
How to Check the Strength of Your Passwords

Password Strength Checkers

We’ve talked about creating strong passwords in multiple groovy posts [1][2][3], but we’ve never given you a way to actually test them. Several free internet tools offer a localized password strength test that runs in any modern web browser. Most of these tools use common cryptographic calculations to estimate how likely a password cracker is to generate an exact match for the password’s MD5 hash.

Even though many online password tools state that they do not transmit anything you type back to their servers, I strongly suggest that you never enter your real password in any online tester.

What is Password Entropy?

Entropy is a measure of how unpredictable a password is; in other words, the higher a password’s entropy, the less likely it is that anyone will ever guess it.

To get a basic feel for how long a password would take to crack relative to its entropy, there is a very simplified formula to follow. Please note that this is very, very simplified and anyone in the cryptography field is probably shaking their head at it, but here it goes:

  • 2^(bits of entropy) = number of guesses needed to crack the password.
  • Any average Joe can install password-cracking software and make about 1,000 guesses per second.
  • Divide the number of guesses needed by the guesses per second and you have the number of seconds needed to crack the password; divide again to convert that into minutes, hours, or days.
  • However, if we speed that up to crazy supercomputer levels (like this guy who built a 25-GPU machine that can do 350 billion guesses per second) it becomes a lot quicker. The guess rate slows down significantly, though, depending on which hashing algorithm is used. The typical website uses SHA1, which such a machine could attack at a rate of 63 billion guesses per second.

Keep in mind that while these passwords are stored on a web server, they are usually protected by a limit on the number of login attempts allowed in a given period of time. But if the website ever gets hacked, its password hashes can easily be run through any offline cracking system the hackers have set up.

    Rumkin

    Of the available tools, Rumkin’s strength test is my favorite. It’s just a simple box, and when you type in the password it will tell you its strength, the character set, and its level of entropy.


    For example:

    • “tr0G0d4r” = 35.5 bits of entropy

    35.5 bits of entropy = 398 days for the average Joe to crack, but only 0.5 seconds for a supercomputer to break. That translates to less than a minute for almost any cracking expert out there to break in!

    • “mygmailpassword” = 58.9 bits of entropy

    58.9 bits of entropy = 18,267,344 years for the average Joe password cracker to break. Or on a supercomputer about 105 days, in theory.

    • “i have a very strong password” = 107.4 bits of entropy

    107.4 bits of entropy = 5,141,800,300,000,000,000 millennia for the average Joe password cracker to break. On a supercomputer it would take 81,615,877,245 millennia to crack. It is highly unlikely it will ever be cracked unless your password is singled out and targeted by multiple systems.
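The formula from the bulleted list above, applied to the three sample passwords, as an added example that is not part of the original post or of Rumkin’s tool. It assumes a naive character-class model (the password’s entropy is log2 of the character-set size raised to its length) and the two guess rates quoted in the post; because it ignores letter frequency and dictionary words, its bit counts come out higher than Rumkin’s.

```python
import math
import string

# Character classes for the naive model (constructed for this example).
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
    " ",
]

# Guess rates from the post: a hobbyist at 1,000/s, a GPU rig against SHA1 at 63 billion/s.
RATES = {"average Joe": 1_000, "GPU rig (SHA1)": 63_000_000_000}


def charset_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    if size == 0:
        raise ValueError("empty password or characters outside the supported classes")
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: log2(charset_size ** length)."""
    return len(password) * math.log2(charset_size(password))


def guesses_needed(password: str) -> int:
    """2 ** entropy, computed exactly as charset_size ** length (a full search)."""
    return charset_size(password) ** len(password)


def seconds_to_crack(password: str, guesses_per_second: int) -> float:
    """Seconds for an exhaustive search at the given guess rate."""
    return guesses_needed(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds as the largest whole unit, as the post does."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def report(password: str) -> dict:
    """Entropy estimate plus crack time at each quoted guess rate."""
    result = {"bits": round(entropy_bits(password), 1)}
    for name, rate in RATES.items():
        result[name] = human_time(seconds_to_crack(password, rate))
    return result


if __name__ == "__main__":
    for pw in ("tr0G0d4r", "mygmailpassword", "i have a very strong password"):
        print(f"{pw!r}: {report(pw)}")
```

Compare the output with the Rumkin figures above: the naive model rates “tr0G0d4r” at about 47.6 bits rather than 35.5, which shows why the choice of estimator matters as much as the password.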

    Other sites that can test your password strength


    3 Responses to How to Check the Strength of Your Passwords

    1. Simon H April 22, 2013 at 10:06 am #

      Rumkin looks useful for checking strength against a pure brute force attack and the information warns against using common or repetitive passwords / phrases, but passwordpasswordpasswordpassword is classed as very strong at 128.7 bits with no warning of it being repetitive.

      Thequickbrownfoxjumpsoverthelazydog 165.4 bits with no warning that it’s a common phrase.

      qwertyuiop was considered reasonable with 37.3 bits and no warning of it being a common password.

      Not dissing Rumkin, I just thought I would point this out as these are passwords I have seen people using, qwertyuiop on more than one occasion.

    2. currency strength meter September 11, 2013 at 12:45 am #

      Hey very cool website!! Man .. Beautiful .. Wonderful .. I will bookmark your website and take the feeds additionally?I’m satisfied to search out numerous useful info right here in the put up, we need develop extra strategies on this regard, thank you for sharing. . . . . .

    3. Robb S. June 17, 2014 at 1:29 pm #

      The real problem with all of these PW strength testers is they all assume a brute force attack, with some adding on variables for a dictionary attack. However, sophisticated crackers usually incorporate multiple cracking tools such as rainbow tables, cryptanalysis, and hybrid attack tools, to help speed up the cracking process. The only real method of creating a strong password is using a long Pass Phrase – stringing three or more words together based upon something only the end-user knows.
