Under the perspective of information theory, the present work performs an analysis of some methods used to create passwords in order to harden the defense against brute force attacks. Zipf's law is ubiquitous in natural languages and therefore it implies an entropy reduction when any language is used to create a password. Many companies impose a length restriction on passwords. Also, we do not want to create long passwords (that would take longer time to type), nor we want passwords that are hard to remember. On those terms, the best approach to create a password (the best tradeoff between creating a strong and an easy to memorize and use password) is the acronym approach, selecting the first character of each word in a sentence and combining them to form a gibberish string. Using this approach we are able to increase in 80% the entropy per character.
Keywords:
passwords; Zipf's law; security; entropy