### The mathematics of password complexity

A popular starting point for password guessing is always passwords that are known from previous data leaks. As an example, people often refer to rockyou.txt: a list of 14 million passwords revealed in the RockYou data breach in 2009.

If your password is somewhere on this list, even at 1000 attempts per second, it will take at most 14,000 seconds (less than 4 hours) to find your password. That's not exactly a long time, and it already assumes that the provider of your password manager has done its homework.

Since we are talking about computers here, the "right" way to express large numbers is as powers of two. A password on the RockYou list thus has less than 24 bits of entropy, which means it will be found with certainty after at most 2^24 (16,777,216) attempts. Each bit of entropy (or information density) added to the password doubles the guessing time.

Obviously, the RockYou passwords are too simple. Many of them would not even be accepted by a modern password manager as the main password. How about a line from a song? Shouldn't this already be difficult to guess because of its length?

Someone has calculated (and probably overestimated) the number of song phrases available to be 15 billion, so we are talking about 34 bits of entropy at most. This would increase the time to guess the password to half a year.

Not bad, one might think. Who would take half a year to figure out my password? But the song line you choose will not be at the end of the list, if only because you don't know all 30 million songs that exist. Ultimately, there are only a few thousand songs you would reasonably choose from, and your date of birth can help narrow it down further. Each song has only a few dozen phrases you can choose from. If you're lucky, you'll get 20 bits of entropy this way: about 1 million tries, or 17 minutes at 1000 tries per second, to guess the password.
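The arithmetic behind the figures above, as an added example (not part of the original article): entropy is the base-2 logarithm of the number of candidates, worst-case guessing time is that count divided by the attacker's guessing rate, and, going slightly beyond the text, the entropy of independent choices (a song, then a line from it) simply adds because the candidate counts multiply. The pool sizes for "a few thousand songs" and "a few dozen lines" are constructed placeholders, and the 1000 guesses per second is the rate the article assumes.

```python
import math

# Guessing rate assumed by the article: 1000 attempts per second, i.e. a
# password manager whose key derivation has been deliberately slowed down.
GUESSES_PER_SECOND = 1000


def entropy_bits(candidates: int) -> float:
    """Entropy in bits of a secret picked uniformly from `candidates` values."""
    return math.log2(candidates)


def combined_bits(*pool_sizes: int) -> float:
    """Entropy of several independent choices: the pools multiply, so bits add."""
    return sum(math.log2(n) for n in pool_sizes)


def worst_case_seconds(candidates: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds until the whole candidate list has been tried at `rate` guesses/s."""
    return candidates / rate


def seconds_for_bits(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds for a secret with `bits` bits of entropy."""
    return worst_case_seconds(2 ** bits, rate)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # The article's three cases, all at 1000 guesses per second.
    cases = {
        "rockyou.txt (14 million entries)": 14_000_000,
        "every known song line (15 billion, overestimate)": 15_000_000_000,
        # Constructed pool sizes: a few thousand songs x a few dozen lines each.
        "songs you actually know (4000 songs x 32 lines)": 4000 * 32,
    }
    for label, n in cases.items():
        print(f"{label}: {entropy_bits(n):.1f} bits, "
              f"worst case {human(worst_case_seconds(n))}")

    # Each extra bit doubles the guessing time.
    for bits in (20, 21, 22):
        print(f"{bits} bits -> {human(seconds_for_bits(bits))}")
```

Running it reproduces the article's numbers: the RockYou list is under 24 bits and falls in about four hours, 15 billion song lines are about 34 bits and half a year, and a realistic pool of songs you know lands near 17 bits and a quarter of an hour.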