Our Business Phone Plans offer administrators and phone system users a number of web portals where they can log into their accounts. In order to keep their accounts secure, it’s essential that their logins have a high password strength.
When creating a set of login credentials, you can improve your password strength by increasing the length of the password or by using a more complex character set. Or you can improve both.
A few examples here will explain password security best practices and show you how to easily create a strong password — part of our commitment to security here at VirtualPBX.
Entropy in Character Sets
Entropy is the key factor in determining password strength. In short, entropy is the level of uncertainty in a system. Increased password entropy equates to increased uncertainty to an outside observer about what the password actually is.
In general, you will create a stronger password by increasing its entropy. Increasing the number of unique characters available for the password to use will increase its entropy. Consider these examples:
- The set of numerals 0-9 contains 10 total characters, which is only 3.3 bits of entropy per symbol
- The set of all alphanumeric characters 0-9, a-z, and A-Z contains 62 symbols, resulting in 5.9 bits of entropy per symbol
The alphanumeric character set gives you more entropy per symbol than the set of numerals because there are more characters to choose from.
Password Length in Action
Entropy in a set of characters isn’t the only factor that goes into password strength. Your password should also be significantly long.
The equation for determining the number of possible passwords from a set of characters is straightforward. You raise the number of characters used (N) to the length of the password (L), like so:
N^L
A practical example is a 4-digit PIN. It would have a character set (N) of 10 and a length (L) of 4.
10^4 = 10,000 possible passwords
Increasing that character set to all the alphanumeric characters would result in a much higher number of possibilities:
62^4 = 14,776,336 possible passwords
A subsequent increase in password length would result in further gains:
62^6 = 56,800,235,584 possible passwords
How Much Password Complexity is Enough?
This is a difficult question to answer because there are a number of factors at play. You would probably want a stronger password for protecting a company’s intellectual property than you would for your online Tetris account.
The range provided in this 1Password blog suggests that a password of 42 bits is strong but not uncrackable by a reasonable attacker and that a password of 71 bits is going to be difficult to crack by organizations with virtually unlimited resources.
To put that in perspective, consider that our 62^6 password shown in the previous section has only 35 bits of entropy. Keeping the same character set and increasing the length of that password bumps it up a little with each step:
- Length of 7: 41 bits of entropy
- Length of 8: 47 bits of entropy
- Length of 9: 53 bits of entropy
- Length of 10: 59 bits of entropy
- Length of 11: 65 bits of entropy
- Length of 12: 71 bits of entropy
Your password would have to become long, and possibly difficult to remember, to reach a level of security that would stand against a powerful attack.
The Easy Way to Password Strength
Possibly the easiest method of creating strong passwords that are also easy to remember and access is to use the Diceware method and a password manager.
Diceware
Using this method, you roll five dice at once to create a unique number. Then you look up your number in the complete Diceware word list or an alternative list on the Diceware homepage.
Reading from left to right in your roll, you might end up with a number like 63613. That number corresponds with the word “weep” in the word list. After doing this five times, you might create the password “weep karma zurich lab off” (always create your own, dice-generated password).
At first glance, this method doesn’t seem to be random or easy to remember. However, the security of a five-word Diceware phrase averages about 65 bits. With a bit of practice, it’s simple to recall a random collection of words that you can then use with a password manager that creates new passwords for all your logins.
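As an added example that is not part of the original post, the Python below works through the arithmetic from the password-length and Diceware sections: N^L possibilities, L · log2(N) bits of entropy, and the mapping from a five-dice roll such as 63613 to a word-list index. The word list here is a constructed placeholder of 7776 entries standing in for a real Diceware list.

```python
import math
import secrets

# Character-set sizes discussed in the post.
NUMERALS = 10              # 0-9
ALPHANUMERIC = 62          # 0-9, a-z, A-Z
DICEWARE_WORDS = 6 ** 5    # 7776 words, one per five-dice roll


def possible_passwords(n: int, length: int) -> int:
    """Number of distinct passwords: N raised to the power L."""
    return n ** length


def entropy_bits(n: int, length: int) -> float:
    """Entropy of a uniformly random password of L symbols from N: L * log2(N)."""
    return length * math.log2(n)


def diceware_roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '63613' to a 0-based word-list index.

    Each die is one base-6 digit (1-6), so the roll read left to right is a
    base-6 number covering exactly 6**5 = 7776 list entries.
    """
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError("a Diceware roll is five digits, each 1-6")
    index = 0
    for d in roll:
        index = index * 6 + (int(d) - 1)
    return index


def diceware_passphrase(words: list[str], count: int = 5) -> str:
    """Pick `count` words using the OS CSPRNG to simulate the dice.

    `words` must have 7776 entries so every roll maps to a word.
    """
    rng = secrets.SystemRandom()
    rolls = ["".join(str(rng.randint(1, 6)) for _ in range(5)) for _ in range(count)]
    return " ".join(words[diceware_roll_to_index(r)] for r in rolls)


if __name__ == "__main__":
    print(f"{possible_passwords(NUMERALS, 4):,} four-digit PINs")
    print(f"{possible_passwords(ALPHANUMERIC, 6):,} six-character alphanumerics")
    for length in range(6, 13):
        print(f"alphanumeric length {length}: {entropy_bits(ALPHANUMERIC, length):.1f} bits")
    print(f"five Diceware words: {entropy_bits(DICEWARE_WORDS, 5):.1f} bits")
    placeholder_list = [f"word{i}" for i in range(DICEWARE_WORDS)]  # constructed stand-in
    print(diceware_passphrase(placeholder_list))
```

The bit counts in the post are the whole-number parts of these values, which is why a six-word phrase lands at about 77 bits and a five-word one at about 65.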
Password Managers
There are many programs available that will create new passwords for you. You can use your Diceware login to access the password manager; then the manager will create additional secure passwords you can quickly access when logging into a website or your VirtualPBX account.
1Password, referenced earlier, will run on multiple devices and sync passwords between devices. LastPass is another popular option.
This detailed list on Wikipedia categorizes a range of software you can use on your computer and phone.
Keep in mind that, no matter the software you choose, your password collection is only as safe as the password you use to access that collection. A Diceware passphrase of five or six words should be sufficient as a login for your password manager of choice.
Talk To Us About Password Strength
At VirtualPBX, we’re serious about security and are happy to help you establish the security of your login to our services.
Start a chat today with our security professionals for any assistance you need and review these common password misconceptions. We’re happy to talk to you.