How reliable is a password strength checker?

Question

I've tested the tool from Microsoft available here which tests password strength and rates them. For a password such as "i am going to have lunch tonight", the tool rates it's strength as "BEST" and for a password such as "th1$.v4l" it rates it as "Medium".

I'm wondering how important password length really is. In this case the first password is better according the their tool but is it really better? It's based on dictionary words and has no combination of numbers and other characters besides spaces, and seems very easy to crack (not considering brute force).

Is that tool giving precedence to length instead of actual strength ?

Answer 1

"Not considering brute force" - that's exactly what these tools measure.
Obviously they dont try social engineering, or trying to discover if it's the user's first girlfriend's dog's birthday. The attacker might know that, but these tools don't.

What they do measure is simply the difficulty for a bruteforcing tool to crack it. Not even the entropy of the password, which is an attribute of the generation method, just an estimate of how long it would take a bruteforcing tool to successfully find the correct password.
Obviously, entropy has an effect on this, but it is only total entropy that matters, not entropy-per-character. So yes, having a lot of equi-probable options for each character does add to the entropy, but length can play an even more important part in making a password uncrackable, by raising the entropy-per-character to a higher power, by character count. This makes for a much higher total entropy, which is the only thing that matters.

So, in your case - yes, the 32-character, alpha-only passphrase is much stronger than the 8-character punctuation password.

---

I'm gonna try and do the maths here for a bit: (please correct me when I'm wrong):

If we assume standard US-style keyboard, there are 85 possible printable characters (possibly be able to scrape a few more, but lets go with this for now): lowercase letters + upper case letters + numerals + standard punctuation + space.
This grants ~6.3 bits strength per character; at 8 chars length the password gives you ~50.4 bits strength.
Note really very strong... Even if we throw in a few more "special" characters, you're not going to upgrade that very much.

Now, for your 32 character, alpha-only passphrase...
Let's assume lowercase and uppercase letters only (even though you didnt use any), plus a space (U+32). Not even numerals...
That gives you 54 possible characters, around ~5.8 bits per character. At 32 chars long, thats over 185 bits strength. Substantially stronger. And that's even without numerals, which are usually accepted even in "simple" password schemes.

---

Bruce Schneier often talks about how switching to long memorable passphrases would be much more secure than short, randomized weird-looking passwords.
Now you see why.

Answer 2

You're worried that because the passphrase uses dictionary words, it might be easier to crack than something that must be brute-forced.

tl;dr: This is a valid theoretical worry, but right now it's not a practical concern.

"I am going to have lunch tonight" is a five word phrase using words out of the most common 5000 in the English language. Naively, guessing it is isomorphic to guessing a 5 letter password in a 5000 letter alphabet, which is 3x10^18 possibilities. That's about the same as a 10 character password using upper and lowercase, numbers, and symbols.

Of course, a smart enough cracking program could reduce this considerably. The sentence is standard English prose, which follows such strict rules that it has an information entropy rate of around 1 bit per letter. That means your phrase has 33 bits of entropy, making it only as complex as a perfectly random password of 5 printable ASCII characters.

That's not very complex.

However, to exploit that lack of complexity, you would need a specialized "English passphrase cracker" which could optimize something like markov chain modeling into kernels for GPGPU processing. To the best of my knowledge, nothing like that is even in development at this time. So unless someone with the resources to create that software wants your passphrase, you should be safe for quite a while.

Answer 3

Entropy is a strange thing to measure.

NIST Special Publication 800-63, Electronic Authentication Guideline ncludes guides for estimating password strength:

Entropy varies greatly depending on whether a password is selected by a user or is generated randomly. Statistically, guessing the first character of a password selected by a user is tough, but guessing the second is easier and the third is easier yet. The NIST guidelines give the first character 4 bits of entropy when using the 94 characters available on standard keyboards, but only 2 bits for each of the next seven characters, and so on.

Randomly selected passwords do not display patterns, so each character carries the same level of entropy, about 6.6 bits.

This means an eight-character password selected by a user has 18 bits of entropy, while a random password the same length has about 52.7 bits.

In other words, if you can determine the first 3 characters of my password are

Awe

Then the odds of the next character being s are way, way higher than it being *.

So when we say a password character can be any character, that's not really true; most people use words that have strong patterns in them and implicitly reduce the possible set of the following characters -- thus producing a password with lower entropy (randomness).

Answer 4

I am not sure how "i am going to have lunch tonight" is dictionary vulnerable, its a seven word phrase. Where "th1$.v4l" is a two word phrase with a character join, and character substitution something that password crackers have dealt with since forever it seems.

A few password testers use cracklib+ajax like tests with a small rule base to weed out your "this.val" password.

Answer 5

The question of the reliability of password strength checkers also extends to the security of the checker in general. It is scary to see a proliferation of online password strength meters. You're unnecessarily exposing your password to some site out there on the internet! Even local applications for password checking may be nefarious. Claims that the site uses javascript and never transmits the password over the Internet cannot be trusted. Some password strength testing sites are surely run by black hats, who just add them to their dictionaries along with whatever other information they can gather about you. Other sites are run by people with good intentions, but possibly bad implementations, like a vulnerable server, or lack of https. And still others are vulnerable to attacks by "the authorities" who have ways of compelling the site to reveal e.g. the passwords submitted by certain IP address ranges.

I suggest that anyone who uses such a site should never submit a password they actually intend to use.

Answer 6

Length is almost everything when trying to defend against brute force attacks.

Even the basic password crackers allow 1337-speak style substitutions, so in your example you are effectively comparing a 7 word passphrase with a 2 word passphrase.

As long as you have long passphrases (where the exact definition of long may vary depending on your needs, but should at least be over 13 chars to make the odds of a rainbow table attack minimal) you force an attacker to try other forms of attack, such as social engineering; finding out where you wrote the passphrase; holding your cat hostage etc.

Answer 7

Theoretically, "password strength meters" cannot work. The tool only sees the outcome of the password generation process, while the password "strength" is really a property of the process. See this answer and then that answer for details.

The best a password strength meter application can give you is how much time it would have taken it to break your password -- in other words, it assumes that the attacker runs the exact same code and knows nothing more about you. This is not a reasonable assumption in practice: the attacker, when he attacks you, is, well, after you, specifically. Relying on a password meter for security is like praying that all attackers will be incompetent: that's a kind of "leap of faith".

Answer 8

Looking at the Javascript for that Microsoft tool it seems that it only has a limited list of dictionary words (See Lines 264 onwards in the js file), so that might explain why your passphrase is getting a higher rating than perhaps it should.

I personally would recommend this password strength tester it gives a good breakdown of the elements that make up your password and tells you how it can be improved. It rates your password "i am going to have lunch tonight" at 56% and your second password "th1$.v4l" at 74% which seems more realistic.

However, this tool doesn't use any wordlist at all -- your passphrase is marked down just for being all lower case, while "i am going to have lunch tonight!" gets 98%. You can draw your own conclusions about how useful the %age ratings are.

In regards to the affect on length on cracking time checkout this article. Note that its from way back in 2009, though, and GPGPU-based password crackers can now manage 10^9/sec (the "class F" highest level of attack in the article) on a single gaming/workstation PC with a $500 GPU card.

Answer 9

I saw a comic in the newspaper recently. Or maybe it was a digital copy online of a comic, I dont recall.

It illustrated this very debate. And I will now explain to you the point it made:

Just because a password is short doesnt mean its easy to guess, as in the case with "th1$.v4l". But just because a password is long doesn't mean its easy to guess either, as in the case with "i am going to have lunch tonight".

The fact of the matter is, no serious human hacker is going to sit there and guess your password. They might use dictionary words, but those dictionaries dont contain every possible sentence. Just words.

Nope, what hackers do (when they have exhausted a typical dictionary of WORDS), is they usually have the computer go systematically through every possible combination. Beginning to end. If they are forced down this path, the shorter the password, the worse. The longer, the better. Regardless if there are digits or symbols. Digits and symbols only matter to humans remembering and humans guessing. To a computer, they are the same thing... a sequence of 1's and 0's... and it makes no difference.

Do yourself a favor. Keep it long but simple. Short and complex might cost a hacker time, but long and simple will do the same thing. The question is, do you want a password that is easy to remember or hard to remember?

Answer 10

Well, if you define the strength of a password as its difficulty or likelihood of being cracked, then almost counter-intuitively, the strength of a password is more a function of its length than its difficulty to remember.

When a potential attacker knows nothing about your password and can only use brute-force to crack your password, a longer password that's much easier to remember, like

"i am going to have lunch tonight"

will take more time to crack than

"th1$.v4l"

simply because there are more characters that the attacker would need to guess correctly in order to crack the password. The longer passwords present a larger search space to exhaust, give your needle (password) a much bigger haystack to hide in.

Answer 11

Well all password strength checker tools verifies how much effort it will take to find the password using brute force and dictionary attack.

like if you compare your results here of both password.

http://www.passwordmeter.com/

"th1$.v4l" is

Strong password with 74%

"i am going to have lunch tonight" is

Good password 56%

this password will take less time to crack using brute force.

Answer 12

Password strength can only be estimated by you alone or by someone else if you tell them how you create your passwords. For example, if I use a random password generator that uses a 50-character set and my password is 8 characters long, my password will be 1 among approximately 3.9×10¹³ or 2⁴⁵. If I use Chinese Pinyin-based passwords and my password is a phrase of 4 words, given that each word is out of a possible 2,050, my password is 1 out of a possible 1.8×10¹³. The average Pinyin romanization of a Chinese character is about 3 to 4 characters long making a "4-word" password about 16 characters. Yet, this Pinyin password is weaker than the 8-character password generated from a character set of 50.

If an attacker knows how a password was generated (let's say by examining the plain text passwords stolen from a few insecure sites) by a certain person, they have the knowledge necessary to lower the difficulty of brute-forcing by a lot! Because they know that you are not using all of the possible characters on your keyboard anymore, they can eliminate impossible combinations and save time.

The next time you generate a password, think about the algorithm/method you are using to generate one. Using Password Safe to generate a 21-character password out of a 72-character set (+-=_@#$%^&<>/~\?abcdefghijkmnopqrstuvwxyzandABCDEFGHJKLMNPQRTUVWXY346789), you get approximately 1.0×10³⁹ possible combinations or 130-bits of security.

Answer 13

Password strength checkers are, as a rule, not very reliable. They tend to rely on overly simplistic calculations which assume attackers will only attempt to guess your password by trying every possible combination of characters, an assumption which is rarely true in practice.

In reality, a motivated attacker can come up with all sorts of different strategies for guessing your password, some of which no password strength checker may ever have been programed to consider.

For example, the password "!QAZXSW@#EDC" might look pretty random, until you realize I wrote it by pressing a very simple pattern of keys on a standard English keyboard. An attacker using a program designed to guess keyboard-layout-based passwords could easily crack such a password in minutes. (And indeed, Have I Been Pwned's Pwned Passwords Checker indicates that this exact password has already been used and cracked multiple times.) Similarly, "i am going to have lunch tonight" might seem strong to your typical password strength checker, but it could be easily cracked by an attacker using a program designed to guess common English sentences.

There are password strength checkers which are better at this sort of thing than others (ZXCVBN, for example, can detect the keyboard-pattern-based password I gave above and give a more realistic strength estimate) but ultimately it is not always possible to tell how strong a password is just by analyzing the password itself. It isn't safe to assume that just because the password strength checker you're using can't guess what method you used to choose your password, that an attacker trying to guess your password won't. That assumption is known as "security by obscurity" and it's considered bad practice to rely upon in the information security community.

So what should you do instead? Choose your passwords randomly, preferably using a source of randomness like dice that can't be weakened by natural human biases. That way, even if you assume the attacker knows exactly how you generated your password, you can still easily calculate how many guesses the attacker would have to try before correctly guessing your password.

Diceware is a good example of such a method for generating passwords. Four random Diceware words will take 7776⁴/2 = ~1.83 quadrillion guesses on average for an attacker to guess, even if they know the exact list of words you chose your password from. Passwords generated by a password manager are strong for similar reasons.

For more information on how to choose passwords securely, I recommend Thomas Pornin's answer to "XKCD #936: Short complex password, or long dictionary passphrase?", which goes into detail on password entropy and how to calculate the strength of a randomly-generated password.