xkcd illustrates the biggest problems I have with web-based passwords, namely that they are easy to forget, and easy for brute-force breaking. What we really want is something that's easy to remember, but difficult to guess, and difficult to brute-force. That means adding entropy. That means, a long password is better. Especially if someone's looking over your shoulder.
Most password strength checkers look only for the attributes mentioned in the above comic, and do nothing but to make us greate passwords that either:
a) we soon forget
or b) someone else can easily hack
You know it's bad when 4 random words put together form a better password than all the ones you've previously been using, or that you are forced to use on a website.
Vista-password (Photo credit: Wikipedia)
People wonder if their password is a good password. I often come across two distinct groups of people. The first would fall into a "just use any word" category, which is a very bad practice for picking passwords. The second group will mix in a few numbers in order to make the password a lot harder to guess. But, how do you know if you have a secure passphrase?
Good passwords / passphrases:
... should be 8 characters or longer, which forces you to use multiple words or extra symbols.
... should have upper case, lower case, symbols, and numbers; or at least three of those four groups.
... should not be a common word and should not be a common phrase.
... should not contain a date, a name, or other things that can be associated with you.
... should be created randomly or semi-randomly.
This password checker will gauge your password and give it a score based on how good of a password it is. It will let you know if you picked a common password (don't do that!) and it will also take into account the probability of letters landing close to each other. For instance, "Q" is almost always followed by "U", so your password's score won't increase much when you type in the "U".
I use cryptographically-minded descriptions to describe how weak or strong a password is. For email accounts, passwords to log into your personal machine, and other things that don't require the most strict authentication, feel free to use a password that is deemed "Weak" or "Reasonable".
This runs completely in your browser and sends no information to anyone. If you are paranoid, you can read the source code, unplug your machine from the internet, or just use a password that is similar to yours. Also, please keep in mind that this is an estimate of how strong your password is, and there is no guarantee that the information shown is correct.
- Warnings are shown if you enter a common password.
- Warnings are shown if your password is very short (4 or less characters) or if it is short (less than 8 characters)
- Password strength is determined with this chart, which might be a bit of a stretch for a non-critical password:
- < 28 bits = Very Weak; might keep out family members
- 28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
- 36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
- 60 - 127 bits = Strong; can be good for guarding financial information
- 128+ bits = Very Strong; often overkill
- The number of bits listed for entropy is an estimate based on letter pair combinations in the English language. To make the frequency tables a reasonable size, I have lumped all non-alphabetic characters together into the same group. Because of this, your entropy score will be lower than your real score when you use several symbols.
- For determining the character set, letters are grouped into a-z, A-Z, numbers, symbols above numbers, other symbols, and other characters. If your passphrase contains a character from the subset, that subset is added to the pool, increasing the size of the character set and increasing the amount of entropy in your password.
For further information, try NIST's Special Publication 800-63, Electronic Authentication Guideline, Appendix A: Estimating Password Entropy and Strength. Also, C.E. Shannon's A Mathematical Theory of Communication.
If you really like this program and you want to include it with your software or on your site, you can download it here: passchk.zip (34 k). The code is licensed under the GPLv3, which may be of importance to note if you are including it as part of your custom software.