P@s$w0rdz: Testing Passwords

Measuring Strength | How Strong Should Your Passwords Be? | Information Entropy | Tester: zxcvbn


Measuring Strength

  • Your passwords are probably weaker than you think -- you can test below.
  • Different web sites might evaluate the same password differently:
    Poor / Good / Excellent labels and 'strength gauges' are inexact/relative.
  • A password manager generally assesses password strength accurately.
  • Perhaps your OS offers a built-in tester, e.g. macOS Password Assistant.
  • Like password generators, password testing apps / sites may be safe -- or not.
  • Obtaining an "information entropy" value can provide more confidence
    about a password's strength -- and unpredictability.
[Image: a strength-tester result reading "quadrillion years" -- "How Secure is my Password" by jasonpearce, licensed under CC BY-NC-SA 2.0]

How Strong Should Your Passwords Be?

  • Current recommendation: passwords should have 'high' entropy: 75+ bits
  • zxcvbn entropy scores and 'cracking times' are estimates.
  • Password breaches are ongoing, hackers learn new tricks,
    and processing speed continues to increase.
  • "Future proof" your passwords (to some extent) by making your passwords
    even longer and stronger than seems necessary now.
  • It doesn't "cost" anything to use a password manager (PM) to create and enter strong passwords,
    even for seemingly unimportant sites -- so why not?
  • A few random passwords generated by 1PW, with E values from zxcvbn (v 4.4.2):
  • 4-word random phrase: E = ~78 -- lengthen or modify for especially important passwords
  • 5-word random phrase: E = ~94 -- strong enough?
  • 64 random chars: E = ~212 -- no need to test
  • 100 random chars: E = ~330 -- no need to test

Information Entropy (Math Alert!)

max permutations = R^L

E = log2(R^L) = L * log2(R)

E = log2(10^guesses_log10)

E = guesses_log2 (bits)


  • Longer, more complex passwords are stronger -- no surprise -- but how much stronger?
  • R: the size of the character set (number of possibilities per position): digits 0-9, A-Z, a-z, punctuation,
    or a word list for passphrases -- larger is stronger
  • L: the length of the password sequence (number of characters, or words for a passphrase); R is raised
    to the power L -- longer is stronger
  • E: information entropy is derived from the number of possible 'permutations'
    ('combinations' where order does matter): E = log2(R^L)
  • The log function yields "bits of entropy" -- a more manageable (smaller) number than the total permutations
  • guesses_log10 and guesses_log2 are estimates from the zxcvbn tester (covered below)
  • Entropy is decreased by recognizable words / patterns, e.g. 12345, pet / sports-team names, popular phrases / quotes,
    keyboard sequences, and anything on cracked-password lists -- common is weaker, since attackers try these first
  • Higher entropy means less predictable, i.e., more attempts / time to guess or crack by brute force

Tester: zxcvbn

  • My favorite strength tester, zxcvbn, provides an entropy value with annotations.
  • zxcvbn is trustworthy since it is open-source code; also, zxcvbn does not log passwords.
    If you're still concerned, turn off internet access after loading the page so it runs locally.
  • Demo zxcvbn form (embedded on the original page): click the demo label to highlight the input field,
    then enter a password to test; E = log2(10^guesses_log10); in Google: log2(10^guesses_log10)
  • Compare old and new zxcvbn algorithms: the comparison includes the log2 calculation;
    E = guesses_log2 (bits)
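The entropy formulas from the Information Entropy section and the zxcvbn conversion above, worked through in Python as an added example (not code from the page or from zxcvbn). It assumes 33 printable-ASCII punctuation symbols and a 7776-word passphrase list; the 75-bit threshold is the slide's own recommendation.

```python
import math

# Alphabet sizes R for the character classes the slides list.
# The punctuation count (33 printable ASCII symbols) is an assumption.
CHARSET_SIZES = {"digits": 10, "lower": 26, "upper": 26, "punct": 33}

# Word-list size for passphrases; 7776 (a Diceware-style list) is assumed.
WORDLIST_SIZE = 7776

HIGH_ENTROPY_BITS = 75.0  # the slide's 'high entropy' recommendation


def alphabet_size(*classes: str) -> int:
    """R for a password drawn from the union of the named character classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def entropy_bits(r: int, length: int) -> float:
    """E = log2(R^L) = L * log2(R) for a uniformly random sequence of
    `length` symbols (characters or words) from an alphabet of size `r`.
    This holds only for truly random choices: dictionary words, keyboard
    walks and leaked passwords have far fewer effective possibilities."""
    if r < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(r)


def bits_from_guesses_log10(guesses_log10: float) -> float:
    """zxcvbn reports guesses_log10; E = log2(10^g) = g * log2(10)."""
    return guesses_log10 * math.log2(10)


def verdict(bits: float) -> str:
    """Compare an entropy estimate with the 75-bit recommendation."""
    return "high" if bits >= HIGH_ENTROPY_BITS else "low"


if __name__ == "__main__":
    all_four = alphabet_size("digits", "lower", "upper", "punct")  # R = 95
    cases = [
        ("6-digit PIN", entropy_bits(alphabet_size("digits"), 6)),
        ("12 chars, all four classes", entropy_bits(all_four, 12)),
        ("5-word passphrase (7776 words)", entropy_bits(WORDLIST_SIZE, 5)),
        # A constructed zxcvbn output: guesses_log10 = 64 gives the slide's ~212 bits.
        ("zxcvbn guesses_log10 = 64", bits_from_guesses_log10(64)),
    ]
    for label, bits in cases:
        print(f"{label:32s} E = {bits:6.1f} bits -> {verdict(bits)}")
```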