75

I've tested the tool from Microsoft available here which tests password strength and rates them. For a password such as "i am going to have lunch tonight", the tool rates it's strength as "BEST" and for a password such as "th1$.v4l" it rates it as "Medium".

I'm wondering how important password length really is. In this case the first password is better according the their tool but is it really better? It's based on dictionary words and has no combination of numbers and other characters besides spaces, and seems very easy to crack (not considering brute force).

Is that tool giving precedence to length instead of actual strength ?

AviD
  • 72,708
  • 22
  • 137
  • 218
iijj
  • 759
  • 1
  • 6
  • 3
  • 8
    I wonder if anyone has built a Markov model based brute forcer for pass phrases. – Stephen Paulger May 25 '11 at 11:07
  • 3
    There are already available rainbow tables for NTLM and MD5 to crack any password up to 8 character long using all characters on the keyboard. The set for "lower alpha, numbers and symbols" is only 400GB large, the one for full space is about 600GB large. – Hubert Kario Aug 16 '11 at 09:51
  • 5
    [Relevant XKCD](http://xkcd.com/936/). – kba Dec 28 '11 at 21:04
  • @StephenPaulger, Care to elaborate on how a "markov model based brute forcer" works? – Pacerier Apr 11 '14 at 18:19
  • 4
    @Pacerier Markov chains can store the frequency words are used together, so if you start your password phrase guess with a word you could try the more likely associated words first. That's the fastest I can try to explain what I meant, there are many things describing the concept online if you want to know more. – Stephen Paulger Apr 15 '14 at 16:03
  • Reviving an old thread, to add an old citation, but: _Castelluccia, Claude & Dürmuth, Markus & Perito, Daniele. (2012). Adaptive Password-Strength Meters from Markov Models._ – msanford Jun 26 '20 at 14:07

13 Answers13

60

"Not considering brute force" - that's exactly what these tools measure.
Obviously they dont try social engineering, or trying to discover if it's the user's first girlfriend's dog's birthday. The attacker might know that, but these tools don't.

What they do measure is simply the difficulty for a bruteforcing tool to crack it. Not even the entropy of the password, which is an attribute of the generation method, just an estimate of how long it would take a bruteforcing tool to successfully find the correct password.
Obviously, entropy has an effect on this, but it is only total entropy that matters, not entropy-per-character. So yes, having a lot of equi-probable options for each character does add to the entropy, but length can play an even more important part in making a password uncrackable, by raising the entropy-per-character to a higher power, by character count. This makes for a much higher total entropy, which is the only thing that matters.

So, in your case - yes, the 32-character, alpha-only passphrase is much stronger than the 8-character punctuation password.


I'm gonna try and do the maths here for a bit: (please correct me when I'm wrong):

If we assume standard US-style keyboard, there are 85 possible printable characters (possibly be able to scrape a few more, but lets go with this for now): lowercase letters + upper case letters + numerals + standard punctuation + space.
This grants ~6.3 bits strength per character; at 8 chars length the password gives you ~50.4 bits strength.
Note really very strong... Even if we throw in a few more "special" characters, you're not going to upgrade that very much.

Now, for your 32 character, alpha-only passphrase...
Let's assume lowercase and uppercase letters only (even though you didnt use any), plus a space (U+32). Not even numerals...
That gives you 54 possible characters, around ~5.8 bits per character. At 32 chars long, thats over 185 bits strength. Substantially stronger. And that's even without numerals, which are usually accepted even in "simple" password schemes.


Bruce Schneier often talks about how switching to long memorable passphrases would be much more secure than short, randomized weird-looking passwords.
Now you see why.

AviD
  • 72,708
  • 22
  • 137
  • 218
  • 2
    What was your method of calculating bit strength per character? – Steve Mar 24 '11 at 17:50
  • 3
    @SteveS - I took a trivial calculation, of how many possibilities there are in the acceptable range (for each character, 85|54 possibilities), and translated that into how many bits are required to represent those possibilities. Admittedly this was a pretty rough estimation, back-of-the-napkin type calculation, not very lab-worthy (hence the approximations), but I think it's still relatively representative. – AviD Mar 24 '11 at 18:55
  • 7
    Excellent answer @AviD. If only more people did the math (and software vendors quit with the arbitrary "Sorry, your password must be between 8-16 characters" size limitation I would be a much happier man. – Dan McGrath Jun 02 '11 at 13:13
  • 3
    appendix A here goes through the same calculations. http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf –  Jun 13 '11 at 16:16
  • 3
    @Graham very interesting. That doc actually has different results, mainly because I was referring to a completely random selection of characters, whereas the NIST doc smartly takes user choice into account - i.e., not random, and hence less bits of entropy per character. I think the NIST doc is more correct than my answer here - but still not sufficient, if you're going that way knowledge of the user should be taken into account too, not just language features. However, at that point it's no longer a question of entropy bits anyway... and regardless, this q was specifically about bruteforce... – AviD Jun 13 '11 at 17:00
  • The calculation is more like 6.3 bits * 8 characters vs. 7 random words out of, say, 2048 (11 bits) each, so 50-something vs. 77 bits of entropy. You even need to shave off some more bits from the passphrase to account for grammar. OTOH, you have to scrape quite some bits off the traditional password if you want it to be memorable. See also http://xkcd.com/936/ - the result of that analysis, 28 vs. 44 bits, is actually quite accurate. – tdammers Dec 28 '11 at 19:25
  • @tdammers you're correct of course, if you analyze the passphrase as a set of words (or even a proper sentence), however as I noted I was treating it as a series of letters, without grammar etc, as per the intent of the original question. Also see the previous comments, re the NIST calculations... – AviD Dec 29 '11 at 00:52
  • The original question boils down to "does it check length or strength", and the answer is "both". A good passphrase is still stronger than a good short password even if you treat it as a sequence of words, not characters. And obviously, a six-word passphrase that makes sense grammatically has lower entropy than six randomly chosen English words; picking a famous movie quote reduces the entropy even further. – tdammers Dec 29 '11 at 10:17
  • Again, I absolutely agree with you @tdammers, that a passphrase would be stronger, regardless. However the OP was asking about *tools*, and those tools do not relate to it as a sequence of words, but as a long series of letters. As mentioned, you are correct both in that treating it as a grammatically correct sentence, not to mention proper dictionary based words, would lower the entropy, and also that that entropy is still higher than that of a simple password. – AviD Dec 29 '11 at 17:52
17

You're worried that because the passphrase uses dictionary words, it might be easier to crack than something that must be brute-forced.

tl;dr: This is a valid theoretical worry, but right now it's not a practical concern.

"I am going to have lunch tonight" is a five word phrase using words out of the most common 5000 in the English language. Naively, guessing it is isomorphic to guessing a 5 letter password in a 5000 letter alphabet, which is 3x10^18 possibilities. That's about the same as a 10 character password using upper and lowercase, numbers, and symbols.

Of course, a smart enough cracking program could reduce this considerably. The sentence is standard English prose, which follows such strict rules that it has an information entropy rate of around 1 bit per letter. That means your phrase has 33 bits of entropy, making it only as complex as a perfectly random password of 5 printable ASCII characters.

That's not very complex.

However, to exploit that lack of complexity, you would need a specialized "English passphrase cracker" which could optimize something like markov chain modeling into kernels for GPGPU processing. To the best of my knowledge, nothing like that is even in development at this time. So unless someone with the resources to create that software wants your passphrase, you should be safe for quite a while.

user502
  • 3,301
  • 1
  • 23
  • 18
  • 3
    Very important for this is also that unless the attacker knows your password is formatted like this, it's not a tool they'd use. Even with the relatively small possible number of passwords it's an awful lot to run through "just in case" - especially over a network connection. – Phoshi Mar 24 '11 at 16:29
  • 2
    It's important to note that if I deliberately misspell a single word, like "lunch" as "lunnch", the complexity is immensely increased. – AndSoYouCode May 28 '12 at 09:37
  • 2
    Increased, yes, but not "immensely". All an attacker has to do is include some common errors in the dictionary. If you add on average one typo/misspelling per word, that's doubled your dictionary size, adding one more bit of entropy per word. So that's some value, but not as much as just switching from a phrase to truly-random words. – rosuav Aug 30 '18 at 18:18
  • 3
    I think this answer could use some updates, things have changed in the past ≈8 years. Those are actually top-1600 words or so, but more importantly: https://github.com/initstring/passphrase-wordlist ... it seems people have started developing the tools to crack non-random passphrases. – derobert Jan 11 '19 at 18:57
15

Entropy is a strange thing to measure.

NIST Special Publication 800-63, Electronic Authentication Guideline ncludes guides for estimating password strength:

Entropy varies greatly depending on whether a password is selected by a user or is generated randomly. Statistically, guessing the first character of a password selected by a user is tough, but guessing the second is easier and the third is easier yet. The NIST guidelines give the first character 4 bits of entropy when using the 94 characters available on standard keyboards, but only 2 bits for each of the next seven characters, and so on.

Randomly selected passwords do not display patterns, so each character carries the same level of entropy, about 6.6 bits.

This means an eight-character password selected by a user has 18 bits of entropy, while a random password the same length has about 52.7 bits.

In other words, if you can determine the first 3 characters of my password are

Awe

Then the odds of the next character being s are way, way higher than it being *.

So when we say a password character can be any character, that's not really true; most people use words that have strong patterns in them and implicitly reduce the possible set of the following characters -- thus producing a password with lower entropy (randomness).

Jeff Atwood
  • 4,552
  • 6
  • 26
  • 29
14

I am not sure how "i am going to have lunch tonight" is dictionary vulnerable, its a seven word phrase. Where "th1$.v4l" is a two word phrase with a character join, and character substitution something that password crackers have dealt with since forever it seems.

A few password testers use cracklib+ajax like tests with a small rule base to weed out your "this.val" password.

hpavc
  • 349
  • 1
  • 4
  • 1
    So what are you saying exactly? That the first password is more secured even if it's made up of common dictionary words with no other special characters? – iijj Mar 24 '11 at 11:13
  • 12
    @iijj, thats exactly correct - length is more important. – AviD Mar 24 '11 at 13:14
8

The question of the reliability of password strength checkers also extends to the security of the checker in general. It is scary to see a proliferation of online password strength meters. You're unnecessarily exposing your password to some site out there on the internet! Even local applications for password checking may be nefarious. Claims that the site uses javascript and never transmits the password over the Internet cannot be trusted. Some password strength testing sites are surely run by black hats, who just add them to their dictionaries along with whatever other information they can gather about you. Other sites are run by people with good intentions, but possibly bad implementations, like a vulnerable server, or lack of https. And still others are vulnerable to attacks by "the authorities" who have ways of compelling the site to reveal e.g. the passwords submitted by certain IP address ranges.

I suggest that anyone who uses such a site should never submit a password they actually intend to use.

nealmcb
  • 20,693
  • 6
  • 71
  • 117
  • 1
    See, where you miss the point is that you probably already intend to use the site. Adding a "Password Strength Checker" does not add to your risk. If they really are nefarious they will just not encrypt your password and take it, no need for a whole "Password Strength Checker" ruse... – Dan McGrath Jun 02 '11 at 13:20
  • 1
    @dan - to clarify, I'm talking about the third-party hosted code pointed to in the original post and by others. Of course, if a site I'm creating a password on provides a checker of their own (which they host, securely, etc), then there is just some more attack surface, but at the same site. – nealmcb Jun 02 '11 at 14:16
7

Length is almost everything when trying to defend against brute force attacks.

Even the basic password crackers allow 1337-speak style substitutions, so in your example you are effectively comparing a 7 word passphrase with a 2 word passphrase.

As long as you have long passphrases (where the exact definition of long may vary depending on your needs, but should at least be over 13 chars to make the odds of a rainbow table attack minimal) you force an attacker to try other forms of attack, such as social engineering; finding out where you wrote the passphrase; holding your cat hostage etc.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
7

Theoretically, "password strength meters" cannot work. The tool only sees the outcome of the password generation process, while the password "strength" is really a property of the process. See this answer and then that answer for details.

The best a password strength meter application can give you is how much time it would have taken it to break your password -- in other words, it assumes that the attacker runs the exact same code and knows nothing more about you. This is not a reasonable assumption in practice: the attacker, when he attacks you, is, well, after you, specifically. Relying on a password meter for security is like praying that all attackers will be incompetent: that's a kind of "leap of faith".

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
5

Looking at the Javascript for that Microsoft tool it seems that it only has a limited list of dictionary words (See Lines 264 onwards in the js file), so that might explain why your passphrase is getting a higher rating than perhaps it should.

I personally would recommend this password strength tester it gives a good breakdown of the elements that make up your password and tells you how it can be improved. It rates your password "i am going to have lunch tonight" at 56% and your second password "th1$.v4l" at 74% which seems more realistic.

However, this tool doesn't use any wordlist at all -- your passphrase is marked down just for being all lower case, while "i am going to have lunch tonight!" gets 98%. You can draw your own conclusions about how useful the %age ratings are.

In regards to the affect on length on cracking time checkout this article. Note that its from way back in 2009, though, and GPGPU-based password crackers can now manage 10^9/sec (the "class F" highest level of attack in the article) on a single gaming/workstation PC with a $500 GPU card.

Misha
  • 2,739
  • 2
  • 20
  • 17
Mark Davidson
  • 9,427
  • 6
  • 45
  • 61
  • Seems like a great tool, thanks. Does the overall score imply that it is harder to crack ? – iijj Mar 24 '11 at 11:16
  • 1
    other than the fact that it requires typing you password in to a form over http... – Yaur May 23 '11 at 03:07
  • @Yaur the tester does not send your password across the net at all. It assesses the strength using locally executed JavaScript. – Mark Davidson May 23 '11 at 08:06
  • 1
    @Mark Davidson that is a difficult thing to verify and something that would need to be done on an ongoing basis. – Yaur May 23 '11 at 08:12
  • 3
    @Yaur I disagree. Verification is fairly simple, use firebug net monitoring mode and you can watch all activity to and from the site. You could also monitor it using wireshark. – Mark Davidson May 23 '11 at 08:58
  • @Yaur You could alternatively use something like `pwqcheck` under Linux and verify the source code manually. – Mark Davidson May 23 '11 at 09:00
  • 1
    Evaluating password quality is very hard. Your recommended checker gave "Very Strong"/"97%" for the password "Dog ate homework!"... Perhaps doing a google search for the password would be a better metric? That "password" gives 6000 hits so it probably is not that great: http://lmgtfy.com/?q=%22Dog+ate+homework!%22 – Mikko Rantalainen Mar 08 '13 at 10:58
  • FYI, the password strength tool you suggested told me "Password1!" was "Strong". (Which it obviously isn't; in fact it's so weak I could probably crack it with a few seconds of manual guessing.) As other commenters have noted, evaluating password strength is _much_ harder than you seem to be implying. – Ajedi32 Feb 19 '19 at 16:08
4

I saw a comic in the newspaper recently. Or maybe it was a digital copy online of a comic, I dont recall.

It illustrated this very debate. And I will now explain to you the point it made:

Just because a password is short doesnt mean its easy to guess, as in the case with "th1$.v4l". But just because a password is long doesn't mean its easy to guess either, as in the case with "i am going to have lunch tonight".

The fact of the matter is, no serious human hacker is going to sit there and guess your password. They might use dictionary words, but those dictionaries dont contain every possible sentence. Just words.

Nope, what hackers do (when they have exhausted a typical dictionary of WORDS), is they usually have the computer go systematically through every possible combination. Beginning to end. If they are forced down this path, the shorter the password, the worse. The longer, the better. Regardless if there are digits or symbols. Digits and symbols only matter to humans remembering and humans guessing. To a computer, they are the same thing... a sequence of 1's and 0's... and it makes no difference.

Do yourself a favor. Keep it long but simple. Short and complex might cost a hacker time, but long and simple will do the same thing. The question is, do you want a password that is easy to remember or hard to remember?

3

Well, if you define the strength of a password as its difficulty or likelihood of being cracked, then almost counter-intuitively, the strength of a password is more a function of its length than its difficulty to remember.

When a potential attacker knows nothing about your password and can only use brute-force to crack your password, a longer password that's much easier to remember, like

"i am going to have lunch tonight"

will take more time to crack than

"th1$.v4l"

simply because there are more characters that the attacker would need to guess correctly in order to crack the password. The longer passwords present a larger search space to exhaust, give your needle (password) a much bigger haystack to hide in.

3

Well all password strength checker tools verifies how much effort it will take to find the password using brute force and dictionary attack.

like if you compare your results here of both password.

http://www.passwordmeter.com/

"th1$.v4l" is

Strong password with 74%

"i am going to have lunch tonight" is

Good password 56%

this password will take less time to crack using brute force.

  • http://www.passwordmeter.com/ is nice tool as for password statistics but the final strength number is not good. Consider password: "1111111111111111111111111111111111133333336666666666546546644646". The score is 0%. That's nonsense. I like the tool http://password-checker.online-domain-tools.com/. It allows you to do a dictionary check too. – Martin Vseticka Feb 03 '13 at 12:38
3

Password strength can only be estimated by you alone or by someone else if you tell them how you create your passwords. For example, if I use a random password generator that uses a 50-character set and my password is 8 characters long, my password will be 1 among approximately 3.9×1013 or 245. If I use Chinese Pinyin-based passwords and my password is a phrase of 4 words, given that each word is out of a possible 2,050, my password is 1 out of a possible 1.8×1013. The average Pinyin romanization of a Chinese character is about 3 to 4 characters long making a "4-word" password about 16 characters. Yet, this Pinyin password is weaker than the 8-character password generated from a character set of 50.

If an attacker knows how a password was generated (let's say by examining the plain text passwords stolen from a few insecure sites) by a certain person, they have the knowledge necessary to lower the difficulty of brute-forcing by a lot! Because they know that you are not using all of the possible characters on your keyboard anymore, they can eliminate impossible combinations and save time.

The next time you generate a password, think about the algorithm/method you are using to generate one. Using Password Safe to generate a 21-character password out of a 72-character set (+-=_@#$%^&<>/~\?abcdefghijkmnopqrstuvwxyzandABCDEFGHJKLMNPQRTUVWXY346789), you get approximately 1.0×1039 possible combinations or 130-bits of security.

Kevin Li
  • 601
  • 4
  • 6
  • Ten random selections from a list of four thousand common words will give about the same password entropy, while still being easy to type or transcribe if you ever need to. Length makes a HUGE difference, even with all-lowercase ASCII-only. – rosuav Aug 30 '18 at 18:24
1

Password strength checkers are, as a rule, not very reliable. They tend to rely on overly simplistic calculations which assume attackers will only attempt to guess your password by trying every possible combination of characters, an assumption which is rarely true in practice.

In reality, a motivated attacker can come up with all sorts of different strategies for guessing your password, some of which no password strength checker may ever have been programed to consider.

For example, the password "!QAZXSW@#EDC" might look pretty random, until you realize I wrote it by pressing a very simple pattern of keys on a standard English keyboard. An attacker using a program designed to guess keyboard-layout-based passwords could easily crack such a password in minutes. (And indeed, Have I Been Pwned's Pwned Passwords Checker indicates that this exact password has already been used and cracked multiple times.) Similarly, "i am going to have lunch tonight" might seem strong to your typical password strength checker, but it could be easily cracked by an attacker using a program designed to guess common English sentences.

There are password strength checkers which are better at this sort of thing than others (ZXCVBN, for example, can detect the keyboard-pattern-based password I gave above and give a more realistic strength estimate) but ultimately it is not always possible to tell how strong a password is just by analyzing the password itself. It isn't safe to assume that just because the password strength checker you're using can't guess what method you used to choose your password, that an attacker trying to guess your password won't. That assumption is known as "security by obscurity" and it's considered bad practice to rely upon in the information security community.

So what should you do instead? Choose your passwords randomly, preferably using a source of randomness like dice that can't be weakened by natural human biases. That way, even if you assume the attacker knows exactly how you generated your password, you can still easily calculate how many guesses the attacker would have to try before correctly guessing your password.

Diceware is a good example of such a method for generating passwords. Four random Diceware words will take 77764/2 = ~1.83 quadrillion guesses on average for an attacker to guess, even if they know the exact list of words you chose your password from. Passwords generated by a password manager are strong for similar reasons.

For more information on how to choose passwords securely, I recommend Thomas Pornin's answer to "XKCD #936: Short complex password, or long dictionary passphrase?", which goes into detail on password entropy and how to calculate the strength of a randomly-generated password.

Ajedi32
  • 4,695
  • 2
  • 26
  • 61