Those meters that rate password strength work, until they don't

Discussion in 'other security issues & news' started by lotuseclat79, Oct 9, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Those meters that rate password strength work, until they don't.

    -- Tom
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Interesting study, but dictionary attacks anyone?
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Agreed. Words, phrases or quotes from books, songs, movies, popular culture stuff, whatever is known on the net and real world should be avoided for important data/accounts.
    Correcthorsebatterystaple should be something like a less-known Wrongdonkeygunnerypile. ;)
     
  4. Willmar

    Willmar Registered Member

    Joined:
    Oct 29, 2013
    Posts:
    10
    Try them both out on this checker
    http://www.geekwisdom.com/dyn/passwdmeter

    Then see what it takes to get up to 50
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I still don't trust these sites for passwords I would actually use. I assume someone out there is just looking for us to add all of them to their dictionary for them.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    You can download the script, pull the plug, and wipe the disk after using it. :D

    I just type the same length and type of characters in order.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Best password strength checker:
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Password strength meters will give you a general idea about a password's strength or about its entropy, but they will not take into account the advanced methods used today for password cracking.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From How much entropy in that password?:
    Diceware gives real security.
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Which of the following two passwords is stronger,
    more secure, and more difficult to crack?

    D0g.....................


    PrXyc.N(n4k77#L!eVdAfp9
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If PrXyc.N(n4k77#L!eVdAfp9 was generated by a random (or reasonably close to random) process, I'd much rather have PrXyc.N(n4k77#L!eVdAfp9 than D0g..................... , despite the fact that the latter password has one more character. It's true that a naive brute-force enumeration would be expected on average to find PrXyc.N(n4k77#L!eVdAfp9 in less time than D0g..................... , but password cracking tools take advantage of patterns. Clearly you can see a pattern in D0g..................... . D0g..................... gives security only by obscurity, while PrXyc.N(n4k77#L!eVdAfp9 (assuming it was generated by a (near) random process) gives real security; see post #9. Steve Gibson is just plain wrong about this, IMHO.

    I recommend using Diceware for your master password(s). Use a password manager for your other passwords, protecting the password manager with a Diceware-generated master password of sufficient length. The Diceware FAQ has advice on generating random passwords for situations in which you can't enter a longer Diceware password.
     
    Last edited: Dec 23, 2013
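To make the naive-versus-pattern-aware point in the post above concrete, here is an added example (not from the thread, and not the code of Passfault, zxcvbn or the haystack calculator) that scores both passwords two ways: a haystack-style count of uniform draws from the character classes present, and a toy pattern-aware model that charges a repeated run as one character plus its length and a l33t-normalised dictionary word as one draw from an assumed million-entry wordlist. The tokenizer, the constructed wordlist, DICT_SIZE and the bit costs are all assumptions of this example, chosen to show why the two estimates disagree.

```python
import math
import re
import string

SYMBOLS = string.punctuation + " "   # 33 symbols, the haystack calculator's count
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

# Constructed toy wordlist for membership tests; a hit is charged as one draw
# from an assumed million-entry cracking dictionary.
WORDLIST = {"dog", "cat", "horse", "battery", "staple", "correct", "password"}
DICT_SIZE = 10**6
UNLEET = str.maketrans("0143@$", "oiaeas")      # substitutions a cracking rule undoes
TOKEN = re.compile(r"(.)\1{2,}|[A-Za-z0-9]+|.")  # repeat run | alnum chunk | one char


def alphabet_size(pw):
    """Union of the character classes present in pw (95 when all four appear)."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))


def naive_bits(pw):
    """Haystack-style estimate: every position is an independent uniform draw."""
    return len(pw) * math.log2(alphabet_size(pw))


def pattern_bits(pw):
    """Toy pattern-aware estimate (assumed model): a run of 3+ identical characters
    costs one character plus its length; a word found after undoing case and l33t
    substitutions costs log2(DICT_SIZE) plus one bit per substitution and one for
    capitalisation; anything else is charged at the naive per-character rate."""
    per_char = math.log2(alphabet_size(pw))
    total = 0.0
    for m in TOKEN.finditer(pw):
        tok = m.group(0)
        if m.group(1) is not None:                 # repeated run such as "....."
            total += per_char + math.log2(len(tok))
            continue
        plain = tok.lower().translate(UNLEET)
        if plain in WORDLIST:
            subs = sum(a != b for a, b in zip(tok.lower(), plain))
            total += math.log2(DICT_SIZE) + subs + (tok != tok.lower())
        else:
            total += len(tok) * per_char
    return total


def compare(pw):
    """(naive bits, pattern-aware bits), each rounded to one decimal place."""
    return round(naive_bits(pw), 1), round(pattern_bits(pw), 1)


if __name__ == "__main__":
    for pw in ("D0g.....................", "PrXyc.N(n4k77#L!eVdAfp9"):
        print(pw, "naive=%.1f bits, pattern-aware=%.1f bits" % compare(pw))
```

The naive count favours the 24-character D0g string, while the pattern-aware model collapses it to a dictionary word plus a run and leaves the random string untouched, which is the reversal the thread describes.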
  13. Phantoms

    Phantoms Registered Member

    Joined:
    Jan 15, 2009
    Posts:
    22
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Let's see what Passfault, a password strength measurement service that uses common patterns to ascertain password strength, says about these two passwords, using default options:

    PrXyc.N(n4k77#L!eVdAfp9 : Time To Crack: 4944050122782896 centuries :thumb:
    D0g..................... : Time To Crack: less than 1 day :argh:

    Don't take Passfault as gospel though either. I tested it with "doink the clown" and got 106 centuries to crack, but IMHO it's not a good password because it's a phrase that might be in a cracking dictionary.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From bad security advice: Steve Gibson's password haystacks:
    Another critic's view of the Haystack method: https://www.wilderssecurity.com/showpost.php?p=2320347&postcount=15.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Now let's try https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html:

    D0g..................... : 97.852 seconds
    PrXyc.N(n4k77#L!eVdAfp9 : 4.4964660849471965e+36 seconds
     