
Very similar to this question at Wordpress Development, but intentionally asked here.

A password that contains:

  • at least one capital letter,
  • at least one small letter,
  • at least one number and
  • at least one non-alphanumeric character,

is considered moderate to strong (sometimes even very strong) on all systems that I've been using so far... except Wordpress, where it is considered very weak.

What am I missing here? Am I dreaming that passwords like the above are at least moderate, while they're actually very weak (and the person who made Wordpress Network's password strength meter is right), or has someone at Wordpress passed some borders and is treating moderate passwords as very weak, while they're actually moderate?

trejder
  • Just using those rules, your question suggests that `qW2!` would be a `moderate` or `strong` password. The strength indicator of wordpress seems to be based on length as well as type of characters. E.g., it seems that I need 10 somewhat random all-lowercase characters to get `strong`, but if I include all possible characters, I can get `strong` with 7 characters. So the strength indicator of wordpress makes sense to me. – tim Apr 02 '15 at 19:32
  • @tim. Yes, of course! But, then again... According to [an answer given at WD](http://wordpress.stackexchange.com/a/183063/17323), they're using the `zxcvbn` library by Dropbox. I used it to verify that a password that I'm usually using is considered _strong_ by the Wordpress / Dropbox checker. While it [turned out to be so weak](http://security.stackexchange.com/q/78771/11996) that I wasn't able to continue registration on Samsung. I begin to think if we're not falling into some kind of paranoia. How can the same password be considered _strong_ by one checker and _too weak to continue_ by another? – trejder Apr 02 '15 at 20:18

2 Answers


There are different ways to measure password strength. Most sites probably do as you think, which is some formula that takes into account special characters, capital letters, numbers, etc. and the combination thereof. Another way, which it sounds like WordPress might employ, is measuring password strength by entropy.

In information theory, as the linked Wikipedia article says, "Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss."

You can test whether WordPress works in this manner by gauging how strong it calls your password as you simply make it longer (they probably include a bare minimum length and complexity). It is actually quite likely they are using a hybrid version of these.

armani
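To make the entropy model in this answer concrete, here is an added example (not the answer's own code, and not what WordPress or zxcvbn actually run) that scores a password as length times log2 of the alphabet it draws from; the per-class pool sizes and the rating thresholds are assumptions. It reproduces tim's observation above: ten lowercase letters and seven mixed-class characters land in the same band, while `qW2!` satisfies all four rules and still scores very weak.

```python
import math
import string

# One pool per character class the question lists (assumption: the 32
# printable ASCII symbols in string.punctuation stand in for "non-alphanumeric").
POOLS = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)

def pool_size(password):
    """Size of the union of every class the password actually uses."""
    size = 0
    for _, chars in POOLS:
        if any(c in chars for c in password):
            size += len(chars)
    return size

def entropy_bits(password):
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    size = pool_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)

def rating(bits):
    """Bands are an assumption chosen to mirror the coarse labels meters show."""
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "moderate"
    return "strong"

def rate(password):
    return rating(entropy_bits(password))

if __name__ == "__main__":
    for pw in ("qW2!", "abcdefghij", "aB3!xYz", "ogNeTJeB6w5YhRsy972c"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits -> {rate(pw)}")
```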

What is "password strength"? In most people's minds, it's the difficulty factor malicious actors would have when they are trying to guess your password. Password strength meters generally answer a slightly different question: how many iterations would it take someone to guess your password if they were guessing every possible character combination in order starting with 'A' through 'z', then 'AA' through 'zz' and so on, a technique known as brute forcing.

What's the difference? Those two things aren't the same because you don't know how fast the bad guys are guessing nor what technique they're using to guess. "Your password would take 1 year to guess" is utterly meaningless without context. How fast they're guessing is usually dependent on the method the server used to store passwords because the most common time they're guessing passwords is when they've hacked a site and downloaded the database of user info. If the hacked server was storing passwords in plaintext, then bad guys can figure it out regardless of your password "strength". Commonly, servers won't store passwords directly and will instead store the output of one way functions like MD5 and SHA. At that point the bad guys can't take the output and figure out the input; they have to guess the input and run it through the function to see if the outputs match. Modern password cracking software can leverage GPUs and make billions of guesses every second, and if you see a site that calculates "years to crack your password" it's generally assuming this scenario with bad guys who are brute forcing their guessing. Sites with better security, like updated versions of Wordpress, will use these functions on the password and then use them again on the output and again and again, so that it may take a few milliseconds extra for the server to log you in but the bad guys will only be able to guess thousands of passwords a second in these sorts of attacks.

And what if they're not brute forcing? A password of "passwordpasswordpasswordpasswordpassword" would take a very long time if bad guys were guessing every single letter combination, but if they were using a modern password cracking tool they'd be able to guess concatenations of words from their dictionary and would probably be able to guess that one a lot faster than "ogNeTJeB6w5YhRsy972c". I haven't seen a password strength meter that actually uses a good dictionary of leaked passwords, yet that's exactly what your password will be up against if a site you've registered with gets compromised.

None of that background directly answers your question, but I think it's necessary to understand in order to answer whether or not a password with those 4 characteristics is "strong". The answer is somewhere between "it depends" and "it doesn't matter". If a vulnerability in your site has allowed a malicious actor to download your list of hashed passwords, whether there's a special character in your admin password isn't actually all that important. But if your 50 character password with high ASCII characters is the same password you use on every site, and you've registered on a site that stores passwords in plaintext, and that site gets hacked, your password strength (by our first definition) has just become very weak. And if you're asking this question, my guess is that you are reusing your password and you're worried that this password you've used all over the internet might not be as great as other password strength meters have led you to believe. That habit is really what's making your password "weak", not whether it contains capital letters.

I gave a TEDx talk on this last year, which I'd recommend watching if you want the 14 minute version of this post. If you want "strong" passwords, use password management software like KeePass, LastPass, or OnePassword to have a different password on every site, and lock your database with a Diceware password.

Aron Foster
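As an added illustration of the two attacker models in this answer (not the answer's own code, nor any real cracking tool), the following compares the brute-force search space with a dictionary-concatenation search for the two passwords quoted above, and converts the cheaper one to seconds at a fast-hash rate and a stretched-hash rate; the six-entry wordlist and both guess rates are constructed assumptions.

```python
import string

# Constructed toy wordlist standing in for a cracker's leaked-password
# dictionary (assumption: a real one holds millions of entries).
WORDLIST = {"password", "123456", "qwerty", "letmein", "dragon", "monkey"}

# Assumed guess rates: an unsalted MD5/SHA on a GPU versus an iterated hash.
FAST_HASH_RATE = 1e9
STRETCHED_RATE = 1e4

def split_into_words(password, words=WORDLIST):
    """Fewest dictionary words whose concatenation equals the password,
    or None if the password cannot be built from the wordlist at all."""
    best = {0: []}  # prefix length -> shortest split found so far
    for end in range(1, len(password) + 1):
        for start in range(end):
            if start in best and password[start:end] in words:
                cand = best[start] + [password[start:end]]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(password))

def brute_force_guesses(password):
    """Search space for an attacker enumerating every string over the
    character classes the password uses (the entropy-meter model)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    alphabet = sum(len(p) for p in pools if any(c in p for c in password))
    return alphabet ** len(password)

def dictionary_guesses(password, words=WORDLIST):
    """Search space for an attacker trying every k-word concatenation,
    where k is the number of words the password splits into."""
    parts = split_into_words(password, words)
    return None if parts is None else len(words) ** len(parts)

def report(password):
    """Guess counts plus crack time (seconds) under the cheaper attack."""
    bf = brute_force_guesses(password)
    dg = dictionary_guesses(password)
    cheapest = bf if dg is None else min(bf, dg)
    return {"brute_force_guesses": bf, "dictionary_guesses": dg,
            "fast_hash_seconds": cheapest / FAST_HASH_RATE,
            "stretched_seconds": cheapest / STRETCHED_RATE}

if __name__ == "__main__":
    for pw in ("passwordpasswordpasswordpasswordpassword", "ogNeTJeB6w5YhRsy972c"):
        print(pw, report(pw))
```

The repeated-word password looks enormous to the brute-force model (26^40) yet falls to 6^5 guesses once the attacker concatenates dictionary words, while the random string has no dictionary split and keeps its full 62^20 space.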