How many bits of information are in a password?
The number of bits of information in a password is a function of the size of the alphabet that the password is drawn from and how many characters long it is. The formula is:
nbits = ceil(log2(len(alphabet)) * nchars)
So what does that mean? Let's take the case of 8-character Unix passwords and make a table:
alphabet                                         total bits  bits per character
lower case ASCII                                 38          4.7
lower case plus digits                           42          5.2
upper and lower case ASCII                       46          5.7
letters plus digits                              48          5.95
letters, digits, and all punctuation characters  53          6.55
(The version of 'all punctuation' I'm using is Python's, and has 32 characters.)
As we can see, conventional Unix passwords are not all that strong. Nor does lengthening them help a lot; even under the most generous assumption, you need 20 characters to get a 128-bit password.
The same result can be applied to passphrases for SSH keys and the like. If your passphrase is lower case plus spaces, you have about 4.75 bits of information per character and you need 27 characters to get 128 bits.
(The number of bits of information in a password is how many bits of randomness it has and thus how many random bits you need to generate as strong a random password as you can get, and an indicator of how strong a cryptographic key it is.)
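As an added example (not code from the original post), the following Python reproduces the table and the length figures above, then draws a random password of a target strength with the `secrets` module. The function and dictionary names are this example's own, and the bit counts assume every character is chosen uniformly and independently at random.

```python
import math
import secrets
import string

# Alphabets from the table above; the dictionary itself is this example's own.
ALPHABETS = {
    "lower case ASCII": string.ascii_lowercase,
    "lower case plus digits": string.ascii_lowercase + string.digits,
    "upper and lower case ASCII": string.ascii_letters,
    "letters plus digits": string.ascii_letters + string.digits,
    "letters, digits, and all punctuation characters":
        string.ascii_letters + string.digits + string.punctuation,
}

def bits_per_char(alphabet):
    """log2 of the number of distinct symbols (duplicates add nothing)."""
    size = len(set(alphabet))
    if size < 2:
        raise ValueError("alphabet needs at least two distinct characters")
    return math.log2(size)

def password_bits(alphabet, nchars):
    """The page's formula: ceil(log2(len(alphabet)) * nchars)."""
    return math.ceil(bits_per_char(alphabet) * nchars)

def chars_needed(alphabet, target_bits):
    """Smallest length whose information content reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet))

def random_password(alphabet, target_bits):
    """Pick each character uniformly with the OS CSPRNG, so the
    computed bit count is the password's real strength."""
    symbols = sorted(set(alphabet))
    length = chars_needed(alphabet, target_bits)
    return "".join(secrets.choice(symbols) for _ in range(length))

def table(nchars=8):
    """Map alphabet name -> (total bits, bits per character)."""
    return {name: (password_bits(a, nchars), round(bits_per_char(a), 2))
            for name, a in ALPHABETS.items()}

if __name__ == "__main__":
    for name, (total, per_char) in table().items():
        print(f"{name:50} {total:3} {per_char:5.2f}")
    print(random_password(ALPHABETS["letters plus digits"], 128))
```

A password that a person picks, rather than one drawn this way, has fewer bits than the formula gives for its length and alphabet.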