This is a scheme of how we define password strength in a strict scientific manner, without bullshit and lyrical flourishes:
1. we clarify what a guessing attack is and set aside all other types of attacks;
2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate passwords;
3. we demonstrate that password strength (in any practical sense) is a function of the attack;
4. the strength of a given password is the position of this password in the attacker's dictionary;
5. the defender's strategy is an approximation of the attack dictionary order;
6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);
7. thus, the defender's password strength is the expected value of the password strength over the given set of attacks.
You can read the implementation of this scheme in my paper, "A Canonical Password Strength Measure". It gives us a feasible, meaningful, unambiguous measure that everyone can implement.
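Items 4 to 7 of the scheme can be made concrete in a few lines. The code below is an added example written for this page, not code from the paper: the attacker dictionaries are constructed toy lists, a password the attack never tries is scored as one past the end of the list (an assumption, so that it still ranks above every tried candidate), attacks in a set are weighted uniformly unless weights are given, and the "approximate order" of item 5 is modelled as tiers whose internal order the defender does not know (one possible shape of an approximate order, chosen here for illustration). The tiered case is computed both by enumerating every concrete attack consistent with the tiers and in closed form, and the two agree.

```python
from fractions import Fraction
from itertools import permutations, product

# Constructed toy attacker dictionaries: two guessing attacks that try the
# same candidates in different orders (item 2 of the scheme).
ATTACK_A = ["123456", "password", "qwerty", "letmein", "dragon", "P@ssw0rd"]
ATTACK_B = ["password", "P@ssw0rd", "123456", "dragon", "qwerty", "letmein"]

# Constructed approximate order: the defender knows tier i is exhausted
# before tier i+1, but not the order of candidates inside a tier.
TIERS = [["123456", "password"], ["qwerty", "letmein", "dragon"], ["P@ssw0rd"]]


def strength_under_attack(password, order):
    """Item 4: strength is the 1-based position of the password in this
    attack's candidate order. Assumption for a password the attack never
    tries: score it len(order) + 1, i.e. after every tried candidate."""
    try:
        return order.index(password) + 1
    except ValueError:
        return len(order) + 1


def expected_strength(password, attacks, weights=None):
    """Item 7: the defender's strength is the expected position over a set
    of attacks. Weights default to uniform; Fractions keep the result exact."""
    if weights is None:
        weights = [Fraction(1, len(attacks))] * len(attacks)
    return sum(w * strength_under_attack(password, a) for w, a in zip(weights, attacks))


def tiered_order_linearizations(tiers):
    """Item 6: an approximate (tiered) order is equivalent to the set of all
    total orders consistent with it; each total order is one concrete attack."""
    for tier_perms in product(*(permutations(t) for t in tiers)):
        yield [candidate for tier in tier_perms for candidate in tier]


def expected_strength_tiered(password, tiers):
    """Closed form for the uniform expectation over all linearizations of
    the tiered order: every earlier tier is tried first, and within its own
    tier the password lands at each position equally often, so the expected
    position is offset + (tier size + 1) / 2."""
    offset = 0
    for tier in tiers:
        if password in tier:
            return offset + Fraction(len(tier) + 1, 2)
        offset += len(tier)
    return offset + 1  # never tried: one past the last candidate (assumption)


if __name__ == "__main__":
    for pw in ["qwerty", "letmein", "hunter2"]:
        print(pw, "A:", strength_under_attack(pw, ATTACK_A),
              "B:", strength_under_attack(pw, ATTACK_B),
              "expected over {A,B}:", expected_strength(pw, [ATTACK_A, ATTACK_B]))
    attacks = list(tiered_order_linearizations(TIERS))
    print("tiered order expands to", len(attacks), "concrete attacks")
    print("letmein, enumerated:", expected_strength("letmein", attacks),
          "closed form:", expected_strength_tiered("letmein", TIERS))
```

The enumeration is only feasible for tiny tiers (the number of concrete attacks is the product of the tier factorials), which is exactly why the closed form matters: the defender never needs to materialise the attack set, only to know how the candidate set is partitioned.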
It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is computed over an ASSUMED set of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.
In contrast to my work, the «password strength» discourse is extraordinarily rich in bullshit. Take a look at this masterpiece. It is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially, the quoted paragraph reads:
Password strength is a function of something unknown to us.
It is time for us to do some trivial maths and terminate the «password strength» nonsense.