How to test password strength

Question

My very first question and I am happy to see that the algorithm did not come close enough.

My question is about the strength of a particular string to be used as a password. Is the length and mix of characters (upper and lower case letters, numbers, and other special characters) the only measures of the strength of the password that we have to work with?

Is there anything else that we can add to the mix to make strong passwords? What I am thinking about is control characters like the when we used to send a form feed to a printer back in the days. Could we use these kind of key combinations to add to passwords?

Thanks for any help.

Waseem

Answer 1

Theoretically, the strength of a password is the number of tests it would take to guess it. In pure mathematical terms, it's the number of possible characters in the character set raised to the power of the length of the password. But the real measure of strength of a password is "how long will it withstand an attacker?"

We all know that most user-selected passwords don't take advantage of the full character set, because complex passwords contain too much entropy for a human to easily remember. So, most passwords consist of natural language words with slight modifications; vastly reducing the number of passwords that an attacker has to test. In other words, adding the ability to hit the control key won't make any users actually hit it, meaning it won't add much to the effective strength.