography</a></li><li><a href="/wiki/Category:Password_authentication" title="Category:Password authentication">Password authentication</a></li></ul></div><div id="mw-hidden-catlinks" class="mw-hidden-catlinks mw-hidden-cats-hidden">Hidden categories: <ul><li><a href="/wiki/Category:Webarchive_template_wayback_links" title="Category:Webarchive template wayback links">Webarchive template wayback links</a></li><li><a href="/wiki/Category:Webarchive_template_other_archives" title="Category:Webarchive template other archives">Webarchive template other archives</a></li><li><a href="/wiki/Category:Articles_with_short_description" title="Category:Articles with short description">Articles with short description</a></li><li><a href="/wiki/Category:Short_description_is_different_from_Wikidata" title="Category:Short description is different from Wikidata">Short description is different from Wikidata</a></li><li><a href="/wiki/Category:Articles_needing_cleanup_from_January_2022" title="Category:Articles needing cleanup from January 2022">Articles needing cleanup from January 2022</a></li><li><a href="/wiki/Category:All_pages_needing_cleanup" title="Category:All pages needing cleanup">All pages needing cleanup</a></li><li><a href="/wiki/Category:Articles_containing_how-to_sections" title="Category:Articles containing how-to sections">Articles containing how-to sections</a></li><li><a href="/wiki/Category:All_articles_with_unsourced_statements" title="Category:All articles with unsourced statements">All articles with unsourced statements</a></li><li><a href="/wiki/Category:Articles_with_unsourced_statements_from_June_2024" title="Category:Articles with unsourced statements from June 2024">Articles with unsourced statements from June 2024</a></li><li><a href="/wiki/Category:Articles_with_unsourced_statements_from_January_2012" title="Category:Articles with unsourced statements from January 2012">Articles with unsourced statements from January 2012</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 22 November 2024, at 05:10<span class="anonymous-show"> (UTC)</span>.</li> <li id="footer-info-copyright">Text is available under the <a href="/wiki/Wikipedia:Text_of_the_Creative_Commons_Attribution-ShareAlike_4.0_International_License" title="Wikipedia:Text of the Creative Commons Attribution-ShareAlike 4.0 International License">Creative Commons Attribution-ShareAlike 4.0 License</a>; additional terms may apply. By using this site, you agree to the <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use" class="extiw" title="foundation:Special:MyLanguage/Policy:Terms of Use">Terms of Use</a> and <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy" class="extiw" title="foundation:Special:MyLanguage/Policy:Privacy policy">Privacy Policy</a>. Wikipedia® is a registered trademark of the <a rel="nofollow" class="external text" href="https://wikimediafoundation.org/">Wikimedia Foundation, Inc.</a>, a non-profit organization.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Wikipedia:About">About Wikipedia</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Wikipedia:General_disclaimer">Disclaimers</a></li> <li id="footer-places-contact"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Universal_Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/en.wikipedia.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//en.m.wikipedia.org/w/index.php?title=Password_strength&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://wikimediafoundation.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/static/images/footer/wikimedia-button.svg" width="84" height="29" alt="Wikimedia Foundation" loading="lazy"></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/w/resources/assets/poweredby_mediawiki.svg" alt="Powered by MediaWiki" width="88" height="31" loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-f69cdc8f6-z27g8","wgBackendResponseTime":281,"wgPageParseReport":{"limitreport":{"cputime":"0.581","walltime":"0.698","ppvisitednodes":{"value":4399,"limit":1000000},"postexpandincludesize":{"value":112046,"limit":2097152},"templateargumentsize":{"value":4229,"limit":2097152},"expansiondepth":{"value":16,"limit":100},"expensivefunctioncount":{"value":9,"limit":500},"unstrip-depth":{"value":1,"limit":20},"unstrip-size":{"value":200687,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 574.926 1 -total"," 59.83% 343.966 1 Template:Reflist"," 33.12% 190.416 41 Template:Cite_web"," 11.02% 63.373 1 Template:Short_description"," 6.96% 40.009 2 Template:Pagetype"," 6.33% 36.377 1 Template:How-to"," 5.66% 32.543 1 Template:Ambox"," 5.53% 31.812 1 Template:Cite_IETF"," 3.72% 21.410 2 Template:Fix"," 3.39% 19.498 1 Template:Cn"]},"scribunto":{"limitreport-timeusage":{"value":"0.324","limit":"10.000"},"limitreport-memusage":{"value":7817725,"limit":52428800}},"cachereport":{"origin":"mw-web.codfw.main-f69cdc8f6-z58hw","timestamp":"20241122141926","ttl":2592000,"transientcontent":false}}});});</script> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Password strength","url":"https:\/\/en.wikipedia.org\/wiki\/Password_strength","sameAs":"http:\/\/www.wikidata.org\/entity\/Q1990841","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q1990841","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2006-03-20T23:07:12Z","dateModified":"2024-11-22T05:10:07Z","image":"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/0\/0f\/KeePass_random_password.png","headline":"measure of the effectiveness of a password in resisting guessing and brute-force attacks"}</script> </body> </html>