He linked directly to this jpg file, while the graphic belongs to this article at CXO Europe. I usually find his tweets to be very interesting, as well as blog posts from the F-Secure team as well, so don't get me wrong here. Being a little obsessed with passwords after researching them for approximately 9 years, I had to take a look at this article. (Most articles on password strength and passwords in general are full of assumptions, a blend of information from various resources, and a bit of personal opinion from the author at the time of writing. At least that is what I think of them.)
The CXO article had tested a bunch of passwords against the password strength meter of Google Mail, which you can find when creating a new account (or changing your existing one). The graphic from CXO summarizes the strength of the passwords. Looking at that for <5 seconds was enough for me, I had to release this blog post which I've been thinking about for quite some time.
So without further ado, here's the graphic I've produced quickly (...), without being a graphics artist such as @ripetungi, the creator of the CXO graphic. I believe you'll get the idea anyway. I've used the same passwords as tested by CXO, ranked in the same order as their test. (click the picture for full size):
The password input field has a strength meter. For some reason it says "too short" with my tested passphrase after character number 18, while other passwords/phrases receive the "strong" verdict. Apparently the script from Gmail doesn't really like my passphrase. Oh, and Gmail using the word "unbreakable"... It does remind me of Larry Ellison from Oracle. You should probably find yourself another word to use. :-)
This checker has 4 levels: Weak, Medium, Strong, Best. Nothing advanced, as simple as it can be.
A service from the Swedish Post and Telecom Agency (PTS), it uses Cracklib as the core of its password meter. It only has two levels, either Weak or Strong. In order to receive a Strong rating, the password must comply with all 6 requirements:
- contain lowercase letters
- contain UPPERCASE LETTERS
- contain digits (0-9)
- contain special characters (!"#¤%&...)
- at least 8 characters in length without digits
- must not be based on a word in their word list
Kudos for using open-source software for their testing, but I would say that using Cracklib for judging the strength of passwords is seriously overkill in many cases, and must be seen in context with online/offline attacks, as well as the use of crypto/hash algorithms and password salting.
Please also note that this service requires you to submit the password to their server for analysis! But nobody would ever submit their own password for analysis, right? *wrong*
Seems to be a replica of the Microsoft test on first sight, but without the SSL security applied. Use Microsoft instead, if you must.
This service has 5 levels: Very Weak, Weak, Good, Strong & Very Strong, and a percentage score is also displayed for even more granularity. However the service doesn't seem to accept more than length 16, and anything higher gets a Very Weak 0% score. So much for my passphrase at length 25...
Kudos for having the source code available for download. Now if somebody could tweak it a little bit....
I chose to include the password meter capability of my favorite application for maintaining my own personal database of usernames and passwords (I've got close to a hundred of them...). Keepass measures the strength in bits; I've marked the best (my passphrase) and the worst (11 bits) in the table. A color bar is also displayed in Keepass. My passphrase receives a perfect "green" rating (100%), while the second best (56 bits) receives approximately a 40-45% rating.
(7) My own passphrase
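To make the disagreement between the PTS meter (the six requirements listed above) and a bit-count meter like Keepass concrete, here is an added example that is not code from this post or from either service: a rule checker following the six PTS requirements, next to a naive character-pool entropy estimate. The tiny word list, the substring approximation of Cracklib's dictionary rule and the pool-based bit formula are all my assumptions, not the real implementations.

```python
import math
import re
import string

# Constructed stand-in for Cracklib's dictionary (the real list is far larger).
WORD_LIST = {"password", "secret", "welcome", "ncc1701", "enterprise"}

# Special characters as listed by PTS: !"#%& etc. plus the Swedish currency sign.
SPECIALS = set(string.punctuation) | {"\u00a4"}


def based_on_word(password: str) -> bool:
    """Assumed approximation of rule 6: does a listed word occur in the
    lower-cased password, or in the password with digits/specials stripped?"""
    lowered = password.lower()
    core = re.sub(r"[^a-z]", "", lowered)
    return any(w in lowered or w in core for w in WORD_LIST)


def check_pts_rules(password: str) -> list:
    """Return the names of the PTS requirements the password fails (empty = Strong)."""
    failed = []
    if not any(c.islower() for c in password):
        failed.append("lowercase")
    if not any(c.isupper() for c in password):
        failed.append("uppercase")
    if not any(c.isdigit() for c in password):
        failed.append("digit")
    if not any(c in SPECIALS for c in password):
        failed.append("special")
    if len(re.sub(r"\d", "", password)) < 8:      # rule 5: length counted without digits
        failed.append("length8_without_digits")
    if based_on_word(password):
        failed.append("wordlist")
    return failed


def pts_rating(password: str) -> str:
    return "Strong" if not check_pts_rules(password) else "Weak"


def pool_entropy_bits(password: str) -> float:
    """Assumed character-pool model (NOT Keepass's algorithm): length * log2(pool)."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(c in SPECIALS for c in password): pool += len(SPECIALS)
    return len(password) * math.log2(pool) if pool else 0.0
```

A 23-character lowercase passphrase (constructed) scores over 100 bits under the pool model yet fails three PTS rules and is rated Weak, which is exactly the kind of disagreement the table above shows.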
Now you can be the judge: is (or was) that a good password? Comments highly welcome!
These services all have defects in various ways, and they are obviously not on the same page on how to evaluate the strength of a password. Using online password checkers should be avoided, as it would be very easy to generate a service which will collect information about YOU as well as any information that you type in for testing. Such online services do of course tell you NOT to test a real password that you are using, but I'll bet that's exactly what most users will do.
If I were forced to choose one of the above, I would go for Keepass. With Keepass you have an excellent tool for generating, evaluating and securely storing your lists of various passwords - provided your master password is "secure" of course. For all of them there are lots of improvements that can and should be made ASAP.
Message to Mikko Hypponen: I don't mind you linking to both good and bad content on the Internet. With this CXO article I'm afraid some high-level folks might decide that this article will give them ideas for their next password - which is really a very bad idea.
Final note to CXO, Jodie Humphries and @ripetungi:
You made me laugh with your selected passwords for testing at Gmail, and Mikko's comment on ncc1701 was also worth a smile (Personally I'm a Star Wars fan, not much of a trekkie). May I suggest you get Wargames and Sneakers on DVD, and buy Cliff Stoll's excellent book "The Cuckoo's Egg" for more hardcore geek passwords to test against Gmail? :-)
I think your password is great. I used a similar algorithm for mine for 1-2 years after a password discussion you and I had 4 years ago. :-d
Password security is very complex and it changes with the point of view. Your "family password" may be safe against anonymous attacks, but may be very easily leaked by people knowing you or even watching you while typing.
Another important aspect of password security in my opinion is to have different passwords for different accounts, storing passwords securely and changing them periodically.
The biggest threat besides phishing, in my opinion, for passwords may be password reminders. If one can access your e-mail, she/he can access your related accounts.
I fully agree with "The-Dude" here, and blog posts are already in the works for the issues you mention.
Thx for your reply, highly appreciated!
Did you seriously just post your password?
No, I posted one of the passwords that I used up until I started writing this blog post.
The previous version was
If you would like to know. :-)
Now, obviously, I will never ever use that or anything similar as my password again.
I took your list and sent it through htpasswd:
Afterwards, I let John look at it. Even on my cheap netbook it immediately broke these passwords:
Loaded 37 password hashes with 37 different salts (Traditional DES [64/64 BS MMX])
For myself, I started using a password safe that I protected with a rather long password. The password safe file is stored in a crypto container file that I carry around on my USB stick. For every account I use a different 20-character random password. I know this is paranoid, but it's better than my former method of juggling around with dozens of passwords that are either easy to crack or easy to forget. A long random password has the additional advantage that I can use it openly without running a big risk of someone remembering it - and if he does, he has deserved it ;)
Thanks for your inspiring article!
Well, using john is of course an offline attack, where you have "unlimited" time to test billions of passwords against the found hashes.
NIST (SP800-118) has one of the better ways of estimating the strength of a password; looking at entropy when doing an online attack.
Anyway; most of the listed passwords are weak in my opinion as well.
Thanks for your comment on my blog. This was very interesting, might rewrite my post to include some of your points.
And thank you Troy for your reply as well! It's not that password meters shouldn't be used, as they in many cases will give you an approximation of your password strength. You just shouldn't fully trust them. :-)
The problem as I see it with these types of password meters, beside the obvious hacking potential, is that they seem to be a "one time thing", meaning a user visits the site, inputs their password and goes "great, my password is okay to use another four years". It basically doesn't put passwords in the context of security and whatever answer the meter returns will probably have little if any effect on the user.
I do however believe that they are a valuable tool for sign-up processes. As a developer I have started enforcing only an eight character minimum for passwords, meaning a user can in fact register with the password 12345678. Next to the field though is a short description of the estimated strength of their password. Making people use good passwords/passphrases (let's not go into a discussion of what's good now :D) is near impossible, so as a web developer I think the only way is to enable users to make their own decision.
Wow, that was a long comment for an old post.. Summary: password meters are good for sign-up forms. Feel free to have a look at my own password meter at https://github.com/erikbrannstrom/jQuery-Password-Entropy :)
Password list for @jpgoldberg: