For Security & Risk Professionals

Breaking Down Entropy And Passwords

Understanding The Fundamentals Of Effective Password Policies

October 11, 2011


Why Read This Report

Protecting access to information technology assets with passwords is as old as the concept of IT security itself, and passwords remain a popular means of authentication today. Each service guarded by user passwords has a password policy that determines how well those passwords resist brute-force attacks. Establishing the right password policy for your organization requires you to understand your risk profile as well as the fundamental information-theoretic concepts that determine password strength. This report breaks down these concepts in the framework of the National Institute of Standards and Technology's (NIST's) authentication levels. Information security professionals can adapt the fundamentals to their policy work to determine the appropriate password length and fail-retry limit for the risk they are facing.
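The two policy knobs the abstract names, password length and fail-retry limit, are tied together by entropy: a password drawn uniformly from an alphabet of N symbols with length L carries L * log2(N) bits, and an online attacker limited to k guesses succeeds with probability at most k / N^L. The following Python is an added illustration written for this summary, not code from the report or from NIST; the alphabet sizes, retry limits and target probabilities are constructed inputs, and the uniform-choice assumption is an upper bound (human-chosen passwords have less entropy than this formula credits).

```python
import math


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password chosen uniformly at random from
    `alphabet_size` symbols with `length` characters (upper bound for
    human-chosen passwords)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def online_guess_success_probability(alphabet_size: int, length: int,
                                     retry_limit: int) -> float:
    """Worst-case chance that an attacker who is allowed `retry_limit`
    guesses (the fail-retry budget) hits a uniformly chosen password.
    Integer arithmetic keeps the ratio exact for large keyspaces."""
    keyspace = alphabet_size ** length
    return min(1.0, retry_limit / keyspace)


def min_length_for_policy(alphabet_size: int, retry_limit: int,
                          max_success_probability: float) -> int:
    """Smallest password length such that an attacker with `retry_limit`
    guesses succeeds with probability <= `max_success_probability`.
    Uses an exact integer comparison rather than dividing logarithms, so
    boundary cases are not lost to floating-point rounding."""
    length = 1
    # keyspace must satisfy retry_limit / N^L <= p  <=>  retry_limit <= p * N^L
    while retry_limit > max_success_probability * alphabet_size ** length:
        length += 1
    return length


def evaluate_policy(alphabet_size: int, length: int, retry_limit: int,
                    max_success_probability: float) -> dict:
    """Summarise a candidate policy so the defender can compare options:
    entropy, worst-case online guessing success, and whether the pair of
    (length, retry limit) meets the chosen risk target."""
    p = online_guess_success_probability(alphabet_size, length, retry_limit)
    return {
        "entropy_bits": round(password_entropy_bits(alphabet_size, length), 2),
        "success_probability": p,
        "meets_target": p <= max_success_probability,
        "min_length_for_target": min_length_for_policy(
            alphabet_size, retry_limit, max_success_probability),
    }


if __name__ == "__main__":
    # Constructed example: 8-character passwords over [a-zA-Z0-9] (62 symbols),
    # a lockout after 100 failed attempts, and a target of at most 1 in 10^6
    # chance of compromise by online guessing.
    print(evaluate_policy(alphabet_size=62, length=8, retry_limit=100,
                          max_success_probability=1e-6))
    # Constructed example: 4-digit PIN with a 10-try lockout.
    print(evaluate_policy(alphabet_size=10, length=4, retry_limit=10,
                          max_success_probability=1e-6))
```

The second call shows why retry limits and length must be chosen together: a 4-digit PIN has only about 13.3 bits, so even a 10-try lockout leaves a 1-in-1,000 chance per account, far above a one-in-a-million target. The same functions also apply to offline attacks if you set `retry_limit` to the number of guesses an attacker can compute, which is where password hashing cost, not the retry policy, becomes the controlling factor.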

Purchase Report

This report is available for individual purchase ($499 USD).


Table of Contents

  • User Password: A Common Security Control Often Taken For Granted
  • The Right Password Policy Requires An Understanding Of The Fundamentals
  • Choose The Proper Password Length And Retry Limit For Your Risk Profile
  • Entropy Is Your Friend — Get To Know It!
  • Related Research Documents