Password Strength Considerations
May 19, 2011
Recently, I was looking at creating strong passwords and looked at various online tools to determine the strength of my password. However, the same password would be rated differently by each tool. This led me to think that everyone has their own standard of how strong a password is. Following the same train of thought, I decided to create my own (yes, yet another) set of criteria for judging how strong a password is. But my approach is a bit different. Instead of saying a password is secure or weak, I ask a set of questions and you rate your password based on these questions. If your password rates higher on most questions, it may be more secure than if it rated higher on a few questions or rated low on most questions. Did that make any sense? Anyway, the questions follow.
What is the length of the password? e.g. in “mypassword” the answer is 10. The longer the password, the better: every extra character multiplies the number of candidates an attacker has to try, so a password of length 15 takes vastly longer to brute-force than one of length 5.
How many different characters did you use? e.g. in “mypassword” the answer is 9, because ‘s’ appears twice. The more distinct characters you put into your password, the bigger the space of possibilities someone has to search to break it.
How many runs of the same character did you use in sequence? e.g. in “mypassword” the answer is 1, because ‘ss’ is the only run. Repeating a character in sequence makes your password more predictable, so the fewer runs there are, the stronger it is.
Which characters did you use in sequence? e.g. in “mypassword” the answer is ‘s’. This question helps you choose a better character to repeat (if you really need a run at all).
How many different characters did you use in sequence? e.g. in “mypassword” the answer is 1, because only ‘s’ is repeated. So you have runs in your password. If the same character is used in all of them, that makes your password weaker; if there are runs but each one uses a different character, that is still better than the same character in every run.
What is the ratio of non-sequence characters to sequence characters? This ratio should be high for a more secure password.
What percentage of the password is made up of sequence characters? The higher the percentage, the weaker the password. (This is the same information as the previous ratio, expressed as a percentage.)
How many times did you alternate between alphabetical characters, numerical characters, and punctuation/other characters? e.g. in “mypassword” the answer is zero, because only alphabetical characters are used. In “myp@ssw0rd” the answer is 4: the switches ‘p’ to ‘@’, ‘@’ to ‘s’, ‘w’ to ‘0’ and ‘0’ to ‘r’ each cross from one character class to another.
How many upper- and lower-case characters did you use (if the application is case-sensitive)? The more variety of upper- and lower-case characters, the more secure the password.
What is the distribution of upper- and lower-case characters? e.g. in “myPassWOrd” there are 7 lower-case and 3 upper-case characters. Should the distribution be closer to 50% for each?
How many different scripts (languages) did you use for the alphabetical characters? e.g. in “mypassword” only one script (the Latin alphabet, as used by English) is used. If your application allows Unicode characters, mixing characters from different scripts enlarges the alphabet an attacker must search; just make sure you can actually type them on every keyboard you log in from.
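To make the questions above concrete, here is an added example (not part of the original post) that computes an answer to each of them for a given password, plus a rough search-space estimate in bits for the length and alphabet questions. The sample passwords are constructed for illustration, the character-class alphabet sizes in guess_bits are an assumption, and the script detection approximates a character's script from its Unicode name because the standard library exposes no Script property.

```python
import math
import unicodedata
from itertools import groupby

# Constructed sample passwords for illustration only (the three from the post
# plus a mixed-script one and a degenerate all-repeat one); not real credentials.
SAMPLES = ["mypassword", "myp@ssw0rd", "myPassWOrd", "passwordпароль", "aaaaa"]


def char_class(c):
    """Coarse class used for the alternation count: alpha, digit or other."""
    if c.isalpha():
        return "alpha"
    if c.isdigit():
        return "digit"
    return "other"


def runs(pw):
    """Maximal runs of one character repeated consecutively, e.g. ('s', 2) for 'ss'."""
    found = []
    for c, group in groupby(pw):
        n = len(list(group))
        if n > 1:
            found.append((c, n))
    return found


def guess_bits(pw):
    """Rough log2 of the brute-force search space: length * log2(alphabet).

    Assumption for illustration: the attacker knows which classes appear and
    tries only those (26 lower, 26 upper, 10 digits, 33 ASCII punctuation);
    any non-ASCII character is credited a nominal 100 extra symbols.
    """
    size = 0
    if any(c.isascii() and c.islower() for c in pw):
        size += 26
    if any(c.isascii() and c.isupper() for c in pw):
        size += 26
    if any(c.isascii() and c.isdigit() for c in pw):
        size += 10
    if any(c.isascii() and not c.isalnum() for c in pw):
        size += 33
    if any(not c.isascii() for c in pw):
        size += 100
    return len(pw) * math.log2(size) if size else 0.0


def analyze(pw):
    """Answer each of the post's questions for one password; returns a dict."""
    rs = runs(pw)
    # A 'sequence character' is every character sitting inside a run, so 'ss'
    # contributes 2 (one reading of the post's wording).
    seq_chars = sum(n for _, n in rs)
    non_seq = len(pw) - seq_chars
    classes = [char_class(c) for c in pw]
    # Script approximated by the first word of the Unicode character name
    # (LATIN, CYRILLIC, GREEK, ...).
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in pw if c.isalpha()}
    return {
        "length": len(pw),
        "distinct": len(set(pw)),
        "run_count": len(rs),
        "run_chars": [c for c, _ in rs],
        "distinct_run_chars": len({c for c, _ in rs}),
        "nonseq_to_seq": non_seq / seq_chars if seq_chars else math.inf,
        "seq_percent": 100.0 * seq_chars / len(pw) if pw else 0.0,
        "class_transitions": sum(1 for a, b in zip(classes, classes[1:]) if a != b),
        "upper": sum(1 for c in pw if c.isupper()),
        "lower": sum(1 for c in pw if c.islower()),
        "scripts": sorted(scripts),
        "guess_bits": round(guess_bits(pw), 1),
    }


if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw)
        for key, value in analyze(pw).items():
            print(f"  {key:20} {value}")
```

Running it shows the limit of these structural questions: “mypassword” gets 10 characters, 9 distinct, one run, no class changes and an estimate of about 47 bits against pure brute force, yet it is two dictionary words and any wordlist attack finds it immediately. Treat the counts as a way to compare candidate passwords, not as proof that one is safe.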
These were a few questions that came to my mind. Do you have any to add?