Passwords are a weak link in the computer security chain because they rely on us being good at something we find extremely difficult.
And while we aren’t getting any better at choosing strong passwords, password cracking hardware and software continues to improve relentlessly.
Website owners can employ a range of measures to help users choose better, stronger passwords and one of the most popular techniques is to include a password strength meter.
The meters are designed to help users understand if their password choices will resist attempts to crack them.
The trouble is, they don’t quite do that.
The Theory
The best way to determine how difficult it is to crack a password is to try doing just that.
But attempting to crack passwords requires lots of time and lots and lots of processing power, and it isn’t a practical solution for websites.
The next best option is to try to work out what characteristics passwords that are difficult to crack share, and to check for those instead.
Simple password meters check the length and entropy of the password and have checklists for the kinds of things that users are advised to include in their passwords: mixtures of upper and lower case letters, numbers and special characters, for example.
That helps determine a password’s ability to withstand a brute force attack (an attacker making guesses at random), but being resistant to brute force attacks is only useful if that’s what an attacker is going to do, and it probably isn’t.
A brute force attack assumes that all guesses are equally good.
The reality is that some guesses are far better than others because our password choices are not random – they’re underpinned by patterns and habits.
Modern password cracking is about making smart guesses in the order that’s most likely to yield the greatest number of cracked passwords for the least effort.
Attackers can feed their cracking software with huge repositories of real words and then create rules to modify those words in the same way we do when we create passwords.
They know that some words are used more often than others and they know about the cute tricks and bad habits we use to obfuscate them. They know that we use 0s instead of Os and 4s instead of As, and they know that we tend to put our upper case letters, special characters and numbers at the beginning and end of our passwords.
To illustrate the difference, I thought I’d run a test on the kind of password strength meters that web developers are likely to include in a website.
The Test
I chose five truly awful passwords and then tested them using the first five embeddable password strength meters I found…
The Passwords
I downloaded a list of the 10,000 most common passwords and quickly chose five that had characteristics I thought password strength meters might overrate:
- abc123 – number 14 on the list, first to mix letters and numbers
- trustno1 – number 29, second to mix letters and numbers
- ncc1701 – number 158, registration number of the USS Enterprise
- iloveyou! – number 8778, first with non-alphanumeric character
- primetime21 – number 8280, longest with letters and numbers
Be in no doubt, these passwords are dreadful and offer no useful protection; they’re short and non-random, they include dictionary words, the numbers are always tacked on the end in a predictable way, and they appear in a list of words anyone can download off the internet.
Just in case you’re still not convinced about how bad they are I’ll show you.
I measured how long it takes to crack them using a password cracking program, John the Ripper, with an out-of-the-box configuration running on a normal, two-year-old laptop. The times are rounded to the nearest second:
Password | Time to crack (Day:Hour:Min:Sec) |
---|---|
abc123 | 0:00:00:00 |
trustno1 | 0:00:00:00 |
ncc1701 | 0:00:00:00 |
iloveyou! | 0:00:00:00 |
primetime21 | 0:00:00:00 |
They were all cracked instantly, before the first second was up. And I was doing it the slow way – a dedicated password cracker would use proper equipment.
The meters
To make this as realistic as possible I tested strength meters that come as jQuery plugins.
If you asked a web developer to add a password strength meter to your website there’s a very good chance they’d use a jQuery plugin – a bit of code that can be dropped into almost any website to extend its functionality.
I googled jquery strength meter and picked the first five I came across so, according to Google at least, these are five of the most popular.
I’ve included the same words (abbreviated) and colours that the password strength meters use in my chart:
Password | 1 | 2 | 3 | 4 | 5 |
---|---|---|---|---|---|
abc123 | Weak | Weak | Good | Weak | Weak |
trustno1 | Norm. | Weak | Good | Norm. | Weak |
ncc1701 | Med. | Weak | Good | Weak | Weak |
iloveyou! | Med. | Good | Good | Med. | Weak |
primetime21 | Med. | Good | Good | Med. | Med. |
Remember that it takes 0 seconds to crack any of these passwords. None of the passwords on my list were anything less than awful.
A password strength meter that doesn’t reject all five out of hand is not up to the job of measuring password strength.
They all failed. And not only that, they don’t agree.
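To make the gap between the two approaches concrete, here is an added example (not code from the article or from any of the jQuery plugins it tested). `naiveScore` does what the checklist meters do: count character classes and estimate brute-force bits. `smartCheck` does what the cracker does instead: undoes the 0-for-O style substitutions, peels the numbers and symbols tacked on the ends, and looks the result up in a list of known-bad passwords and dictionary words. Both lists here are small constructed stand-ins for the 10,000-entry list and the wordlists the article mentions; the extra passwords tried are constructed too.

```javascript
// Constructed stand-in for the "10,000 most common passwords" list (a handful
// of entries, including the five tested in the article).
const COMMON_PASSWORDS = new Set([
  "123456", "password", "abc123", "trustno1", "ncc1701",
  "iloveyou", "iloveyou!", "primetime21", "monkey", "letmein",
]);
// Constructed stand-in for a dictionary wordlist.
const DICTIONARY = new Set(["prime", "time", "primetime", "love", "trust", "password"]);
// Substitutions a rule-based cracker undoes ("0s instead of Os and 4s instead of As").
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
               "@": "a", "$": "s", "!": "i" };

// 1. The checklist meter: which character classes appear, and how many bits a
//    password of this length would carry IF every character were uniformly random.
function naiveScore(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33;   // printable ASCII symbols
  const bits = pw.length * Math.log2(alphabet || 1);
  let label;
  if (bits < 28) label = "Weak";
  else if (bits < 44) label = "Medium";
  else if (bits < 60) label = "Good";
  else label = "Strong";
  return { bits: Math.round(bits), label };
}

// 2. The cracker-minded check: generate the base forms a wordlist+rules attack
//    would reach from this password, then look each one up.
function baseForms(pw) {
  const lower = pw.toLowerCase();
  const variants = new Set([lower]);
  // Peel trailing digits/symbols one at a time: "trustno1!" -> "trustno1" -> "trustno".
  let s = lower;
  while (s.length > 0 && /[^a-z]$/.test(s)) { s = s.slice(0, -1); variants.add(s); }
  // Peel leading digits/symbols: "!abc123" -> "abc123".
  let t = lower;
  while (t.length > 0 && /^[^a-z]/.test(t)) { t = t.slice(1); variants.add(t); }
  // Undo leet substitutions on every variant: "p@ssw0rd" -> "password".
  const forms = new Set();
  for (const v of variants) {
    forms.add(v);
    forms.add(v.replace(/[013457@$!]/g, (c) => LEET[c] || c));
  }
  forms.delete("");
  return forms;
}

function smartCheck(pw) {
  for (const form of baseForms(pw)) {
    if (COMMON_PASSWORDS.has(form)) {
      return { ok: false, reason: `derived from known-bad password "${form}"` };
    }
  }
  for (const form of baseForms(pw)) {
    if (DICTIONARY.has(form)) {
      return { ok: false, reason: `built on dictionary word "${form}"` };
    }
  }
  if (pw.length < 12) return { ok: false, reason: "shorter than 12 characters" };
  return { ok: true, reason: "no known-bad base form found" };
}

// Side-by-side report for a list of passwords.
function compare(passwords) {
  return passwords.map((pw) => {
    const naive = naiveScore(pw);
    const smart = smartCheck(pw);
    return { password: pw, naive: `${naive.label} (${naive.bits} bits)`,
             smart: smart.ok ? "accept" : `reject: ${smart.reason}` };
  });
}

// The article's five passwords, plus constructed "disguised" versions and one
// genuinely random string.
console.table(compare(["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
                       "P@ssw0rd!", "Pr1meT1me21", "1L0veY0u", "xk7Qm2pLw9Rt4Vz"]));
```

The checklist meter rates the five article passwords Medium or Good, much as the tested plugins did, while the blocklist-based check rejects all five and their leet-disguised relatives, and passes only the random string.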
There were no good password strength meters in my test but that doesn’t mean there aren’t good ones out there. Unfortunately, because you don’t know which one you’ll be using next time you type a password into a website, you can’t trust any of them.
I’m not the only one who’s noticed that password strength meters don’t deliver.
Researchers at Concordia University, Montreal published detailed research in 2014 that concluded:
In our large-scale empirical analysis, it is evident that the commonly-used meters are highly inconsistent, fail to provide coherent feedback on user choices, and sometimes provide strength measurements that are blatantly misleading.
There is, however, a faint glimmer of hope.
Research from Microsoft that looked at the success of password strengthening techniques in the real world concluded that despite their inadequacies, password strength meters lead to stronger passwords:
Those who saw a meter tended to choose stronger passwords than those who didn’t, but the type of meter did not make a significant difference.
So, password meters are not a reliable guide to how likely it is that your password will be cracked but they do seem to nudge people in the direction of creating stronger passwords in general.
If you want to know how to be sure that you’re generating strong passwords take a look at our video on how to pick a proper password:
tom
I use a password manager on my home pc. I don’t access any personal accounts from any other computers. I have my passwords saved to a USB drive that does not leave my computer desk. My boss asked me to check my personal e-mail at work one day, I told her I can’t, I didn’t know the password, there was a pause on the phone, and I told her the above. I’m the network admin, so I suppose she thought I was doing it for a reason. A month later she freaked about hearing a news piece on ransomware. She really didn’t get the seriousness of hacking and security until then.
Freonpsandoz
But what do you use as a password for the password manager?
Ian
The closest I’ve seen to a ‘good’ password strength indicator is ‘zxcvbn’ by the makers of Dropbox. It isn’t a website you can visit but a piece of software you can plug into other websites. It does some very clever things to recognize bad passwords, including having a massive database of insecure passwords. So the password “this is a test” is significantly LESS secure than “this is a tes”, whereas traditional strength indicators will see it as more secure. I include it in all my projects where a password is required.
For my own passwords I use a password manager like Tom, except I use one that syncs across all my machines for convenience.
Mark Stockley
Yes, I’ve heard good things about the Dropbox password strength meter although I’ve not had a good look myself.
I believe it’s mentioned in the first set of research I cite and I know that it was adopted by WordPress from version 3.7 onwards for its quality.
The database of bad passwords is really important – indeed, IIRC, the second bit of research I cited went so far as to suggest that a list of bad passwords is probably a better place to start than many other methods of ensuring password quality such as poor quality strength meters and password policies.
mryeah
There is a website you can visit: [deleted]
msbob
This is the best I have seen. Not only does it rate the password, it shows time to crack by various cracking speeds, and notes when it’s a commonly used password. I tested “3edc4rfv5tgb”, which might seem strong, and it shows a crack in less than 1 second to 32min on a fast cracker and also that it’s in a known database!
Freonpsandoz
I set up a Dropbox account, but I can’t find any password checker. I think that this capability is no longer offered by Dropbox.
waterlink
It’s not a service offered by Dropbox. It’s an open-source code library, source of which is hosted on Github right now: https://github.com/dropbox/zxcvbn
Freonpsandoz
That link is now broken.
Paul Ducklin
Deleted the link, thanks.
Mark Stockley
Anton Dedov has done some excellent work evaluating password strength meters and zxcvbn does OK.
http://password-policy-testing.wikidot.com/results
Jim
There are so many rules one could follow that WOULD make good passwords; it’s a shame people don’t use them as much. Simple things like:
Capitalize the SECOND letter of words instead of the first. Or the last.
Put a punctuation mark or number in the middle of your password. Preferably in the middle of a word. But, NOT as a replacement character.
Repeat previous with a number, but again, not replacing a letter.
Deliberately miszspell a word. (Just make sure your misspelling doesn’t accidentally create two real words, like “missspell” (“miss” & “spell”) would have if I added an “s” instead.)
Paul Ducklin
Or watch the video :-)
Ix9h6lA8
All incredibly weak rules and tricks. And I don’t mean that as an insult or anything. What you’re describing still takes dictionary words or natural language in any case as a basis and simply applies some methodology of butchering it. Those rules can easily be described in a password cracker’s code. And go through all of the possible combinations stupidly fast.
Best still is to just go literally random. Simply because the only avenue of attack that leaves open is bruteforce and that one is very easy to counter — going wide. 16 completely random characters is already harrowing for most bruteforce attacks. Now extend that to 32. Or heck, like my Mojang account’s password — 512. Yeah, that’ll never be bruteforced.
Anonymous
yeah but you’ll also never remember it on your own.
I use an algorithm I’ve memorized which incorporates the name of the site into it, but only for coming up with the characters to use – no substitutions or dictionary words. The result is 32+ char passwords that are random enough to count.
Deramin
Passfault is an interesting open source project to address many of these inadequacies. http://www.passfault.com/ Not sure if it’s still active.
I think there would be real value in displaying what password meter was being used, with a link to its methods. Then you could at least decide for yourself if you trust it.
Mark Stockley
Regarding the implementation details I think that’s a good idea. Most people won’t bother to look but some will and we could use a bit of an arms race.
I tried a few of my dreadful test passwords on passfault and the results are highly ambiguous. For example abc123 is rated at less than 1 day to crack and is identified as one amongst 5 million passwords with the same pattern. It is, but that’s missing the point – abc123 is not just another six character alphanumeric string. It doesn’t have a one in five million chance of being guessed it has about one in fourteen.
For abc123 the only right answer is total rejection in my opinion. zxcvbn seems to be trying to do the things you’re talking about.
Lee
the rule of thumb that everyone should be aware of: dictionary/social attack.
1. if your password consists of any word(s) in the dictionary, reguardless of case, number of words, forwards or backwards; then it is unsecure and can be ‘cracked’ within 1 second.
2. if your password is mentioned anywhere on the web, such as a phrase in any language (real or made up), it is insecure and can be ‘cracked’ within 5 seconds. – google can show you the time it takes for its own search engine to match your search words, use this as a guide if you truly believe your poetry (even fake languages) will save you.
3. if your password has anything to do with YOU! :> not just d o b, any address you live(d) at, phone numbers, car reg plate, anything you type on facebook/twitter/social media; your password can be ‘cracked’ in 10 seconds.
This might seem like ‘tin hat’ but these 3 rules are more accurate than you think, possibly even being too generous with the time required.
Paul Ducklin
The time taken by Google to match a search query is unrelated to the time it takes to guess a password that consists of that search string.
Otto Baak (@rossoq)
I don’t understand one thing – how does a PW cracker know that the PW has been cracked without trying it on the site that requires it?
It should be that 3 tries locks the site perhaps for some fairly lengthy time so extending cracking time.
Please advise – thanks.
Mark Stockley
Passwords need to be able to withstand two completely different types of attack; offline and online.
If a hacker is performing an online attack then rate limiting can be extremely effective as you suggest, reducing the number of guesses to perhaps 8,000 a month per user.
If a hacker can steal the password hashes then they don’t have to type anything in to a website and rate limiting does not apply. They can make as many guesses as they like at the fastest speed they can manage.
I cover this in more depth in the article “Do we really need strong passwords?”.
https://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/
Kat
I’ve seen apps vanish or become unusable when the developer orphans them (Why spend $200 + on some apps that may do that?) I don’t trust anything I need to one source or sometimes two. My photos are stored in 3 separate locations, my passwords in 2. One location is encoded in a way I’ve not heard anyone else do and strength checkers that explain why (a facsimile) is weak or strong rates them highly.
I’ve used Donald Watson’s technique of using the first letter of each word, adding numbers, etc and it was pointless as a means to remember.
Make sure to check out the entire range of special characters since there may be more than expected.
Redundancy though. It provides me some peace of mind.
Tony Flaherty
when I was explaining this to staff during Inductions etc. I would talk about two types of attack on their password, and we’ve seen them all in the movies, Brute force, where Bruce Willis plugs a gizmo into the computer he is trying to hack and you see it trying all the possible passwords and social knowledge where Bruce Willis looks around the desk that the computer is on and then types in the name of the owners dog which is handily visible on a picture on their desk. whilst these are not brilliantly accurate examples of how attackers carry out these techniques it allows a dialogue from where you can expand your explanation. Because people are familiar with seeing these on TV it makes it more real to them, or at least helps get the message across.
mcortese
Lee does not provide any evidence for this sentence: “1. if your password consists of any word(s) in the dictionary, reguardless of case, number of words, forwards or backwards; then it is unsecure and can be ‘cracked’ within 1 second.”
A password made of 4 unrelated English words, all lowercase, is still one in tens of million of millions and cannot be guessed within 1 sec without specialized hardware.
John Smith
“Lee does not provide any evidence for this sentence: “1. if your password consists of any word(s) in the dictionary, reguardless of case, number of words, forwards or backwards; then it is unsecure and can be ‘cracked’ within 1 second.”
A password made of 4 unrelated English words, all lowercase, is still one in tens of million of millions and cannot be guessed within 1 sec without specialized hardware.”
He is referring to the case where skilled hackers, working either for a government agency or a well-organized criminal enterprise gets a hold of the database of password hashes, after which cracking can begin at leisure. Given that these are professionals who do this for a living, either on salary or in exchange for a cut of the ill-gotten gains, they will have specialized software and hardware. Think Chinese military or Russian gang-financed hacker.
A strong password works to preserve your privacy because of a kind of triage. If your password hash can’t be cracked within a certain number of tries, the program presumably moves on to the next hash, rather than spend the next couple years working on yours. A strong password works for the person who uses it in the same way that a steering wheel lock convinces a car thief to move on to a softer target – a vehicle without such a lock.
Shade01982
And this is exactly why I have doubts about some of the theories here.
As someone who has worked closely with people specialized in things like this, I have seen a point at which it is no longer feasible or cost-effective to hack passwords. At that point, especially for groups with resources like you mention, it is much more effective to hack the actual system, so they can bypass security altogether. Hacking one person’s password will get you access to that person’s data. But bypassing security altogether will get you access anywhere. So, all the time we spend on making secure passwords, should not take our attention away from creating any actual security.
Take your home for example. One could spend hundreds (if not thousands) of dollars outfitting your front door with multiple locks, specialized security keys and locks, maybe even biometric security and so on and so forth. At that point, any burglar will understand it is just that much easier to just break the window next to it, bypassing your front door security. Not a completely 100% accurate comparison, but you get the idea.
A better example might be the scene from RED, in which Bruce Willis (yeah, him again) and Mary-Louise Parker stand in front of the CIA secure records depository and she asks him if he can open it. Upon which he answers “It can be hacked, it resets every six hours” (or something similar, it’s been a bit since I saw it). He subsequently proceeds to kick in the wall next to it to open the lock from there.
Mark Stockley
The point at which password crackers stop bothering is called the saturation threshold (Microsoft Research reckon that it’s reached – very roughly – when about 10% of passwords in a system have been cracked). After that it’s just not worth bothering to crack any more, either because the costs outweigh the rewards or because you’ve got enough access across the passwords you’ve cracked to compromise an entire network.
Your job as a user is to choose a password that is above the saturation threshold. Unfortunately you don’t know anything about the other passwords and cannot judge where the saturation point is for a given system. Your only rational choice is to pick a password that is likely to remain unguessed for a very long time against a determined and very well equipped adversary (for more on this see “Do we really need strong passwords?” https://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/)
Your job as a sysadmin protecting a system is to focus on strengthening the passwords below the saturation point for your system. For more on this, see “Stop wasting time making the wrong passwords stronger” https://nakedsecurity.sophos.com/2016/11/23/stop-wasting-time-making-the-wrong-passwords-stronger/
Shade01982
We recently had a meeting with some security people regarding our NEN7510/ISO27001 status, at which point an interesting point was made.
The biggest problem with enforcing stronger and more difficult passwords is the people who have to use them. When the passwords become too difficult for people to just remember, they create workarounds, potentially creating even bigger security hazards. And the eternal battle for security continues.
Mark Stockley
It depends on what you enforce, no?
Password research, and the advice that flows from it, has turned a corner in the last few years. There is a lot of old advice out there that seems like it ought to work which fails in the real world because, as you say, it actually pushes people into workarounds that weaken security.
It’s why NIST and other bodies have stopped suggesting you force users to update passwords on an arbitrary schedule (https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/).
Probably the most useful thing you can do to stop people choosing bad passwords is to simply block known bad passwords. You can protect yourself from bad passwords that slip through that check, and from the threat of password reuse, by blocking access after a few failed login attempts and adopting 2FA.
Shade01982
This is all very interesting information, I think I’m going to share this at work, if you don’t mind.
In the Netherlands, there is an organisation called Nictiz, which is often referred to for security issues like this. However, I personally don’t agree with some of their guidelines. Their definition of 2FA for example is “2FA consists of one thing you know, and one thing you have”. By their definition, having a password and a personal ssl certificate is adequate security. However, since we deal with healthcare organisations, most of our users are going to be on the road or at home with patients. The risk of their hardware getting lost or stolen is quite high. This makes the second step in 2FA, having a personal certificate, almost completely ineffective, since any thief will now also have that certificate.
Ix9h6lA8
Well, the thing there is — why bother remembering them? Anything that can be remembered by default is weak. Because human memory simply is that… weak, by comparison anyhow. Best way still is to use a standalone password manager (so no MITM or otherwise is possible) and to rely on random passwords generated by the manager.
Yes, that still leaves the question of malware intrusion on the system the manager is run from but, honestly, if there’s the risk of that, password generation is the least of the security concerns to be worried about.
Shade01982
Well, your option does rule out certain options of intrusion mentioned above, so there’s that. Provided the password manager is sufficiently secure…
Anonymous
Do I have a good password then? My password is very random, I came up with it at the top of my head, and it had no words, it’s random numbers, symbols, and letters mixed together.
Bryan
post it here and we’ll tell you
:-)
Mark Mcduffee
I use a native american language dictionary for the word or words I use, plus random numbers followed by random special characters. I change passwords regularly and never use the same one twice. It seems to keep me safe from the prying eyes of hackers. I’ve never heard of hackers using the 1800 or so native american language dictionaries. That’s why WW2 code talkers were so successful.
Miles O'Reilly
Obscurity is a lousy security mechanism. If you thought of it using rare language dictionaries, assume the hackers have too. It cost little or nothing to add an Inuit dictionary to the hacking database.
Paul Ducklin
Another problem with using a language you don’t understand (or a glossary of phrases that mean nothing to you) is that you have no obvious way of judging how suitable or rare your choice might be.
For example, to an American, a pair of words like “Stamford Bridge” might seem equal in rarity to “Surbiton Tunnel,” or “Old Trafford” might seem equal to “New Malden,” but a quick experiment with a search engine will reveal otherwise.
Juanita
Gentlemen, I believe you missed the part of Mark Mcduffee’s comment that clearly stated that he includes random numb3rs & symbo!s in his passwords, thereby creating a stronger password. He also stated that he changes it often & never uses the same one twice. Seems to be a more secure system of choosing a password than most.
Kolonel Panik (@kolonelpanik)
Juanita, what is your definition of random? From your example, it doesn’t seem likely to be valid.
Anonymous
What about 3-factor ID SW like Symantec’s offering to various companies?? Doesn’t that multiply the magnitude of the effort — even if your Password is hacked??? HeLLO???
Neil Hennessey
regardless does not contain the letter ‘U’, hence a good password option
The Wet One
So what if you have some random nonsense (well, not totally random, but some nonsense for a source well known and loved, but not like a novel, movie but rather a technical source of limited interest (like the part number of some car or remote control toy or something), split by a repeated figure, with a couple of symbols and upper and lower case characters thrown in for good measure and it’s 20 – 25 figures in total?
How’s that for a password?
Mark Osbourn
I agree with this. I tell my friends and clients to apply leeting of O=0 but use a mix of two lines from favourite films/songs/bands/albums eg. “We the people” and “In the air tonight” would be W3th3p30p13!nth3@!rt0n!ght. Easy to remember… bugger to crack
Alessandro Riolo
The main reason I wouldn’t trust online password meters is that they make the perfect honeypot for people collecting passwords for the dictionaries.
Ix9h6lA8
1 — They typically rely on JavaScript to do the calculations on your PC, so the password is never actually transmitted over the web.
2 — Use it as an indicator. So, generate a dummy password that follows the guidelines of whatever password you wish to check and simply check that dummy password, to get an idea of how strong the actual password would be.
anachroinist
This article came out last month, titled “The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time”: [link removed]
Apparently NIST just came out with new guidance to replace the 2003 guidance everyone is using these days (which requires mixed upper/lowercase, numbers, special characters). The new guidance advises against requiring different character classes, and recommends simply to use longer passwords.
Mark Stockley
Indeed. You can find a summary of NIST’s guidelines here: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
…and our write up of Bill Burr’s regrets here:
https://nakedsecurity.sophos.com/2017/08/11/why-nists-bill-burr-shouldnt-regret-his-2003-password-advice/
Ix9h6lA8
The problem is that you’re using weak (semi-)random passwords to check password strength indicators that are just doing it wrong. You can trust them and random passwords if you just do it correctly.
Having coded a password manager myself I can pretty much guarantee you one thing over any and all other things — the longer, the better. Forget silly rules or tricks, just go wide. And do not use any services that do not support going wide. The point is, the wider your password generation rules, the larger the set of possible passwords becomes and the longer it would take to crack it. To which end perfectly random (without any rules to avoid double characters or w/e) passwords that are as long as is allowed simply is the best.
Bruce
how does a password cracker know when it has cracked the password?
Paul Ducklin
Generally speaking, crooks who are trying to crack passwords have access to a list of hashed passwords stolen from a service provider:
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
The list of hashes is the very same database that the service uses to verify that a user supplied the right password (they store the hashes to avoid storing the raw password, which wouldn’t need cracking at all).
So the crooks try password after password against the hashed password for your account, just as the service provider would when you logged in, until they find a password that matches your hash.
Typically, they can’t crack passwords online because there will be some kind of rate limit imposed, precisely to stop anyone guessing too fast and often. But if you have a copy of the password database offline, then you get to set your own rate limit – i.e. none. You just keep guessing as fast as you can until you hit the jackpot (or give up).
Sometimes, a service doesn’t limit online guesses properly, so crooks can try passwords at high speed online. In that case (say, a web login portal) they can tell they’ve cracked the password by monitoring the reply sent by the server. When the “login error” message goes away and “welcome to XYZ” appears instead, they know they’ve done it…
Donald Watson
Here is a good way to make a memorable password that is hard to guess and you will rarely find in a database. Choose a set of words that are meaningful to you at the time. Take the initial letter of each word. Choose one or more to be capital and the remaining lower case; making sure to always have a mix of both. Now, in between each letter put at least one number and one special character. Make sure you have a minimum of three words and you will meet the minimum character requirements of most sites.
If you have to have a password greater than nine characters, simply add more initials of words or more numbers and special characters. Just make sure these are memory association related items.
I have several passwords using this technique that are greater than twelve characters and I have no issues in remembering them.
Paul Ducklin
Here is a slightly broader set of ideas, with some visuals to show you how you can do it:
https://nakedsecurity.sophos.com/2014/10/01/how-to-pick-a-proper-password/