
How to calculate password strength?

I'm using a certain electronic currency and they use pass phrases as passwords. Basically every password is 12 English words long. How can I calculate how secure this is? I don't know much about these things, but 12 words seem rather feasible with a dictionary attack (at least in my mind).

Naturally I'm worried how secure this is so instead of just asking if it is, I'd like to know methods on calculating it myself (you can spoil the answer, of course).

Any advice, links, literature recommendations, etc are welcome!

PS: How long would it take for an average computer to get a valid pass phrase with the details I gave above? I need to know if I have to keep making new accounts regularly to transfer funds to if it really doesn't take that much effort. I'd also appreciate any information on how to calculate that as well, but it is not the main issue here. Thanks again!

Puffi asked Dec 26 '22 01:12


1 Answer

It's all a question of entropy. How many different symbols are there to test?

Traditionally, passwords are a string of characters. Symbols are then characters. If you use lower case letters only, a-z is a range of 26 possible letters. With upper case and numbers, you get 62 symbols. With all special symbols that are in the ASCII set (so without fancy encodings) you get over 90 possible symbols already. In your case, a symbol is a word.

From this question on Oxford dictionaries’ website I would gather there are 115000 words that you could expect (without obsolete and derivatives).

To compute the number of combinations, you have to realize that for each possible symbol at a given position, you have the choice of every possible character at another position. With strings of characters, if your password starts with a $, you still have any character for the other positions. This means that we have to multiply the number of possible symbols for each symbol position. Thus with 2 characters that have s possible symbols, you have s*s possibilities. In general, you would have for c characters s^c possibilities for a password.

Note that this means that in the case of dictionary words, you put random words instead of making sentences!

In your case, there are 115000^12 possibilities, which is about 5.3 × 10^60. So a huge lot.

The time to brute-force a password is then given by how much time t it takes to test a password, and the number of attempts, in your case t × 2.65 × 10^60 if you enumerate all combinations in a random order, and t × 5.3 × 10^60 if you try word combinations completely at random.

Cimbali answered Dec 28 '22 09:12
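The arithmetic in the answer above, carried through as an added example (this is not code from the asker or the answerer): it computes the keyspace s^c and its entropy in bits for the 12-word phrase, compares it against character passwords from the 26, 62 and ASCII symbol sets, estimates brute-force time, and shows how a phrase should be generated so that the s^c model actually holds. Assumptions not in the original: 95 printable ASCII characters stands in for the answer's "over 90", the attacker rate of 10^9 guesses per second is an illustrative figure, and the tiny word list is constructed so the script runs offline.

```python
import math
import secrets

# Symbol-set sizes as quoted in the answer above.
LOWERCASE = 26            # a-z
ALPHANUMERIC = 62         # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95      # assumption: all printable ASCII (the answer's "over 90")
OXFORD_WORDS = 115_000    # dictionary size quoted in the answer
PHRASE_WORDS = 12         # pass phrase length from the question

# Constructed toy word list, only so generate_passphrase() runs offline.
# A real list would have on the order of 115000 entries.
SAMPLE_WORDLIST = [
    "anchor", "basket", "copper", "dragon", "engine", "falcon", "garden",
    "hammer", "island", "jigsaw", "kernel", "lantern", "meadow", "needle",
    "orbit", "pepper", "quartz", "rocket", "saddle", "timber", "velvet",
]


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords: s^c, every position chosen independently."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace, the usual way to state password strength."""
    return length * math.log2(symbols)


def expected_guesses(symbols: int, length: int) -> int:
    """An exhaustive search finds the password after half the keyspace on average."""
    return keyspace(symbols, length) // 2


def seconds_to_crack(symbols: int, length: int, guesses_per_second: float) -> float:
    """Expected time for an attacker testing guesses_per_second candidates."""
    return expected_guesses(symbols, length) / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def equivalent_length(target_bits: float, symbols: int) -> int:
    """Shortest string over `symbols` whose entropy is at least target_bits."""
    return math.ceil(target_bits / math.log2(symbols))


def generate_passphrase(wordlist, n_words: int = PHRASE_WORDS) -> list:
    """Pick words uniformly and independently (with replacement) from a CSPRNG.

    Independent uniform choice is exactly what makes the s^c count apply;
    a sentence or a hand-picked phrase has far less entropy than s^c suggests.
    """
    return [secrets.choice(wordlist) for _ in range(n_words)]


def strength_report(guesses_per_second: float = 1e9) -> dict:
    """Compare the 12-word phrase against character passwords of equal strength."""
    bits = entropy_bits(OXFORD_WORDS, PHRASE_WORDS)
    secs = seconds_to_crack(OXFORD_WORDS, PHRASE_WORDS, guesses_per_second)
    return {
        "phrase_bits": bits,
        "phrase_keyspace": keyspace(OXFORD_WORDS, PHRASE_WORDS),
        "phrase_years_to_crack": seconds_to_years(secs),
        "equivalent_lowercase_chars": equivalent_length(bits, LOWERCASE),
        "equivalent_alphanumeric_chars": equivalent_length(bits, ALPHANUMERIC),
        "equivalent_ascii_chars": equivalent_length(bits, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    for key, value in strength_report().items():
        shown = f"{value:.3g}" if isinstance(value, float) else str(value)
        print(f"{key:32s} {shown}")
    print("sample phrase:", " ".join(generate_passphrase(SAMPLE_WORDLIST)))
```

The report puts the 12-word phrase at roughly 202 bits, which is more than a 34-character random alphanumeric password; the answer's point that the words must be chosen at random, not as a sentence, is what `generate_passphrase` enforces by drawing each word independently with `secrets.choice`.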