If you’ve signed up for a Google account, you will have seen Google’s own password strength meter.  Google’s password strength meter is unique in that it identifies whether the password would be easily cracked under a dictionary attack.  However, Google hasn’t made the source code available to the public.  So… I thought I’d make my own.

Firstly, I wanted my algorithm to calculate the strength of a password using statistical analysis.  Essentially, the algorithm should approximate the ammount of time it would take to crack a password subject to the following attack mechanisms:

• Dictionary Attack
• Hybrid-Dictionary
• Brute Force

Before I run over the math, I should say that I am not a statictician, although I am pretty good with applied mathematics.

Dictionary Attack

In order to calculate the strength of a password subject to a dictionary attack, we must start by determining how many "real" words exist containing 1 to n letters; where "n" is the length of the password.  We should also consider that the password will, on average, find the password after searching through half of the n-letter words.  We can express this mathematically as follows:

Brute Force Attack

In order to calculate the strength of a password subject to a brute force attack, we simply consider the number of character combinations possible for a password of length 1 to n letters.  The number of possibilities exitsing is a function of both the password length and character diversity.  In this sense, the diversity of a password depends on whether upper case letters, lower case letters, numbers and symbols are used.  The diversity of a password containing only lower case letters is 26.  This is because there are 26 letters in the english alphabet.

Note that we again take the coefficient of a half for the final term.  I explained why this is done in the dictionary attack section above.  What I found very interesting is how the strength of a password subject to a brute force attack varies as we change the diversity and length.  Many of the algorithms I have come across give a greater weight to the diversity.  I.e. they assume that the diversity of a password has a greater impact on the strength.  This is often not the case.  My only guess as to why they do this is that they have no way of identifying whether a password is vulnerable to a dictionary attack.  Hence, they make the assumption that passwords containing numbers and/or symbols will not be vulnerable to a dictionary attack.

Hybrid-Dictionary Attack

This type of attack is particularly difficult to model accurately.  Hence, I am going to estimate that the strength of a password undergoing a hybrid dictionary attack is simply the "dictionary strength" multiplied by the "brute force strength" of the suffix/prefix:

Calculating The "Real" Strength

The equations above allow us to calculate the strength of a password.  However, we now need to make sense of the result.  To do this, we can create a scale by estimating the speed at which a computer is capable of attempting to crack the password.  Obviously, this value will change significantly as time passes as it is determined by the processing power of the cracker’s computer.  Hence, I recommend that you change/tweak the setting in the PHP script.  By default, this is set to 2,000,000 passwords per second.

The PHP script then uses this speed to calculate the time it would take to crack the password.  I have defined a strength rating to a range in time (e.g. 0 < time < 1 day).  You can change or add more ratings as you please.

Where Can I Download This?

Before I make the script public, I’d appreciate some feedback.  You can request additional features by posting a comment below.  Please also post any passwords that you feel the script does a poor job of estimating the strength for.

What’s The Neutrino Framework?

To explain this, let me start by describing how the Catalyst skin currently works.  In order to add all the lovely features that makes our CubeCart skins special (e.g. AJAX Add To Cart), we needed to extend CubeCart’s core PHP code.  We did this by including a number of PHP modifications that you were required to install before using the skin.  There are some inherent disadvantages associated with this method.  Firstly, it requires you to spend time installing all the modifications.  Secondly, there may be compatibility issues with other modifications you have installed.  Finally, as many of you are aware, it’s extremely difficult and time consuming to update CubeCart to later releases.

The Neutrino framework is simply a better way of adding the features you all love.  Although PHP code is still used, it is separated into individual files.  These files are then executed or manimulated using AJAX requests.  This means that there is complete separation from CubeCart’s core PHP files.  It also means that you won’t have to edit a single line of CubeCart’s PHP code to install the skin.

When Is The Update Due To Be Released?

We will release the update shortly after our new site goes live.  Please read this post for more information.

Will I Need To Pay For The Update?

If you currently hold a single domain license for the Catalyst V4 skin, you can receive this update free of charge.

Will The Update Be Compatible With CubeCart V4.3.0?

Absolutely!  You can view the demonstration store, which is currently running CubeCart V4.3.0.

Will I Loose Any Features When I Update?

No.  Catalyst V4 Reloaded will include all the features you are currently enjoying.

Have You Made Any Improvements To The Skin?

We have tweaked the code a little.  Here’s what we’ve added thus far:

• Dynamic "On Demand" JavaScript and CSS Compression
• Vast Improvements to the AJAX Add To Cart code
• Dynamic Image Scaling
• Many small tweaks to the code

If I Update, Will I Loose Any Modifications I’ve Made To The Skin?

Unfortunately, you will loose all the modifications you’ve made to the skin.  You can of course reapply any modifications to the skin.

Any Questions or Comments?

Please post you questions or comments below.

• Completely new website design
• Integration of the "Latest News" blog into our main website
• A brand new ordering system
• A brand new client panel (integrated into our ordering system)
• A fully-fledged Help Desk (integrated into our ordering system)
• Credit and debit card acceptance (no Google Checkout account required)

A Completely New Website Design

For those who have been following us closely, you will know that we regularly redesign our own site.  I’m happy to say that the new design will be here to stay - for some time anyway.  The new design will tie together our new ordering system, latest news blog and help desk.  We believe that the new site will be much easier to use than the current one.

Our Latest News Blog

Currently, our latest news section resides within our Website Design blog.  We will be moving all the latest news articles to our core site.  Hence, there will be a consistent design across our entire site.  We’ll be posing news pertaining to our skins, latest releases and CubeCart announcements.  This will be a excellent resource for any CubeCart store owner.

A New Ordering, Client Panel and Licensing System

The Client Panel was introduced some time ago now.  The uptake has been fantastic.  However, from the feedback we’ve received, we understand that you want it integrated into our main site.  The new client panel is an enormous improvement over the existing one.  Everything seamlessly works together.  You’ll be able to access all your downloads and license keys from a single central location.

Our existing licensing system is crude, at best.  Inevitably, this has led to piracy, consuming a great amount of our time.  Ideally, we would rather not have a licensing system.  However, if we’re going to keep our CubeCart skins affordable, we need to protect ourselves from those devious people who illegally share our hard work.

We will be encoding a few PHP files used by our skins with IonCube.  Currently, we apply a weak obfuscation technique to those PHP files that include our licensing mechanism.  The vast majority of hosting providers support IonCube.  If you’re not sure whether your host supports IonCube encoded files, you can check by dropping them a quick email.

Similar to how CubeCart’s licensing system works, our skins will "call home" every 14 days.  We understand that some of you will be concerned after the initial problems with CubeCart’s own licensing system.  We have been working hard to ensure that this does not happen.  Furthermore, after 30 days have passed since your purchase, you can request a permanent license file.  A permanent license file will no longer call home.  We’ll post more information shortly.

We’ll be offering limited time free trials for all our skins.

A Fully-Fledged Help Desk

In order to improve efficiency, we’ll be introducing a Help Desk.  You’ll be able to login to the help desk, ordering system and client panel with the same username and password.

Credit and Debit Card Acceptance

You’ll be able to purchase our skins without a Google Checkout account.  This is great news for those that reside in countries where Google Checkout is not available.

Any Questions?

As always, if you have any questions, please feel free to post a comment below.