I was scouring the internet looking for a freely available "Password Strength Meter" script. You’ve probably all come across them. The vast majority are useless. They’re useless because they rely mainly on empirical methods to determine the strength of a password. Whilst empirical methods may provide a good estimate of the strength of a password subject to a brute force attack, most don’t consider dictionary or hybrid-dictionary attacks at all.
If you’ve signed up for a Google account, you will have seen Google’s own password strength meter. Google’s password strength meter is unique in that it identifies whether the password would be easily cracked under a dictionary attack. However, Google hasn’t made the source code available to the public. So… I thought I’d make my own.
Firstly, I wanted my algorithm to calculate the strength of a password using statistical analysis. Essentially, the algorithm should approximate the amount of time it would take to crack a password subject to the following attack mechanisms:
- Dictionary Attack
- Hybrid-Dictionary
- Brute Force
Before I run over the maths, I should say that I am not a statistician, although I am pretty good with applied mathematics.
Dictionary Attack
In order to calculate the strength of a password subject to a dictionary attack, we must start by determining how many "real" words exist containing 1 to n letters, where n is the length of the password. We should also consider that an attacker will, on average, find the password after searching through half of the n-letter words. We can express this mathematically as follows:

Brute Force Attack
In order to calculate the strength of a password subject to a brute force attack, we simply consider the number of character combinations possible for a password of length 1 to n letters. The number of possibilities existing is a function of both the password length and the character diversity. In this sense, the diversity of a password depends on whether upper case letters, lower case letters, numbers and symbols are used. The diversity of a password containing only lower case letters is 26, because there are 26 letters in the English alphabet.

Note that we again take the coefficient of a half for the final term, for the reason explained in the dictionary attack section above. What I found very interesting is how the strength of a password subject to a brute force attack varies as we change the diversity and length. Many of the algorithms I have come across give a greater weight to the diversity, i.e. they assume that the diversity of a password has a greater impact on its strength than the length does. This is often not the case. My only guess as to why they do this is that they have no way of identifying whether a password is vulnerable to a dictionary attack. Hence, they make the assumption that passwords containing numbers and/or symbols will not be vulnerable to a dictionary attack.
Hybrid-Dictionary Attack
This type of attack is particularly difficult to model accurately. Hence, I am going to estimate that the strength of a password undergoing a hybrid dictionary attack is simply the "dictionary strength" multiplied by the "brute force strength" of the suffix/prefix:

Calculating The "Real" Strength
The equations above allow us to calculate the strength of a password. However, we now need to make sense of the result. To do this, we can create a scale by estimating the speed at which a computer is capable of attempting to crack the password. Obviously, this value will change significantly as time passes, as it is determined by the processing power of the cracker’s computer. Hence, I recommend that you change/tweak this setting in the PHP script. By default, it is set to 2,000,000 passwords per second.
The PHP script then uses this speed to calculate the time it would take to crack the password. I have mapped each strength rating to a range of time (e.g. 0 < time < 1 day). You can change or add more ratings as you please.
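As an added example (not the author’s PHP script, whose equations are not reproduced on this page), here are the dictionary, brute force and hybrid estimates described above and the time-to-crack rating, written in JavaScript from the prose description. The word-count table, the symbol count of 33, and every rating boundary other than the 1-day one are assumptions.

```javascript
// Added example, not the author's PHP script: the dictionary, brute-force and
// hybrid guess counts reconstructed from the post's description, plus a rating.

// Constructed table: number of "real" words with exactly k letters (index k).
// These are made-up figures for the example, not measured dictionary statistics.
const WORDS_BY_LENGTH = [0, 26, 100, 600, 2500, 5000, 9000, 12000, 13000];
const CRACK_SPEED = 2000000; // guesses per second (the post's default setting)

// Dictionary attack on an n-letter word: every shorter word is tried first,
// then on average half of the n-letter words.
function dictionaryGuesses(n) {
  let total = 0;
  for (let k = 1; k < n; k++) total += WORDS_BY_LENGTH[k] || 0;
  return total + 0.5 * (WORDS_BY_LENGTH[n] || 0);
}

// Character diversity: 26 for lower case only; other classes add to it.
// The symbol count (33 printable ASCII symbols) is an assumption.
function diversity(pw) {
  let d = 0;
  if (/[a-z]/.test(pw)) d += 26;
  if (/[A-Z]/.test(pw)) d += 26;
  if (/[0-9]/.test(pw)) d += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) d += 33;
  return d;
}

// Brute force: all strings of length 1..n-1, then half of the length-n strings.
function bruteForceGuesses(pw) {
  const d = diversity(pw), n = pw.length;
  let total = 0;
  for (let k = 1; k < n; k++) total += Math.pow(d, k);
  return total + 0.5 * Math.pow(d, n);
}

// Hybrid: a dictionary word with a brute-forced prefix/suffix, e.g. "tomato" + "42".
function hybridGuesses(word, affix) {
  return dictionaryGuesses(word.length) * bruteForceGuesses(affix);
}

// Rating bands: the post gives "0 < time < 1 day" as an example; the other
// boundaries here are assumptions and are meant to be tweaked.
function rating(guesses) {
  const s = guesses / CRACK_SPEED; // seconds to crack
  if (s < 86400) return "Weak";
  if (s < 86400 * 365) return "Good";
  return "Strong";
}
```

With these settings an 8-letter lower-case password scores Weak by brute force alone (about 0.65 of a day at 2,000,000 guesses per second), while 123456aA scores Strong, which is the result a commenter reports below before series checking was added. How the author’s script combines the three counts is not stated here; a meter would normally report the smallest count that applies.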
Where Can I Download This?
Before I make the script public, I’d appreciate some feedback. You can request additional features by posting a comment below. Please also post any passwords that you feel the script does a poor job of estimating the strength for.

March 2, 2009
Nice script, seems to do a good job, I tried a few common weak passwords then a few strong ones and it seems fine :))
March 4, 2009
Thanks for the feedback Cazpa!
March 6, 2009
Even if you don’t make this script public, the explanation of the logic utilized is worth the read. But I think that you must explain to the user how to make the password strong when they use your script.
March 6, 2009
Although it’s not in the demo, our PHP script can output hints on how to improve the strength of the password. I’ll work on integrating this into the demo page.
March 9, 2009
Like I said before v good work… and a very good explanation!
Having the hints function would be good!
Adam
March 9, 2009
Hi Homar
Try this one: pa55w0rd. Yours says Good and Google says Fair.
This is interesting to me as I would have thought a common method of choosing a password is to replace letters with numbers that look like them?
March 9, 2009
Hi Adam!
Thanks for that. I hadn’t really considered substituting letters for numbers in the algorithm. I think I’ll implement a method to check for this. It shouldn’t be too difficult.
The hints feature is already incorporated into the PHP. I’m just trying to figure out what would be the best way to present them to the user.
March 9, 2009
I have now added some very basic dictionary checking after a leet substitution. This is live in the demo now. Let me know what you think.
March 9, 2009
Also, after experimenting a little more… I don’t think Google are actually doing any dynamic leet checking. Instead, they are probably using a database to identify common leet passwords. I tried “p4s5w0rd” and Google responds with “Strong”.
I may implement levenshtein or similar_text functions. These functions can be used to check the similarity of the password to real words. I would suggest that “passwordz” is a weak password. However, since this is not in the dictionary, and I can’t think of a way to distinguish where a good position would be to split the password and perform dictionary checking, levenshtein should work perfectly. Although, this may be going a little overboard.
March 10, 2009
Impressive! That’s working great!!
March 12, 2009
Hmmm. Still need to check for repeated characters and common character combinations. For example:
1111111111111… , 12345678910 & abcdefghijklmno
Not sure how I’m going to implement this just yet.
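An added example, not the author’s script, of the pattern checks discussed in this thread: leet normalisation before the dictionary lookup (the pa55w0rd case above), and detection of repeated characters, series like 12345678910 and abcdefghijklmno, and the interleaved series a later commenter raises (1q2w3e4r). The leet and series tables are assumptions.

```javascript
// Added example, not the author's script: pre-checks for the weak patterns
// raised in the comments. The LEET and SERIES tables are assumptions.
// Leet table applied before the dictionary lookup ("1" could also stand for
// "l"; a fuller check would try both readings).
const LEET = { "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "5": "s", "$": "s", "7": "t" };
const SERIES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
const unleet = pw => pw.toLowerCase().replace(/[4@31!05$7]/g, c => LEET[c]);
const isRepeat = s => s.length >= 3 && /^(.)\1+$/.test(s); // e.g. "1111111"

// A contiguous run of one SERIES string, forwards or backwards, e.g. "abcdef" or "poiuy".
function isSeries(s) {
  if (s.length < 3) return false;
  const rev = s.split("").reverse().join("");
  return SERIES.some(src => src.includes(s) || src.includes(rev));
}

// Consecutive integers written out, e.g. "12345678910", which no SERIES string contains.
function isCounting(s) {
  if (!/^\d{3,}$/.test(s)) return false;
  for (let start = 0; start <= 9; start++) {
    let built = "";
    for (let n = start; built.length < s.length; n++) built += n;
    if (built === s) return true;
  }
  return false;
}
const simple = s => isRepeat(s) || isSeries(s) || isCounting(s);

// True when any substring of at least `min` characters is a simple pattern, e.g. "123456aA".
function hasPatternRun(p, min = 6) {
  for (let i = 0; i + min <= p.length; i++)
    for (let j = i + min; j <= p.length; j++)
      if (simple(p.slice(i, j))) return true;
  return false;
}

// Label of the first weak pattern found, or null; a meter would cap the rating
// (or show a hint) whenever this is non-null.
function weakPattern(pw) {
  const p = pw.toLowerCase();
  if (isRepeat(p)) return "repeated character";
  if (isSeries(p) || isCounting(p)) return "series";
  let a = "", b = "";                                   // even / odd positions
  for (let i = 0; i < p.length; i++) if (i % 2) b += p[i]; else a += p[i];
  if (b.length >= 3 && simple(a) && simple(b)) return "interleaved series";
  if (hasPatternRun(p)) return "contains a series";
  return null;
}
```

Run unleet() on the password before the dictionary lookup and weakPattern() on the raw password; either hit is a reason to cap the rating regardless of what the brute force estimate says.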
March 16, 2009
Hi Homar .. great work and helpful information,
I tried this: 123456aA,
Google says “GOOD”,
yours says “STRONG”
March 16, 2009
Hi Satya!
Whilst it is doubtful that any password crackers will contain strings such as this in their dictionary, it’s obviously not a particularly strong password. I will be updating the script to check for series combinations.
March 17, 2009
Nice script, good job.
March 25, 2009
Can you make an application out of this or is this strictly code?
March 28, 2009
How do you mean? The code is currently not available as it is still being developed. But… after I have made the code public, you will be able to do pretty much whatever you want with it (except sell it). You could integrate it into existing applications or create a completely new application from it.
March 30, 2009
All of the passwords I entered were very strong passwords (I use KeePass).
A nice implementation for your finished version would be to possibly show a STAR rating, maybe as high as 10?
Or even better, how KeePass does it, and display how many bits a password is?
April 4, 2009
hey,
check out this similar open source software below
http://sourceforge.net/projects/passwordgeek
April 4, 2009
Interesting, but this is an executable. My script uses only PHP and JavaScript and is designed to be integrated into a website (e.g. for display on a registration page). Also, the application does not protect against hybrid-dictionary attacks or leet.
April 6, 2009
Wouldn’t it be easier to do a Google search and, based on the number of results, estimate the password strength? Say, less than 100 hits is strong, etc.?
April 8, 2009
Yes, but this is intended to be integrated into applications. Can you really suggest to a user to enter his password into Google in order to identify whether it is resistive to attacks?
April 8, 2009
I have now added the hints feature. You can see a list of hints by clicking the strength output from my algorithm in the demo. I will almost certainly improve this graphically at a later date.
April 19, 2009
nice man! doesn’t always comply with google though
May 21, 2009
Very interesting algorithm. Looking forward to the publicly available version of this script.
Keep up the good work.
May 28, 2009
Hi.. seems interesting.
I tried some passwords like:
i\-/o&dT2;dnS0Ru
and
d4HOyICnIg0>+\;Q
Both of them I generated randomly using my own source code,
but they haven’t gone through any algorithm to check their strength.
Actually, I need an algorithm to check it so I could get some passwords that are hard to guess..
thanks..
July 16, 2009
Any News, any Progress?
July 29, 2009
Just a few notes. It seems like checking for series is implemented, but there is an issue with alternating series that you might want to look at. At first, these passwords look strong, but interweaving is an easy pattern to add to a dictionary attack program. It’s a little long, but I’ll post a few examples below, using the series 1-0 and qwertyuiop, alternated. I tried others, and they mainly provided similar results, with lots of disagreement between your algorithm and Google’s.
1q2w3e4r
Yours: Good
Google’s: Fair
1q2w3e4r5t and 1q2w3e4r5t6y
Yours: Strong
Google’s: Fair
1q2w3e4r5t6y7u
Yours: Weak ←Not sure why it suddenly becomes weak
Google’s: Fair
1q2w3e4r5t6y7u8i
Yours: Strong ←at 16 characters, it returns to strong
Google’s: Good ←and google’s bumps up to “good”
September 4, 2009
excellent idea… very good..
September 14, 2009
Works very well. Where Google would say Good or Strong, your algorithm would say Weak or Good. It felt safer.
November 16, 2009
I tried a number of the passwords from this online generator website ( http://cuddlycactus.com/passwords/ ) and your script seems to be producing some very good results.
November 18, 2009
Good job!
Anyway I tried some difficult combinations like
A…//..//n#$!@..5
and second one
a8%2m2)laA
It’s strange because your script shows me WEAK but Google shows STRONG.
It looks like you are stripping special chars like “.”, “/”, “@” and others. I added some numerics and lower case strings and it’s still weak in your algorithm.
PS: Can you send the PHP scripts to me?
Thanks
Lukas
simplestyle.pl
November 19, 2009
It’s pretty good; it does almost everything I was looking for:
word recognition, requiring special chars and numbers.
I will also modify it to do it for reversed words, like tomato and otamot.
Good job,
PS: I suppose you could send it to my mail.
PS2: there was a bug when I copied “otamot ” from this text: it doesn’t show any message, and if we try with a space it works again…
December 24, 2009
Seems that Google has a large database of passwords; plus, Google did check for the length of the password, that is why 1q2w3e4r>1q2w3e45t6y7u. Maybe it should be multiplied by length with a factor.
December 28, 2009
The length is incorporated into the dictionary, hybrid and brute-force equations. However, you need to understand that a long word found in the dictionary is not more secure than a shorter string of random characters.
I’m staying well clear of “fudge factors”, empirical correlations etc.
January 29, 2010
If you try to type http://www.google.com as a password, your algorithm says it’s strong while Google says fair.
February 2, 2010
When I just tried it, both algorithms report strong. And rightfully so! Such passwords can only be judged from environmental variables.
Google is recognised as a word. However, the rest is considered nonsensical. It is unlikely that the dictionary will contain URLs or even domains. Such passwords would probably be found using brute force attacks.
February 11, 2010
Excellent, great, Awesome job
February 12, 2010
I was playing around with it and found with ‘maidenname’ yours gave me ‘Weak’ whilst Google said it was ‘Strong’ - I’d say yours was better.
February 27, 2010
I like your script so much .. but can I ask how I would show a progress bar (i.e. Poor to Strong) instead of a button?
Thanks and Regards
Raaj
May 26, 2010
Excellent, great, Awesome job
May 27, 2010
Really nice script. I was wondering how they made it, but now it seems easy.
June 3, 2010
Learnt something new again, Thanks
June 24, 2010
Very nice bit of script, very useful for larger user websites. Seems very ‘strong’ and not at all ‘weak’.
June 25, 2010
it might be dolls, lightweight dolls.
June 28, 2010
Very good script
July 22, 2010
You should also consider sequences “123456789”, “qwerty”, “abcdefgh”, etc.