very different results from online password strength tests


mappo (Member, Sweden)
Sep 25, 2021
I've read through various lists of criteria for what a Good Password™ should look like, and wondered if this pattern passes while also remaining easy to remember:

Code:
C0de..........

That's: an uppercase c, the numeral zero, lowercase d, lowercase e and ten periods.
So it's 14 characters containing uppercase, lowercase, digits and symbols.

I then used various password strength test pages.
The reported estimation of time-to-crack varies from 1 minute (Bitwarden) to 2 billion years (WhatIsMyIP.com). Thanks, I learned nothing!

What's verdict from the forum members? Is it a feasible pattern?
@Steve's GRC's Interactive Brute Force Password “Search Space” Calculator says it will take 15.67 thousand centuries (assuming one hundred trillion guesses per second).

Note: This only determines how long it will take to crack your password using brute force. If an adversary can guess it using other means, they can certainly find it faster.
Strictly speaking, a password is an unknown quantity. (If the attacker knew it, they would just use what they know.)

Using what they know is what makes a password weak. If I know you used your last name and birthday as your password, I would have many fewer combinations to check than if I knew nothing about it (or you).

Assuming you have no shortcuts to guess a password, you're stuck trying EVERY possible valid password until you figure it out. If I know you only used lower case letters (and nothing else) and I know your password is no longer than 12 characters, then I would try every possible combination of lower case letters at every length from 1 to 12. This is 26 possibilities for the length 1 password, 26*26 possibilities for the length 2 password, 26*26*26 possibilities for the length three password, and so on up to 26^12 for the length twelve password. If we add all these together, we get 26^1 + 26^2 + 26^3 + 26^4 + 26^5 + ... + 26^12. Mathematically this is just slightly larger than 26^12. Here's a worked example for a three character password:

Code:
26 + 26*26 + 26*26*26
26(1 + 26 + 26*26)
26*26 (1/26 + 1 + 26)
26*26*26 (1/26*26 + 1/26 + 1)

as you can see, when you factor out the powers of 26, you're left multiplying by a number just slightly larger than one, for the above example it's 1.039940828402366863905325443787 according to Windows calculator.

We can effectively round this to just the largest power, or 26^12. (Since it's okay to underestimate the actual strength, and also because in any attack, statistically you're likely to find the password at the half-way point, on average.)

That last bit is worth spending some time thinking about. If your 12 character password is "aaaaaaaaaaaa" then potentially my first guess will guess your password. (If I am working in the obvious linear approach.) So you conclude that the strongest password would be "zzzzzzzzzzzz". The problem with that is that not every attacker is going to try a strictly linear approach. They might assume that trying all 26 passwords composed of a single letter first is a good shortcut.

Accordingly, your absolute best password is one that is COMPLETELY random. And if you use a password manager, that remembers it for you, then you can easily achieve this "gold standard."

Based on complete randomness, and assuming your attacker can go very fast, let's assume they can try one billion passwords per second. 26^12 divided by one billion means it will take your attacker 95,428,956.7 seconds, which is just over 3 years. Which, based on averages, is actually 1.5 years on average.

Now, let's make that 12 character password even stronger. Let's add in 26 more characters, the upper case ones. Now you have a strength of 52^12, and that will take 390,877,006,486.3 seconds, or just over 12,386 years (or half that, 6,193 years, on average.) As you can see, increasing the variety of each possible character makes the job for the attacker exponentially more difficult.

If you add in punctuation and numbers, let's call that 80 possible characters, then you have 80^12 divided by one billion is 68,719,476,736,000 seconds, or 2,177,588.9 years (again, half that, or 1,088,794 years, on average.)

So now that we've established that it is much better to have maximal variety in characters, now let's see what happens with length.

If I switch to 13 characters, instead of 12, and rework all the numbers, here's the results:
26^13 -> 78.6 years
52^13 -> 644,079.5 years
80^13 -> 174,207,105 years

So by adding one additional character, we went from 3 years to 78, from 12k years to 644k and from 2.1M years to 174M.

So here's your best approach: use a password manager, and have very long random passwords. If that is not possible, (say for your password manager password) then use as long a quality password as you can remember, and then lengthen it somehow by using the repeat method. You don't HAVE to append at the end, you can do it anywhere... maybe you go with a password like My$trong..........$trong........Pass!word. (as ever, never use ANY password published online, as it's potentially now in a password lookup table.)
 
That's: an uppercase c, the numeral zero, lowercase d, lowercase e and ten periods.
So it's 14 characters containing uppercase, lowercase, digits and symbols.

I then used various password strength test pages.
The reported estimation of time-to-crack varies from 1 minute (Bitwarden) to 2 billion years (WhatIsMyIP.com). Thanks, I learned nothing!
Password checkers cannot measure the strength of a password. The best they can do is provide an indication of the potential strength of a password. That indication, however, depends on the criteria that a password checker uses. These criteria, in turn, will typically vary from checker to checker. Hence the strength "indication" will vary from checker to checker, leaving the user confused and learning little, as @mappo noted.

I have confidence in Steve Gibson's Haystack checker (cited by Barry Wallis, above). On that page Steve explains his reasoning and also what makes a password "strong".
 
I don't remember which it was, but some password checker I used must have had some sort of dictionary to allow it to predict dictionary attacks, and the sample password I used to see the strength meter was found to be instant as a result. Would not surprise me if that password checker I found would say the horse battery password was instant as well.

I had done that test within a year of Steve's Haystack page going live.
 
No, it was one that worked in a similar way as the Haystack page. I just remember somehow it detected my test password as weak even though it would be strong in most normal password strength testers. I wasn't using a real password as I didn't trust the site not to send my data to be collected.