Reputation:
Is there an existing algorithm in checking password strength? Or re-invent the wheel?
I've been thinking to develop an Android application which will tell the password strength of user-entered password.
In terms of checking password strength, I developed these 2 Algorithms to check it. But I'm having second thought using these Algorithms because I don't think it's efficient. What do you guys think?
Here is my 2 Algorithms:
Average Method
Sample input = Password12@
1. Count the lowercase, uppercase, digits and special characters in the given String.
Eg.
Lowercase count = 7;
Uppercase count = 1;
Digits count = 2;
SpecialCharacter count = 1;
2. Get the character count and multiply it to the size of given String.
Eg.
(Count * Size)
(7 * 10) = 70
(1 * 10) = 10
(2 * 10) = 20
(1 * 10) = 10
3. Add the following results
Eg.
70 + 10 + 20 + 10 = 110
4. Get the results which is the password strength.
Eg.
The password is 110% strong.
Points Method
Sample input = Password12@
1. Set the points such that for every:
Lowercase = 1 point given
Uppercase = 5 points given
Digits = 10 points given
Special Character = 15 points given
2. Count the lowercase, uppercase, digits and special characters in the given String.
Eg.
Lowercase count = 7;
Uppercase count = 1;
Digits count = 2;
SpecialCharacter count = 1;
3. Get the character count and add it to the given point and multiply the size of the given String.
Eg.
(Count + Point) * size
(7 + 1) * 10 = 80;
(1 + 5) * 10 = 60;
(2 + 10) * 10 = 120;
(1 + 15) * 10 = 160;
4. Add the following results and divide it to the size of given String and divide it by 4.
Eg.
//4 because count={uppercase, lowercase, digits, special character}
80 + 60 + 120 + 160 = 420
420 / 4 = 105
5. Get the result which is the pswword strength.
Eg.
The password strength is 105%.
My questions are:
Which algorithm showed that has a better implementation?
If the 2 given algorithms is inefficient, is there an existing algorithm that I can use to check the strength of the given password. Not like this, re-inventing the wheel.
Upvotes: 5
Views: 5166
Answers (2)
Reputation: 877
Both of your algorithms have some inherent issues when checking password strengths:
The first algorithm basically just counts the length of the password and multiply with 10. Using this algorithm the password "passwordpassword" would get a rating of 160%. Way too strong for such a simple password.
The second algorithm is a bit more complex and uses weights, based on the type of character. However using this algorithm, the password "1234" would get a rating of a 100%. I am sure this is not what you want.
A general rule of thumb is to test a password strength based on a list of rules, and then weight those rules (together with the number of rules actually enforced by the password):
- Password must be atleast 8 characters long (10 pts)
- Password must contain atleast a lowercase letter (5 pts)
- Password must contain atleast an uppercase letter (5 pts)
- Password must contain atleast a digit (5 pts)
- Password must contain atleast a symbol (10 pts)
- Password must contain atleast 5 unique characters (5 pts)
You could then add the rules enforced together and multiply that number with the number of rules enforced multiplied by a weight. E.g:
"1234" = (5) + 1*10 = 15
"password" = (5+5) + 2*10 = 30
"password1" = (5+5+5) + 3*10 = 45
"password1234" = (5+5+5+10) + 4*10 = 65
"Password1234" = (5+5+5+5+10) + 5*10 = 80
"Passw@rd1234" = (5+5+5+5+10+10) + 6*10 = 100
This is just a simple formulation of how the rule based approach work. Personally I would weight the number of rules used exponentionally instead, and have a wide variety of rules. Basically, the more rules satisfied, the more complex the password, the more secure it is.
Upvotes: 2
Reputation: 64
A link to open source password strength checker:
https://github.com/dropbox/zxcvbn
I didn't use it, just found it on google, check it out.
Your algorithms don't seem to get the job done well.
First one can be expressed as number of characters n^2, the kinds of character don't make a difference.
Second one is similar, it still doens't mean what kind of characters you input as the points only constitute a constant term in the equation: (d + 10) * 10 = d * 10 + 100 (for digits). It isn't better, it just shows a larger score.
Both algorithm produce a number that is roughly a square of the length of the password, while the time to break it (or strength) depends more on the exponent of length.
Check this article from coding horror: http://blog.codinghorror.com/your-password-is-too-damn-short/
Time to break a random password (from the article):
- 9 characters 2 minutes
- 10 characters 2 hours
- 11 characters 6 days
- 12 characters 1 year
- 13 characters 64 years
The random.org generator is "only" uppercase, lowercase, and number
Upvotes: 2
Related Questions
- Regex to validate password strength
- password strength checker python
- Checking the strength of a password (how to check conditions)
- Password Strength Meter
- Python program to determine whether a password meets all the requirements for a secure password
- Are there any known techniques to check strength of passwords stored in database?
- Password strength validation java
- Test the Strength of a Password in Python
- Password Strength Checking
- Standardizing of password strength algorithm