2

Hey there, I wonder how to measure password strength best. I found two different pages: http://rumkin.com/tools/password/passchk.php and http://www.passwordmeter.com/

and they give completely different results about different passwords. Somehow it's obvious to measure in bits, but then it could be hard to tell how many different chars to take into account, e.g.:

Let's say my password is aB*, then someone using brute-force would have to use special chars, upper and lower letters, thus ~60 different chars, i.e. 60^3 combinations. Thanks so far!

tim
    Some password checkers will also test for dictionary words. Sometimes omitting a letter and having a shorter password is stronger than a longer one that appears in a dictionary. – Adam May 16 '11 at 07:37
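
The exhaustive-search estimate the question describes, next to the dictionary effect raised in the comment, as an added example that is not code from any poster on this page. The character-class sizes (printable ASCII) and the four-word sample list are assumptions made for the illustration.

```javascript
// Added example. Class sizes assume printable ASCII; they are not from the page.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 }, // anything else counts as ASCII punctuation
];

// Constructed sample list; a real checker loads a large dictionary.
const SAMPLE_WORDS = ["password", "dragon", "monkey", "letmein"];

// Alphabet size an exhaustive search has to cover for this password.
function poolSize(pw) {
  return CLASSES.reduce((n, c) => (c.re.test(pw) ? n + c.size : n), 0);
}

// Exhaustive-search estimate: length * log2(pool size).
function bruteForceBits(pw) {
  const pool = poolSize(pw);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Dictionary-aware estimate: the longest listed word found in the password
// costs log2(list size) bits instead of its per-character cost; only the
// remaining characters are scored by exhaustive search. Case changes and the
// word's position are ignored, so this is a simplification.
function estimateBits(pw, words = SAMPLE_WORDS) {
  const lower = pw.toLowerCase();
  const hit = words
    .filter((w) => lower.includes(w))
    .sort((a, b) => b.length - a.length)[0];
  if (!hit) return bruteForceBits(pw);
  const i = lower.indexOf(hit);
  const rest = pw.slice(0, i) + pw.slice(i + hit.length);
  return Math.log2(words.length) + bruteForceBits(rest);
}

for (const pw of ["aB*", "password1", "pswrd1"]) {
  console.log(pw, bruteForceBits(pw).toFixed(1), estimateBits(pw).toFixed(1));
}
```

A meter that only counts character classes and one that also checks a word list will disagree on inputs like `password1`, which is one reason two checkers can report very different strengths for the same password.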

2 Answers

2

Just award a score based on certain characteristics of the proposed password:

  • 1 point for each character in the password
  • 2 points if it uses both numbers and characters and 3 points if it contains non-number or character symbols also.
  • 2 points if it contains both uppercase and lowercase letters.
  • -2 points for each word that can be found in a dictionary (though that might be more difficult to check).
  • -2 points if a number can be representative of a year.

From that, take some examples of good and bad passwords and get an idea of what a good score would be.

Neil
1

This is the scheme I am using and it seems to work quite well.

Public Enum PasswordComplexityScore
    BadPassword
    MediumStrengthPassword
    GoodPassword
End Enum

Public Function CalculatePasswordComplexity() As PasswordComplexityScore

    Dim Score As Integer

    'If the password matches the username then BadPassword 
    If Password = UserName Then
        Return PasswordComplexityScore.BadPassword
    End If
    'If the password is less than 5 characters then BadPassword
    If Password.Length < 5 Then
        Return PasswordComplexityScore.BadPassword
    End If

    Score = Password.Length * 4

    Score = Score + (CheckRepeatedPatterns(1).Length - Password.Length)
    Score = Score + (CheckRepeatedPatterns(2).Length - Password.Length)
    Score = Score + (CheckRepeatedPatterns(3).Length - Password.Length)
    Score = Score + (CheckRepeatedPatterns(4).Length - Password.Length)


    'If the password has at least 3 numbers then score += 5
    If CountNumbers() >= 3 Then
        Score = Score + 5
    End If

    'If the password has at least 2 special characters then score += 5
    If CountSymbols() >= 2 Then
        Score = Score + 5
    End If

    'If the password has upper and lower character then score += 10 
    If HasUpperAndLowerCharacters() Then
        Score = Score + 10
    End If

    'If the password has numbers and characters then score += 10
    If HasNumbersAndCharacters() Then
        Score = Score + 10
    End If

    'If the password has numbers and special characters then score += 15 
    If CountNumbers() > 0 And CountSymbols() > 0 Then
        Score = Score + 15
    End If

    'If the password has special characters and characters then score += 15 
    If CountLetters() > 0 And CountSymbols() > 0 Then
        Score = Score + 15
    End If

    'If the password is only characters then score -= 15
    If CountLetters() > 0 And CountNumbers() = 0 And CountSymbols() = 0 Then
        Score = Score - 15
    End If


    'If the password is only numbers then score -= 15
    If CountLetters() = 0 And CountNumbers() > 0 And CountSymbols() = 0 Then
        Score = Score - 15
    End If

    If Score > 100 Then
        Score = 100
    End If

    If Score < 34 Then
        Return PasswordComplexityScore.BadPassword
    End If

    If Score < 68 Then
        Return PasswordComplexityScore.MediumStrengthPassword
    End If

    Return PasswordComplexityScore.GoodPassword

End Function

I have been using this in production for about 8 years now. I think I converted it from someone else's JavaScript into VB6, then into VB.NET.

I can post all the supporting functions if you want.

Cheers

David Steele