I was scouring the internet looking for a freely available "Password Strength Meter" script. You’ve probably all come across them. The vast majority are useless. They’re useless because they use mainly empirical methods to determine the strength of a password. Whilst empirical methods may provide a good estimate of a password's strength against a brute force attack, most don’t consider dictionary or hybrid dictionary attacks at all.
If you’ve signed up for a Google account, you will have seen Google’s own password strength meter. Google’s password strength meter is unique in that it identifies whether the password would be easily cracked under a dictionary attack. However, Google hasn’t made the source code available to the public. So… I thought I’d make my own.
Firstly, I wanted my algorithm to calculate the strength of a password using statistical analysis. Essentially, the algorithm should approximate the amount of time it would take to crack a password subject to the following attack mechanisms:
- Dictionary Attack
- Brute Force
Before I run over the math, I should say that I am not a statistician, although I am pretty good with applied mathematics.
In order to calculate the strength of a password subject to a dictionary attack, we must start by determining how many "real" words exist containing 1 to n letters, where n is the length of the password. We should also consider that an attacker will, on average, find the password after searching through half of the n-letter words. We can express this mathematically as follows:
Brute Force Attack
In order to calculate the strength of a password subject to a brute force attack, we simply consider the number of character combinations possible for a password of length 1 to n letters. The number of possibilities existing is a function of both the password length and character diversity. In this sense, the diversity of a password depends on whether upper case letters, lower case letters, numbers and symbols are used. The diversity of a password containing only lower case letters is 26, because there are 26 letters in the English alphabet.
Note that we again take the coefficient of a half for the final term. I explained why this is done in the dictionary attack section above. What I found very interesting is how the strength of a password subject to a brute force attack varies as we change the diversity and length. Many of the algorithms I have come across give a greater weight to the diversity. That is, they assume that the diversity of a password has a greater impact on the strength than its length. This is often not the case. My only guess as to why they do this is that they have no way of identifying whether a password is vulnerable to a dictionary attack. Hence, they make the assumption that passwords containing numbers and/or symbols will not be vulnerable to a dictionary attack.
A hybrid dictionary attack (a dictionary word with a brute-forced prefix and/or suffix attached) is particularly difficult to model accurately. Hence, I am going to estimate that the strength of a password undergoing a hybrid dictionary attack is simply the "dictionary strength" multiplied by the "brute force strength" of the suffix/prefix:
Calculating The "Real" Strength
The equations above allow us to calculate the strength of a password. However, we now need to make sense of the result. To do this, we can create a scale by estimating the speed at which a computer is capable of attempting to crack the password. Obviously, this value will change significantly as time passes, as it is determined by the processing power of the cracker’s computer. Hence, I recommend that you change/tweak the setting in the PHP script. By default, this is set to 2,000,000 passwords per second.
The PHP script then uses this speed to calculate the time it would take to crack the password. I have assigned a strength rating to each range of time (e.g. 0 < time < 1 day). You can change or add more ratings as you please.
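The whole model described above (the dictionary count with the half coefficient on the final term, the brute force sum over length and diversity, the hybrid product, and the conversion of guesses to a crack time and rating) can be written out in a few functions. What follows is an added Python example written for this page; it is not the post's own PHP script, which is not shown. Everything constructed here is labelled as such: the tiny embedded word list, the minimum dictionary-word length of 3, the 32 printable ASCII symbols used for the symbol class, and the time ranges behind the ratings. The 2,000,000 guesses per second figure is the post's stated default.

```python
"""Password strength estimator built on the model described in the post.

Added Python example, not the post's PHP script. Assumptions, all constructed
for this example: the toy word list, MIN_WORD_LEN, the 32-symbol class, and
the rating time ranges. 2,000,000 guesses/second is the post's default speed.
"""
import string

GUESSES_PER_SECOND = 2_000_000  # default speed quoted in the post; tune as needed

# Constructed toy word list; a real meter would load a large dictionary file.
WORDS = {"cat", "dog", "sun", "love", "pass", "word", "house", "apple",
         "monkey", "dragon", "password"}
MIN_WORD_LEN = 3  # assumption: ignore 1-2 letter "words" when hunting for a match

SYMBOLS = set(string.punctuation)  # assumption: 32 printable ASCII symbols


def word_counts_by_length(words):
    """Number of 'real' words of each length in the dictionary."""
    counts = {}
    for w in words:
        counts[len(w)] = counts.get(len(w), 0) + 1
    return counts


def dictionary_guesses(n, counts):
    """Guesses for a dictionary attack on an n-letter word: every word of
    length 1..n-1, plus half of the n-letter words (on average the attacker
    finds the password halfway through the final set)."""
    shorter = sum(counts.get(k, 0) for k in range(1, n))
    return shorter + counts.get(n, 0) / 2


def diversity(password):
    """Alphabet size implied by the character classes present."""
    d = 0
    if any(c.islower() for c in password):
        d += 26
    if any(c.isupper() for c in password):
        d += 26
    if any(c.isdigit() for c in password):
        d += 10
    if any(c in SYMBOLS for c in password):
        d += len(SYMBOLS)
    return d


def brute_force_guesses(length, div):
    """Guesses for brute force: div^k for k = 1..length-1, plus half of
    div^length, the same half coefficient as in the dictionary case."""
    shorter = sum(div ** k for k in range(1, length))
    return shorter + div ** length / 2


def find_dictionary_word(password, words):
    """Longest dictionary word inside the password (case-insensitive), as a
    (start, end) slice, or None if nothing of MIN_WORD_LEN or more matches."""
    lower = password.lower()
    best = None
    for i in range(len(lower)):
        for j in range(i + MIN_WORD_LEN, len(lower) + 1):
            if lower[i:j] in words and (best is None or j - i > best[1] - best[0]):
                best = (i, j)
    return best


def rating(seconds):
    """Map crack time to a label; these ranges are constructed for the example."""
    if seconds < 60:
        return "very weak"
    if seconds < 86_400:          # under a day
        return "weak"
    if seconds < 365 * 86_400:    # under a year
        return "medium"
    return "strong"


def estimate(password, words=WORDS, speed=GUESSES_PER_SECOND):
    """Cheapest of the applicable attacks (dictionary, hybrid, brute force) and
    the resulting crack time. Taking the minimum models an attacker who uses
    whichever method reaches the password fastest."""
    counts = word_counts_by_length(words)
    candidates = {"brute force": brute_force_guesses(len(password), diversity(password))}
    match = find_dictionary_word(password, words)
    if match:
        start, end = match
        extra = password[:start] + password[end:]  # brute-forced prefix + suffix
        dict_guesses = dictionary_guesses(end - start, counts)
        if extra:
            candidates["hybrid"] = dict_guesses * brute_force_guesses(len(extra), diversity(extra))
        else:
            candidates["dictionary"] = dict_guesses
    attack = min(candidates, key=candidates.get)
    seconds = candidates[attack] / speed
    return {"attack": attack, "guesses": candidates[attack],
            "seconds": seconds, "rating": rating(seconds)}


if __name__ == "__main__":
    for pw in ("password", "Dragon99!", "Tr0ub4dor&3"):
        print(pw, estimate(pw))
```

With the toy word list, "password" is found as a whole word and costs only 10.5 guesses, "Dragon99!" is caught by the hybrid path (9 dictionary guesses times 38,850 for the "99!" suffix) rather than the far larger brute force figure, and a password with no dictionary substring falls through to brute force. The same functions also show the length-versus-diversity point from the brute force section: ten lower case letters outscore six characters drawn from all four classes.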
Where Can I Download This?
Before I make the script public, I’d appreciate some feedback. You can request additional features by posting a comment below. Please also post any passwords that you feel the script does a poor job of estimating the strength for.