He linked directly to this jpg file, while the graphic belongs to this article at CXO Europe. I usually find his tweets very interesting, as well as the blog posts from the F-Secure team, so don't get me wrong here. Being a little obsessed with passwords after researching them for approximately 9 years, I had to take a look at this article. (Most articles on password strength and passwords in general are full of assumptions, a blend of information from various resources, and a bit of personal opinion from the author at the time of writing. At least that is what I think of them.)
The CXO article had tested a bunch of passwords against the password strength meter of Google Mail, which you can find when creating a new account (or changing the password on your existing one). The graphic from CXO summarizes the strength of the passwords. Looking at it for less than 5 seconds was enough for me: I had to release this blog post, which I've been thinking about for quite some time.
So without further ado, here's the graphic I've produced quickly (...), without being a graphics artist such as @ripetungi, the creator of the CXO graphic. I believe you'll get the idea anyway. I've used the same passwords as tested by CXO, ranked in the same order as their test. (click the picture for full size):
The password input field has a strength meter. For some reason it says "too short" for my tested passphrase once it passes 18 characters, while other passwords/phrases receive the "strong" verdict. Apparently the script from Gmail doesn't really like my passphrase. Oh, and Gmail using the word "unbreakable"... It does remind me of Larry Ellison from Oracle. You should probably find yourself another word to use. :-)
This checker has 4 levels: Weak, Medium, Strong, Best. Nothing advanced, as simple as it can be.
This service from the Swedish Post and Telecom Agency (PTS) uses Cracklib as the core of its password meter. It only has two levels, either Weak or Strong. In order to receive a Strong rating, the password must comply with all 6 requirements:
- contain lowercase letters
- contain UPPERCASE LETTERS
- contain digits (0-9)
- contain special characters (!"#¤%&...)
- at least 8 characters in length without digits
- must not be based on a word in their word list
Kudos for using open-source software for their testing, but I would say that using Cracklib for judging the strength of passwords is seriously overkill in many cases, and must be seen in context with online/offline attacks, as well as the use of crypto/hash algorithms and password salting.
Please also note that this service requires you to submit the password to their server for analysis! But nobody would ever submit their own password for analysis, right? *wrong*
Seems to be a replica of the Microsoft test on first sight, but without the SSL security applied. Use Microsoft instead, if you must.
This service has 5 levels: Very Weak, Weak, Good, Strong & Very Strong, and a percentage score is also displayed for even more granularity. However, the service doesn't seem to accept passwords longer than 16 characters, and anything longer gets a Very Weak 0% score. So much for my passphrase at length 25...
Kudos for having the source code available for download. Now if somebody could tweak it a little bit....
I chose to include the password meter capability of my favorite application for maintaining my own personal database of usernames and passwords (I've got close to a hundred of them...). KeePass measures the strength in bits; I've marked the best (my passphrase) and the worst (11 bits) in the table. A color bar is also displayed in KeePass. My passphrase receives a perfect "green" rating (100%), while the second best (56 bits) receives approximately a 40-45% rating.
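To show why the PTS rule set above and a bits-based meter like KeePass's disagree, here is an added example (not code from this post, PTS, Cracklib or KeePass): the six PTS rules are implemented as listed, next to a crude length-times-charset bits estimate. The word list, the bits model and the two sample passwords are constructed assumptions.

```python
"""Rule-based (PTS-style) vs. bits-based (KeePass-style) rating of the same
passwords. Added example; the six rules follow the post's list, while the
word list, the charset-size bits model and the samples are assumptions."""
import math
import string

# Constructed stand-in for the Cracklib word list used by the PTS checker.
WORDLIST = {"password", "summer", "vacation", "monkey", "letmein", "enterprise"}
# Characters the PTS rule counts as special: punctuation plus the Nordic "¤".
SPECIALS = set(string.punctuation) | {"¤"}


def pts_style_rating(password: str) -> tuple[str, list[str]]:
    """Two-level verdict: 'Strong' only when all six rules pass."""
    without_digits = "".join(c for c in password if not c.isdigit())
    lowered = password.lower()
    rules = {
        "lowercase letters": any(c.islower() for c in password),
        "UPPERCASE LETTERS": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "special characters": any(c in SPECIALS for c in password),
        "8+ chars without digits": len(without_digits) >= 8,
        "not based on a word list word": not any(w in lowered for w in WORDLIST),
    }
    failed = [name for name, passed in rules.items() if not passed]
    return ("Strong" if not failed else "Weak"), failed


def estimated_bits(password: str) -> float:
    """Crude bits estimate: length * log2(size of the character classes used).
    An assumption about how a bits meter works, not KeePass's real algorithm."""
    classes = [
        (26, any(c.islower() for c in password)),
        (26, any(c.isupper() for c in password)),
        (10, any(c.isdigit() for c in password)),
        (33, any(not c.isalnum() for c in password)),  # punctuation and space
    ]
    size = sum(n for n, used in classes if used)
    return round(len(password) * math.log2(size), 1) if size else 0.0


def compare(passwords: list[str]) -> list[dict]:
    """Rate each candidate both ways so the disagreement is visible side by side."""
    return [{"password": pw, "pts": pts_style_rating(pw), "bits": estimated_bits(pw)}
            for pw in passwords]


if __name__ == "__main__":
    # Constructed samples: a short "complex" password and a long passphrase.
    for row in compare(["Tr0ub4dor&3", "my summer vacation was wonderful"]):
        print(row)
```

The short password satisfies all six rules and is rated Strong, while the 32-character passphrase fails four of them yet scores far more bits; this is the kind of disagreement the table in the post shows.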
(7) My own passphrase
Now you can be the judge: is (or was) that a good password? Comments highly welcome!
These services all have defects in various ways, and they are obviously not on the same page on how to evaluate the strength of a password. Using online password checkers should be avoided, as it would be very easy to generate a service which will collect information about YOU as well as any information that you type in for testing. Such online services do of course tell you NOT to test a real password that you are using, but I'll bet that's exactly what most users will do.
If I were forced to choose one of the above, I would go for KeePass. With KeePass you have an excellent tool for generating, evaluating and securely storing your lists of various passwords - provided your master password is "secure" of course. For all of them there are lots of improvements that can and should be made ASAP.
Message to Mikko Hypponen: I don't mind you linking to both good and bad content on the Internet. With this CXO article I'm afraid some high-level folks might decide that this article will give them ideas for their next password - which is really a very bad idea.
Final note to CXO, Jodie Humphries and @ripetungi:
You made me laugh with your selected passwords for testing at Gmail, and Mikko's comment on ncc1701 was also worth a smile (personally I'm a Star Wars fan, not much of a trekkie). May I suggest you get Wargames and Sneakers on DVD, and buy Cliff Stoll's excellent book "The Cuckoo's Egg" for more hardcore geek passwords to test against Gmail? :-)