Good and Bad Password Strength Checkers

I’ve found only two good online password strength checkers, Passfault and Kaspersky Secure Password Check. The others I’ve tried are pretty bad. Even with those two decent checkers, you’ll be better off if you use randomly generated passwords instead of trying to think up good ones.

In the recently reported Yahoo security breach, lots and lots of passwords were stolen, in their hashed form. It turns out the passwords had been stolen two years earlier.

And now people keep spreading the same debunked advice on how to make “unbreakable” passwords: that as long as you mix upper and lower case, digits, and punctuation, you’re safe. This has been debunked and satirized, yet the advice keeps circulating.

Test Your Old Yahoo Password

Check your former Yahoo password (the one you’ve changed since the breach was reported, right?):

  1. Go to Passfault.
  2. Type your old Yahoo password but don’t hit Enter or click Analyze yet.
  3. Click Show Options.
  4. Under Cracking Hardware, pick “Government cracker ($500,000 machine).” Yahoo reports that a foreign power did this, so we’ll pick this option to try to simulate that situation.
  5. Under Password Protection, pick “Unix BCrypt Hash,” which is what Yahoo uses.
  6. Click Analyze. The site will estimate how long it would take to crack your password.

If the result is less than two years, the attackers have had plenty of time to crack your password.

If the result is in centuries, the attackers have had only a small chance of success against your password.

You can test your old Yahoo password against the Kaspersky Secure Password Check as well, but note that Kaspersky assumes the use of an average home computer – an attack by amateurs instead of a government with lots of equipment and expertise available.

The Problems With Weak Strength Checkers

The ancient password wisdom about password complexity is a case of misapplied math. The thinking was that if you drew from a larger character set, the attacker’s job was harder. They’d invoke the math that if you had L characters in your password, drawn from a character set of N characters, the attacker would have to try N^L (N to the Lth power) possible combinations in order to get your password. They point out that 8 characters drawn from the whole North American keyboard (95^8) gives far, far more possibilities than 8 lower case letters (26^8).

What’s wrong with that formula? It’s the wrong mathematical model for what really happens.

It applies only to randomly generated passwords, not human-chosen passwords. Very few people use randomly generated passwords. By the way, claiming that “nobody would ever guess THIS password” is not the same as a randomly generated password. A password manager or an online password generator can give you randomly generated passwords that are far stronger than anything you’d make up on your own.

The usual misguided usage of that formula assumes that if you’ve used ANY characters of a particular type (upper case, lower case, digits, or punctuation), that’s as good as using ALL of them. For example, the flawed GRC strength checker assumes that as soon as you change “password” to “Password”, you’ve gone from 26^8 to 52^8. If you also add a digit to the end, GRC claims you’ve now created 62^9 possibilities. How on earth does capitalizing one character and adding one digit create that much improvement? It doesn’t. “Password1” could be cracked within a fraction of a second. The formula 62^9 would be relevant only if you used a rich, random mix of upper case, lower case, and digits.

Put yourself in the attacker’s shoes. The attacker already knows the most common passwords. They know they’ll get a lot of passwords very quickly if they try those. A mere 50 guesses will catch a lot of passwords. If they try a “dictionary attack” of the most common 10,000 passwords, for example, they’ll crack a lot of passwords quickly. Of the remaining uncracked passwords, the attacker knows that if you’re required to include at least one capital letter, it’s probably the first character, and if you’re required to include at least one digit, it’s probably the last. Therefore, if they brute-force their way through the pattern ULLLLLLD (one upper case, six lower case, one digit), their next (26^7)*10 guesses will catch a lot of passwords. The weak strength checkers would have you believe that the attackers have to go through 62^8 possibilities, but it turns out that searching only a small fraction of those possibilities will have a big payoff. The attacker could eventually be faced with 62^8 guesses, but not until they’ve already picked a lot of the low-hanging fruit. They might not even bother with the full workload of guessing all possible passwords.
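The two models described above, as an added example that is not code from the original post: the naive character-class count that GRC-style checkers report, beside the far smaller search an attacker actually runs by trying common passwords first and then a mask such as ULLLLLLD. The common-password list and the guess rate are constructed for illustration, not real data.

```python
# Added example, not code from the original post: contrasts the naive
# "character class" model used by weak strength checkers with the much
# smaller search space an attacker really covers by trying common passwords
# first and then a mask such as ULLLLLLD.  The common-password list and the
# guess rate are constructed for illustration, not real data.
from math import log2

UPPER, LOWER, DIGIT, PUNCT = 26, 26, 10, 33   # 26 + 26 + 10 + 33 = 95 keys

# Constructed stand-in for the attacker's list of most common passwords.
COMMON = ["123456", "password", "qwerty", "Password1", "letmein"]

def naive_keyspace(password: str) -> int:
    """Flawed model: one character of a class is counted as the whole class."""
    n = 0
    if any(c.isupper() for c in password): n += UPPER
    if any(c.islower() for c in password): n += LOWER
    if any(c.isdigit() for c in password): n += DIGIT
    if any(not c.isalnum() for c in password): n += PUNCT
    return n ** len(password)

def pattern_of(password: str) -> str:
    """Map a password to its class mask, e.g. 'Password1' -> 'ULLLLLLLD'."""
    return "".join("U" if c.isupper() else "L" if c.islower()
                   else "D" if c.isdigit() else "P" for c in password)

def mask_keyspace(mask: str) -> int:
    """Guesses needed to exhaust one mask: 'ULLLLLLD' = 26 * 26**6 * 10."""
    size = {"U": UPPER, "L": LOWER, "D": DIGIT, "P": PUNCT}
    n = 1
    for ch in mask:
        n *= size[ch]
    return n

def attacker_guesses(password: str) -> int:
    """Guesses if the attacker tries COMMON first, then the password's own mask.
    For a truly random password the attacker does not know which mask to pick,
    so the real cost there is far higher than this single-mask figure."""
    if password in COMMON:
        return COMMON.index(password) + 1
    return len(COMMON) + mask_keyspace(pattern_of(password))

if __name__ == "__main__":
    rate = 1e5   # constructed: guesses per second, an assumption for illustration
    for pw in ["Password1", "Passwor1"]:
        naive, real = naive_keyspace(pw), attacker_guesses(pw)
        print(f"{pw}: naive {log2(naive):.1f} bits ({naive / rate / 86400:.2g} days),"
              f" realistic {log2(real):.1f} bits ({real / rate / 86400:.2g} days)")
```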

What’s the Answer?

Use a password manager that will generate long, random passwords for you – a different password for every site you care about. You’ll need to remember your master password for the password manager, but not all the individual passwords.

Use two-factor authentication wherever it’s available. That way, even if your password is guessed or stolen, the bad guys still don’t have enough info to log in as you. If a site doesn’t offer two-factor authentication, using a password manager with long, random passwords is still a lot safer than self-chosen passwords.

Avoid using the flawed password strength checkers that make really bad assumptions about how password attacks work. You can use Passfault and Kaspersky Secure Password Check for some realistic assessments, but you won’t need them if you use a password manager and two-factor authentication.

Jim Becker