Here you get a comprehensive overview of password theory. If you only want to get a feeling for the security of your own password, use the dialog Password Quality Meter.
The importance of passwords
Passwords are important for all IT systems that offer interfaces for user access. In particular, this includes PCs in the private and commercial sector as well as services like e-mail or online banking. In these cases the log-on is usually done by entering a user name and the corresponding password.
The IT system can only judge from the entered data whether the access is legitimate or not. Consequently, if an unauthorized person acquires a valid combination of user name and password, he can log on to the IT system in an apparently legitimate way, eavesdrop, or manipulate data in a harmful way.
For this reason, the security of passwords is a fundamental principle of the security of IT systems.
The security of passwords
Essentially, two factors need to be kept in mind in order to maintain the security of passwords:
a) First of all, a secure password should be chosen. A secure password is one that cannot easily be guessed. Thus, words from dictionaries never make good passwords. Many other words are not good passwords either, for example common names, variations of the respective user name, or other simple passwords. With the help of certain programs these passwords can be guessed within seconds.
The dialog Password Quality Meter can give you an indication of the security of your password.
b) The secure storage of passwords also plays a big role in password security. On the one hand, this means one should never write passwords down, in order to prevent unauthorized access. On the other hand, this includes technical measures like hash functions or PKCS#5 when passwords are transmitted over public networks or stored in password files.
Password length, password space and password entropy
If you factor out inappropriate handling and storage of passwords, then the security of a password depends on the length of the password, the size of the password space and the entropy of the password.
The length of a password has a huge influence on its security. Short passwords can easily be guessed, so a short password is a bad password. The longer a password, the better.
That password length is a very important aspect of password security is stressed in an article by Roger A. Grimes on password cracking (2007). Basically, Grimes claims that, for the security of passwords, length is much more important than complexity because real complexity is hard to accomplish.
The size of the password space is the number of passwords that can be formed from all available characters (the alphabet). Assume you have an alphabet of 52 letters (upper- and lowercase) as well as ten digits; then, for a password length of eight characters, the password space consists of 62^8, that is around 200 trillion passwords. If you increase the alphabet by 10 more characters (for example special characters), the password space grows to more than three times its size. The bigger the password space, the better.
According to an article in the magazine PC-WELT (issue 08/2007), an up-to-date computer can guess around 25 million passwords per second. Imagine the password space consists of roughly 2 billion passwords (which is the case for a password length of only six characters and an alphabet consisting of lower-case letters and ten digits). In such a scenario it would take less than 90 seconds to search through the complete password space.
For comparison: if you have a password space of around 200 trillion passwords (see above), a complete search through the password space would already take more than 100 days. Such a password space should actually be considered big enough, especially if you change your password on a regular basis, for example every three months (this is enforced in bigger companies). But keep in mind that attacks against passwords can be parallelized, and certain institutions (intelligence agencies) have far more computational power than the average computer user.
The password entropy indicates how "randomly" a password is chosen from the given password space. Based on certain statistical assumptions, the entropy of a password can be determined exactly.
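To make the figures in this section concrete, here is an added example (not part of the original help text) that computes the password space, the entropy of a uniformly random choice from that space, and the exhaustive-search time at the 25 million guesses per second quoted above. The character-class heuristic `estimate_alphabet` is an assumption of this example, not the method used by the Password Quality Meter.

```python
import math

# Guess rate quoted in the text (PC-WELT 08/2007); adjust for other hardware.
GUESSES_PER_SECOND = 25_000_000


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits, assuming every password in the space is equally likely
    (i.e. the password was chosen uniformly at random)."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space at `rate` guesses/second."""
    return password_space(alphabet_size, length) / rate


def estimate_alphabet(password: str) -> int:
    """Estimate the alphabet an attacker must cover from the character classes present.
    Constructed heuristic for this example: 26 lower, 26 upper, 10 digits, and the
    text's example of 10 special characters."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 10
    return size


if __name__ == "__main__":
    # The three scenarios discussed in the text.
    for name, a, n in [("6 chars, lower-case + digits", 36, 6),
                       ("8 chars, upper + lower + digits", 62, 8),
                       ("8 chars, plus 10 special chars", 72, 8)]:
        secs = exhaustive_search_seconds(a, n)
        print(f"{name}: space={password_space(a, n):,} "
              f"entropy={entropy_bits(a, n):.1f} bits "
              f"search={secs:,.0f} s ({secs / 86400:.1f} days)")
```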