The CXO article had tested a bunch of passwords against the password strength meter of Google Mail, which you can find when creating a new account (or changing your existing one). The graphic from CXO summarizes the strength of the passwords. Looking at that for <5 seconds was enough for me; I had to release this blog post, which I've been thinking about for quite some time.
So without further ado, here's the graphic I've produced quickly (...), without being a graphics artist such as @ripetungi, the creator of the CXO graphic. I believe you'll get the idea anyway. I've used the same passwords as tested by CXO, ranked in the same order as their test. (click the picture for full size):
(1) http://gmail.com/
The password input field has a strength meter. For some reason it says "too short" with my tested passphrase after character number 18, while other passwords/phrases receive the "strong" verdict. Apparently the script from Gmail doesn't really like my passphrase. Oh, and Gmail using the word "unbreakable"... It does remind me of Larry Ellison from Oracle. You should probably find yourself another word to use. :-)
(2) https://www.microsoft.com/protect/fraud/passwords/checker.aspx
This checker has 4 levels: Weak, Medium, Strong, Best. Nothing advanced, as simple as it can be.
(3) https://www.testalosenord.se/
This service from the Swedish Post and Telecom Agency (PTS) uses Cracklib as the core of its password meter. It has only two levels, Weak or Strong. To receive a Strong rating, the password must comply with all 6 requirements:
- contain lowercase letters
- contain UPPERCASE LETTERS
- contain digits (0-9)
- contain special characters (!"#¤%&...)
- at least 8 characters in length without digits
- must not be based on a word in their word list
Kudos for using open-source software for their testing, but I would say that using Cracklib for judging the strength of passwords is seriously overkill in many cases, and must be seen in the context of online/offline attacks, as well as the use of crypto/hash algorithms and password salting.
Please also note that this service requires you to submit the password to their server for analysis! But nobody would ever submit their own password for analysis, right? *wrong*
(4) http://www.testyourpassword.com/
Seems to be a replica of the Microsoft test on first sight, but without the SSL security applied. Use Microsoft instead, if you must.
(5) http://www.passwordmeter.com/
This service has 5 levels: Very Weak, Weak, Good, Strong & Very Strong, and a percentage score is also displayed for even more granularity. However, the service doesn't seem to accept passwords longer than 16 characters, and anything longer gets a Very Weak 0% score. So much for my passphrase at length 25...
Kudos for having the source code available for download. Now if somebody could tweak it a little bit....
(6) http://keepass.info/
I chose to include the password meter capability of my favorite application for maintaining my own personal database of usernames and passwords (I've got close to a hundred of them...). Keepass measures the strength in bits; I've marked the best (my passphrase) and the worst (11 bits) in the table. A color bar is also displayed in Keepass. My passphrase receives a perfect "green" rating (100%), while the second best (56 bits) receives approximately a 40-45% rating.
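As an added example (not the page's own code, nor PTS's or KeePass's), here is a Python reimplementation of the six Testalösenord rules listed under (3) beside a naive bits estimate of the kind a meter such as the one in (6) displays, run over a few of the passwords from this post. The word list is a constructed stand-in for Cracklib's dictionary, reading "8 characters without digits" as the length once digits are removed is an assumption, and the bits formula is a plain length × log2(alphabet) estimate, not KeePass's algorithm.

```python
import math
import re

# Constructed stand-in for the Cracklib dictionary used by testalosenord.se
# (assumption: the real list is far larger; these words come from this post)
WORDLIST = {"password", "letmein", "dragon", "monkey", "qwerty", "football",
            "princess", "michael", "snoopy", "master", "secret", "business"}

def _in_wordlist(p):
    # Cracklib-style: reject the word itself and the word with trailing digits stripped
    low = p.lower()
    return low in WORDLIST or low.rstrip("0123456789") in WORDLIST

# The six requirements listed for the PTS checker, each as a predicate
RULES = {
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "special": lambda p: re.search(r"[^0-9A-Za-z]", p) is not None,
    # Assumption: "8 characters without digits" = length once digits are removed
    "length8_nondigit": lambda p: len(re.sub(r"[0-9]", "", p)) >= 8,
    "not_dictionary": lambda p: not _in_wordlist(p),
}

def cracklib_style(password):
    """Two-level verdict like testalosenord.se: Strong only if all six rules pass.
    Returns (verdict, list of failed rule names)."""
    failed = [name for name, check in RULES.items() if not check(password)]
    return ("Strong" if not failed else "Weak", failed)

def naive_bits(password):
    """Alphabet-size estimate: length * log2(sum of character classes used).
    Not KeePass's algorithm; it shows how a bits meter and a rules meter disagree."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^0-9A-Za-z]", password): size += 33  # printable ASCII specials
    return round(len(password) * math.log2(size), 1) if size else 0.0

def compare(passwords):
    """Score each password with both meters: [(password, verdict, failed, bits)]."""
    return [(p, *cracklib_style(p), naive_bits(p)) for p in passwords]

if __name__ == "__main__":
    # Sample passwords taken from this post plus one constructed strong value
    for row in compare(["password", "ncc1701", "thx1138", "Xk7#mqLpz2!",
                        "Lisbeth&Amalie&PerØyvind!"]):
        print(row)
```

Note that the 25-character passphrase scores far above everything else on bits yet is Weak under the rules, because it contains no digit; that divergence is the point of the post.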
(7) My own passphrase
Now you can be the judge: is (or was) that a good password? Comments highly welcome!
To summarize:
These services all have defects in various ways, and they are obviously not on the same page on how to evaluate the strength of a password. Using online password checkers should be avoided, as it would be very easy to generate a service which will collect information about YOU as well as any information that you type in for testing. Such online services do of course tell you NOT to test a real password that you are using, but I'll bet that's exactly what most users will do.
If I were forced to choose one of the above, I would go for Keepass. With Keepass you have an excellent tool for generating, evaluating and securely storing your lists of various passwords - provided your master password is "secure", of course. For all of them there are lots of improvements that can and should be made ASAP.
Message to Mikko Hypponen: I don't mind you linking to both good and bad content on the Internet. With this CXO article I'm afraid some high-level folks might decide that this article will give them ideas for their next password - which is really a very bad idea.
--
Final note to CXO, Jodie Humphries and @ripetungi:
You made me laugh with your selected passwords for testing at Gmail, and Mikko's comment on ncc1701 was also worth a smile (personally I'm a Star Wars fan, not much of a trekkie). May I suggest you get Wargames and Sneakers on DVD, and buy Cliff Stoll's excellent book "The Cuckoo's Egg" for more hardcore geek passwords to test against Gmail? :-)
I think your password is great. I used a similar algorithm for mine for 1-2 years after a password-discussion you and I had 4 years ago. :-d
Password security is very complex and it changes with the point of view. Your "family password" may be safe against anonymous attacks, but may be very easily leaked by people knowing you or even watching you while typing.
Another important aspect of password security in my opinion is to have different passwords for different accounts, storing passwords securely and changing them periodically.
The biggest threat besides phishing in my opinion for passwords may be password reminders. If one can access your e-mail, she/he can access your related accounts.
I fully agree with "The-Dude" here, and blog posts are already in the works for the issues you mention.
Thx for your reply, highly appreciated!
Did you seriously just post your password?
No, I posted one of the passwords that I used up until I started writing this blog post.
The previous version was
Lisbeth&Amalie&PerØyvind!
If you would like to know. :-)
Now, obviously, I will never ever use that or anything similar as my password again.
I took your list and sent it through htpasswd:
Afterwards, I let John look at it. Even on my cheap netbook it immediately broke these passwords:
Loaded 37 password hashes with 37 different salts (Traditional DES [64/64 BS MMX])
letmein (user30)
snoopy (user19)
michael (user18)
123456 (user34)
abc123 (user16)
dragon (user21)
password (user36)
money (user22)
diamond (user28)
secret (user31)
qwerty (user27)
monkey (user24)
iloveyou (user20)
football (user32)
master (user35)
thx1138 (user9)
ncc1701 (user5)
access (user33)
princess (user23)
flipper (user11)
dreams (user15)
business (user14)
pass (user29)
121212 (user25)
For myself, I started using a password safe that I protected with a rather long password. The password safe file is stored in a crypto container file that I carry around on my USB stick. For every account I use a different 20-character random password. I know this is paranoid, but it's better than my former method of juggling around with dozens of passwords that are either easy to crack or easy to forget. A long random password has the additional advantage that I can use it openly without running a big risk of someone remembering it - and if he does, he has deserved it ;)
Thanks for your inspiring article!
Well, using john is of course an offline attack, where you have "unlimited" time to test billions of passwords against the found hashes.
NIST (SP800-118) has one of the better ways of estimating the strength of a password; looking at entropy when doing an online attack.
Anyway; most of the listed passwords are weak in my opinion as well.
Thanks for your comment on my blog. This was very interesting might rewrite my post to include some of your points
And thank you Troy for your reply as well! It's not that password meters shouldn't be used, as they in many cases will give you an approximation of your password strength. You just shouldn't fully trust them. :-)
The problem as I see it with these types of password meters, besides the obvious hacking potential, is that they seem to be a "one time thing", meaning a user visits the site, inputs their password and goes "great, my password is okay to use another four years". It basically doesn't put passwords in the context of security and whatever answer the meter returns will probably have little if any effect on the user.
I do however believe that they are a valuable tool for sign-up processes. As a developer I have started enforcing only an eight character minimum for passwords, meaning a user can in fact register with the password 12345678. Next to the field though is a short description of the estimated strength of their password. Making people use good passwords/passphrases (let's not go into a discussion of what's good now :D) is near impossible, so as a web developer I think the only way is to enable users to make their own decision.
Wow, that was a long comment for an old post.. Summary: password meters are good for sign-up forms. Feel free to have a look at my own password meter at https://github.com/erikbrannstrom/jQuery-Password-Entropy :)
Password list for @jpgoldberg:
g01111001110011101100e
011235813213455134
deathknight55
algoreisright
ncc1701
starrynight
enzoferrari
ggekko
thx1138
babygirl
flipper
goodmorning
ihatemylife
business
dreams
abc123
rockstar
michael
snoopy
iloveu
dragon
money
princess
monkey
121212
biteme
qwerty
diamond
pass
letmein
secret
football
access
123456
master
password
Lisbeth&Amalie&PerØyvind»