Those meters that rate password strength work, until they don't

Discussion in 'other security issues & news' started by lotuseclat79, Oct 9, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Those meters that rate password strength work, until they don't.

    -- Tom
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Interesting study, but dictionary attacks anyone?
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Agreed. Words, phrases or quotes from books, songs, movies, popular culture, whatever is known on the net and in the real world, should be avoided for important data/accounts.
    Correcthorsebatterystaple should be something less well-known, like Wrongdonkeygunnerypile. ;)
     
  4. Willmar

    Willmar Registered Member

    Joined:
    Oct 29, 2013
    Posts:
    10
    Try them both out on this checker
    http://www.geekwisdom.com/dyn/passwdmeter

    Then see what it takes to get up to 50
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    I still don't trust these sites for passwords I would actually use. I assume someone out there is just looking for us to add all of them to their dictionary for them.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You can download the script, pull the plug, and wipe the disk after using it. :D

    I just type the same length and type of characters in order.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Best password strength checker:
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Password strength meters will give you a general idea about a password's strength or about its entropy, but they will not take into account the advanced methods used today for password cracking.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From How much entropy in that password?:
    Diceware gives real security.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Which of the following two passwords is stronger,
    more secure, and more difficult to crack?

    D0g.....................


    PrXyc.N(n4k77#L!eVdAfp9
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If PrXyc.N(n4k77#L!eVdAfp9 was generated by a random (or reasonably close to random) process, I'd much rather have PrXyc.N(n4k77#L!eVdAfp9 than D0g..................... , despite the fact that the latter password has one more character. It's true that a naive bruteforce enumeration would be expected on average to find PrXyc.N(n4k77#L!eVdAfp9 in less time than D0g..................... , but password cracking tools take advantage of patterns. Clearly you can see a pattern in D0g..................... . D0g..................... gives security only by obscurity, while PrXyc.N(n4k77#L!eVdAfp9 (assuming it was generated by a (near) random process) gives real security; see post #9. Steve Gibson is just plain wrong about this, IMHO.

    I recommend using Diceware for your master password(s). Use a password manager for your other passwords, protecting the password manager with a Diceware-generated master password of sufficient length. The Diceware FAQ has advice on generating random passwords for situations in which you can't enter a longer Diceware password.
     
    Last edited: Dec 23, 2013
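The point made in post #12 (naive enumeration vs. pattern-aware cracking), the meter outputs in posts #14 and #16, and the Diceware remark in post #9 can be made concrete with a small estimator. The code below is an added example and not from this thread, zxcvbn or Passfault: it assumes a 95-character printable alphabet for the naive count, a constructed toy wordlist standing in for a dictionary of an assumed 10,000 entries, a constructed leet-substitution table, and an invented per-token cost model (one bit per substitution, one bit for a capitalisation pattern). Names such as `tokenize`, `pattern_aware_bits` and `diceware_bits` are this example's own.

```python
import math
import re

# Alphabet a naive enumeration assumes: the 95 printable ASCII characters (assumption).
PRINTABLE = 95

# Leet substitutions undone before a dictionary lookup (constructed subset).
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET = str.maketrans(LEET_MAP)

# Constructed toy wordlist; TOY_WORDLIST_SIZE is the assumed size of the real
# dictionary these words stand in for, which sets the cost of a "word" token.
TOY_WORDLIST = {"dog", "cat", "horse", "battery", "staple", "correct",
                "password", "doink", "the", "clown"}
TOY_WORDLIST_SIZE = 10_000

DICEWARE_LIST_SIZE = 7776  # 6^5 words, one per five dice rolls


def naive_bruteforce_bits(pw: str) -> float:
    """Work (in bits) for an enumeration that treats every position as uniform
    over PRINTABLE: it grows only with length and is blind to structure."""
    return len(pw) * math.log2(PRINTABLE)


def tokenize(pw: str) -> list[tuple[str, str]]:
    """Greedy split into (kind, text) tokens: repeated runs, dictionary words
    (case- and leet-insensitive), and leftover characters treated as random."""
    tokens, i, n = [], 0, len(pw)
    while i < n:
        run = re.match(r"(.)\1{2,}", pw[i:])          # same character 3+ times
        if run:
            tokens.append(("repeat", run.group(0)))
            i += len(run.group(0))
            continue
        word = None
        for j in range(n, i + 2, -1):                 # longest match first, min 3 chars
            cand = pw[i:j]
            if cand.lower().translate(LEET) in TOY_WORDLIST:
                word = cand
                break
        if word:
            tokens.append(("word", word))
            i += len(word)
            continue
        tokens.append(("random", pw[i]))
        i += 1
    return tokens


def token_bits(kind: str, text: str) -> float:
    """Assumed cost model per token (an illustration, not zxcvbn's or Passfault's)."""
    if kind == "repeat":
        # choose the repeated character, then the run length
        return math.log2(PRINTABLE) + math.log2(len(text))
    if kind == "word":
        # pick the word from the dictionary, plus ~1 bit per leet substitution
        # and 1 bit for a non-lowercase capitalisation pattern
        subs = sum(1 for c in text.lower() if c in LEET_MAP)
        caps = 1 if text != text.lower() else 0
        return math.log2(TOY_WORDLIST_SIZE) + subs + caps
    return math.log2(PRINTABLE)                        # treated as a random character


def pattern_aware_bits(pw: str) -> float:
    """Estimate in the spirit of pattern-matching meters: the sum of token costs."""
    return sum(token_bits(kind, text) for kind, text in tokenize(pw))


def diceware_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of an n-word Diceware passphrase: words are drawn uniformly, so
    there is no pattern to exploit and the estimate is exact rather than a guess."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # The two passwords from post #10.
    for pw in ("D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9"):
        print(f"{pw:26} naive={naive_bruteforce_bits(pw):6.1f} bits  "
              f"pattern-aware={pattern_aware_bits(pw):6.1f} bits  tokens={tokenize(pw)}")
    print(f"6-word Diceware passphrase: {diceware_bits(6):.1f} bits")
```

The naive count ranks the 24-character D0g password above the 23-character random one (about 157.7 vs. 151.1 bits), which is the "one more character" argument; the token-based estimate collapses D0g plus a 21-dot run to roughly 26 bits while the random string keeps its full 151, which is the ordering Passfault and zxcvbn report in posts #14 and #16. The toy dictionary also scores "doink the clown" at about 53 bits rather than the 98 bits a naive count gives, which is why a phrase that a meter rates highly can still be a poor choice if it is in a cracking dictionary. A six-word Diceware passphrase comes out at about 77.5 bits, and because the words were chosen by dice, that figure does not depend on which meter is asked.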
  13. Phantoms

    Phantoms Registered Member

    Joined:
    Jan 15, 2009
    Posts:
    22
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Let's see what Passfault, a password strength measurement service that uses common patterns to ascertain password strength, says about these two passwords, using default options:

    PrXyc.N(n4k77#L!eVdAfp9 : Time To Crack: 4944050122782896 centuries :thumb:
    D0g..................... : Time To Crack: less than 1 day :argh:

    Don't take Passfault as gospel though either. I tested it with "doink the clown" and got 106 centuries to crack, but IMHO it's not a good password because it's a phrase that might be in a cracking dictionary.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From bad security advice: Steve Gibson's password haystacks:
    Another critic's view of the Haystack method: https://www.wilderssecurity.com/showpost.php?p=2320347&postcount=15.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Now let's try https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html:

    D0g..................... : 97.852 seconds
    PrXyc.N(n4k77#L!eVdAfp9 : 4.4964660849471965e+36 seconds
     