4

In password strength calculator is there an algorithm to determine the keyboard pattern? there could be thousands if not millions of patterns that could be generated with a standard qwerty keyboard. How does a password strength calculator find the strength of password from keyboard pattern?

Jackline
  • 81
  • 2
  • ...there is no general algorithm, they only check for specific cases such as `qwertyuiopasdfghjklzxcvbnm`. – LegionMammal978 Nov 22 '15 at 01:36
  • @LegionMammal978 that's not true; any cracking system that tests multi-word patterns with a good cracking dictionary will see lots of "words" in passwords like `1qazsadf` containing `1qaz`+`asdf`. See [my answer](https://security.stackexchange.com/questions/106163/how-is-strength-of-password-calculated-from-standard-keyboard-patterns/106395#106395) below. – Adam Katz Nov 24 '15 at 22:50

3 Answers3

2

There are many algorithms and libraries to implement this. Each has its strengths and weaknesses. zxcvbn is one of the more commonly referenced ones. It is reasonably well documented and open source. The best ones use a combination of algorithms and dictionaries of common passwords.

Neil Smithline
  • 14,621
  • 4
  • 38
  • 55
  • StackExchange founder Jeff Atwood has a nice writeup on this kind of thing, called [Your Password is Too Short](https://blog.codinghorror.com/your-password-is-too-damn-short/), on his blog too (it references that zxcvbn writeup) – Adam Katz Nov 24 '15 at 20:59
1

Generally, a good password dictionary takes care of this sort of thing in a dictionary attack.

Even a simple cracking dictionary should have common passwords like 1qaz2wsx and "words" like asdf and zxcv. Cracking programs like John the Ripper do this sort of thing. Its author even sells its wordlist for password cracking.

Even a dictionary lacking a password like asdfghjkl; but containing words like asdf and jkl would see a reduced entropy when they compose asdf+gh+jkl+; (the entropy of word+letter+letter+word+special is about 48 bits, which can be cracked in a few hours if stored as an MD5, compared to an 8-char random printable password's 52 bits. Learn more about entropy caluclation). More realistically, the entropy of that ten character password is far far lower since you must assume a cracking dictionary has asdfghjkl (entropy becomes ~20, crackable in milliseconds) if not the whole string.

The same will go for most keyboard patterns while the rest will contain smaller "words" that will indeed be recognized, always reducing the entropy down to something that would crack in seconds to a veteran attacker.

Adam Katz
  • 9,718
  • 2
  • 22
  • 44
0

The following is true if the characters are picked randomly.

The standard US Qwerty keyboard has 96 unique characters. This means each character picked randomly adds about 6.6 bits of entropy. If you have an eight character password, then entropy would be 8 * 6.6 = 53 bits

If you are only using alphanumerals (62 characters -- no special characters) then each randomly picked character adds 6 bits of entropy. In that case, 8 character password would have 8 * 6 = 48 bits of entropy. That's more than enough for online account where brute force is detectable.

For offline account 12 characters (72 bits) would be enough. Even the US government will have to put serious computing effort (millions of dollars) to brute force 72 bits, especially as passwords are usually hashed with something like bcrypt or PBKDF2 which makes brute forcing expensive.

Once again, this all is true if characters are picked randomly (by software or shuffled cards or something) If humans are picking the characters then the entropy would be lower.

user12480
  • 186
  • 1
  • 5