I have a somewhat basic understanding of how entropy relates to password strength – generating a password with a truly random selection from some set (whether that’s characters, or a set of dictionary words, or whatever else) gives increasing entropy as either the size of the set and/or the number of selections increases.
But in some cases, simply generating a password with a certain entropy doesn’t result in a password that’s strong ‘in the real world’. For example, let’s say I want to randomly generate a password that’s 8 characters long. I take a truly random selection from the set of all uppercase and lowercase letters, numbers, and special characters, and the result I get is:
That’s just as likely as any other output from a random selection, and assuming a valid generation it has the same entropy as something like ‘@gm%Kj$9’. Despite that, it’s clearly not suitable for use as a password, as any even remotely competent malicious actor would be into the system almost immediately. Chances are a random person would pass that check on literally their first try.
It’s clear that entropy alone can’t necessarily be relied on for a strong password. My question, then, is how the random chance of generating common password strings within a longer password impacts the strength of that password against real-world attacks, using whatever techniques password crackers might commonly employ – or if it has any impact at all.
Let’s say I realise that an 8 character password isn’t that strong, and decide instead to generate a 16 character password using the same truly random generator with the same set. I have four systems I need to protect, so I generate four passwords (that will all be used, I’m not going to select from them again afterwards manually as that would influence the entropy). The four passwords I get are:
al#k2j$9gjKDm5%l
*g3RpasswordnG&4
password%G@fDnBv
Nf!hFm$xpassword
All four of these have the same entropy and are just as likely as the others to be returned from a truly random generator – however, three of them include the sequence ‘password’, which on its own would be incredibly vulnerable. One has that sequence in the middle, one has it at the start, and one has it at the end.
Are any of these passwords more vulnerable to real-world attacks than the others, despite having the same entropy?
Note: I’ve looked at this similar question, however I think this is a slightly different case as we’re not ‘adding’ a common password to the end of our randomly generated one.
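The arithmetic behind the question, as an added worked example that is not part of the original post: it computes the entropy of a uniformly generated password over the 94-symbol alphabet of letters, digits and `string.punctuation` (an assumption; the post does not fix the exact special-character set), the probability that such a password happens to contain a fixed 8-symbol string like ‘password’, the search space that remains if a guesser assumes that structure, and the entropy cost of simply rejecting generator outputs that contain any string from a constructed blacklist. Function names and the blacklist are hypothetical.

```python
import math
import secrets
import string

# Constructed alphabet: the post's "uppercase and lowercase letters, numbers,
# and special characters". With string.punctuation this is 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
BLACKLIST = ("password",)  # constructed example of strings a generator should reject


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of `length` independent uniform picks from the alphabet."""
    return length * math.log2(alphabet_size)


def prob_contains_substring(length, sub_len, alphabet_size=len(ALPHABET)):
    """Union-bound probability that a uniformly random password of `length`
    symbols contains one fixed `sub_len`-symbol string somewhere: there are
    (length - sub_len + 1) start positions, each matching with probability
    alphabet_size ** -sub_len."""
    positions = length - sub_len + 1
    return positions * alphabet_size ** (-sub_len)


def structured_search_bits(length, sub_len, alphabet_size=len(ALPHABET)):
    """Bits of search space left for a guesser who already assumes the
    password is one fixed `sub_len`-symbol word plus (length - sub_len)
    uniform symbols, with the word at any of the possible positions. This is
    the residual strength of the unlucky passwords in the post, conditional
    on that assumption being made."""
    positions = length - sub_len + 1
    return math.log2(positions * alphabet_size ** (length - sub_len))


def rejection_entropy_loss_bits(length, sub_len, n_words, alphabet_size=len(ALPHABET)):
    """Entropy given up by discarding every output that contains any of
    `n_words` blacklisted strings of `sub_len` symbols: -log2 of the fraction
    of outputs kept. The union bound makes this an upper bound on the loss."""
    rejected = n_words * prob_contains_substring(length, sub_len, alphabet_size)
    return -math.log2(1 - rejected)


def generate(length, blacklist=BLACKLIST, alphabet=ALPHABET, rng=secrets.choice):
    """Rejection sampling: draw a uniform password, redraw if any blacklisted
    string appears (case-insensitively). Returns (password, number_of_draws).
    `rng` is a function mapping the alphabet to one chosen symbol; it is a
    parameter so the rejection path can be exercised deterministically."""
    draws = 0
    while True:
        draws += 1
        pw = "".join(rng(alphabet) for _ in range(length))
        if not any(word in pw.lower() for word in blacklist):
            return pw, draws


if __name__ == "__main__":
    print(f"alphabet size          : {len(ALPHABET)}")
    print(f"entropy, 8 symbols     : {entropy_bits(8):.1f} bits")
    print(f"entropy, 16 symbols    : {entropy_bits(16):.1f} bits")
    print(f"P(16-symbol pw contains a fixed 8-symbol word): "
          f"{prob_contains_substring(16, 8):.2e}")
    print(f"search space if that structure is assumed      : "
          f"{structured_search_bits(16, 8):.1f} bits")
    print(f"entropy lost by rejecting 10,000 such words    : "
          f"{rejection_entropy_loss_bits(16, 8, 10_000):.2e} bits")
    pw, draws = generate(16)
    print(f"sample password: {pw} (accepted after {draws} draw(s))")
```

The numbers make the post's point concrete: a 16-symbol password over this alphabet carries about 105 bits, but a specific one that happens to contain ‘password’ is worth only about 56 bits against a guesser who assumes a word-plus-8-random-symbols layout at any position. Because the chance of such an output is on the order of 10^-15 per blacklisted word, rejecting any output that contains a blacklisted string removes that weak tail at an entropy cost far below one bit, which is why a generator can afford to do it.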