Comparing the strength of different password policies
(Last updated on February 7, 2017)
This article dives deep into the math that is hidden behind the Relative Password Policy Strength in Specops Password Auditor. Bring your combinatorics book and strap in for a math lesson.
Relative Password Policy Strength
The password policy strength is in essence a measurement of: How many possible combinations are there of a password using the weakest possible structure that the policy allows.
The measurement is purely mathematical, it does not take into consideration how users usually structure their passwords. But it gives an indication of how, relatively speaking, easy or hard it would be to crack a password with a simplistic brute force attack.
The following data is used in the calculation: minimum password length and complexity settings. Complexity settings are broken down into:
- The set of available character groups
- The number of required character groups
The following character groups exist:
- Lower case letters (set size 26)
- Upper case letters (set size 26)
- Digits (set size 10)
- Special characters (set size 40)
- Unicode characters (set size 95156)
Calculating the number of possible combinations
Let’s use the following password policy requirements as an example:
- Minimum length 6
- At least 2 of the following
The weakest possible password (that is, the password structure with the fewest possible combinations) would consist of:
- 1 lower case letter
- 5 digits
The reason 5 digits are used is because that character group has the smallest set size, thus resulting in the smallest number of total combinations.
The actual characters of such a password could be any combination from the corresponding character group sets. The order of the six characters could also be any possible combination. The total number of those combinations is what we need to calculate. In the above example we have two character group sets, lower case and digits. They have the set sizes 26 and 10. Let’s call the number 1 and 5 pick sizes. We can now generalize some notations from this:
s1, s2 ,…, sn are the required set sizes. 26 and 10 in the example
p1, p2, …, pn are the corresponding pick sizes. 1 and 5 in the example.
With these notations we can describe (a simplified) version of the formula that calculates the number of possible combinations:
Getting the relative strength value
In order to represent the number of combinations as a relative strength score, two things are needed.
- A max value
- Changing the scale
The max value
The max value is simply the above calculation using a “strong” password policy. The configuration for this policy is obviously a bit arbitrary, in Specops Password Auditor, the following is used:
- Minimum Length= 16
- At least one of each of the following
- Special character
So, any policy with as strong, or stronger settings will be displayed as having “max” strength.
The last thing we need to make the relative strength score useful is to use a logarithmic scale instead of a normal linear scale. The reason for this is the exponential nature of the combinatorics used for calculating the number of possible passwords. A change in the requirements can increase the number of combinations in an exponential way and it is difficult, or near useless, to display values in a linear scale where one value could be thousands or a million times larger than another.
So, the logarithmic scale means that a relative score that is ten percent larger than another actually means that it is an order of magnitude larger.