Introduction

Everyone can agree that, to maintain online privacy and security, using Strong Passwords is crucial. What is a little harder to agree on, however, is what determines a strong password. Most sites will give some suggestions or requirements as to what a strong password should include, such as having a minimum number of characters, including numbers, etc. (see the Password Tips page for some more information), but can a password's strength be measured quantitatively?

The answer is yes and no. Yes, we can come up with an algorithm, or a set of parameters or criteria, that we can use to score a password's strength, but there is no universally accepted way to give a password a quantitative score, and each scoring system needs to make some decisions and trade-offs as to which properties to value more than others. This doesn't mean, however, that Password Strength measurements are of no use. A password strength score can help give you a general idea of how strong a password is, and can be used to give a relative evaluation of passwords. Bear in mind that just because a password has a high strength score doesn't mean it can't be hacked or broken.

PWMinder Password Strength Evaluator

PWMinder Desktop includes a Password Evaluator, which gives a score and a strength value to your passwords. This can give you a general idea of how good your various passwords are.

Password Strength Example

In version 3.1.3, the method for determining the score was slightly adjusted, and the same method will be used in upcoming releases of PWMinder Android and iPWMinder. The following is the algorithm/criteria used in the PWMinder Suite of products.

A password starts with a score of zero, then gets several additions and deductions, and ends up with a score out of 100.

Additions

  • Score += (Password Length * 5)
  • Score += (Number of Symbols * 3)
  • Score += (Number of Unique Characters * 2)
  • Score += (Number of Requirements met * 4)

The Requirements are:
  1. Password length >= 8
  2. Password contains at least one Uppercase Letter (A-Z)
  3. Password contains at least one Lowercase Letter (a-z)
  4. Password contains at least one Digit (0-9)
  5. Password contains at least one Symbol (i.e. not a Letter or a Digit)

Deductions

  • If the Password is all Letters (case insensitive), then: Score -= (Password Length * 1)
  • If the Password is all Digits, then: Score -= (Password length * 1)
  • If the Password has repeated consecutive characters, then: Score -= (Number of repeated consecutive characters * 3)
  • If the Password has consecutive character types (e.g. Uppercase, Lowercase, Digits, Symbols), then: Score -= (Number of consecutive character types * 2)
  • If the Password has sequential characters, then: Score -= (Number of sequential characters * 3)

Notes:

Repeated Consecutive Characters only start counting after the first character, e.g. "111" has 2 repeated characters. If more than one group of repeated consecutive characters is found, the number is cumulative, e.g. "11aa" is 2, "11aa11" is 3, "1111aa" is 4.

Consecutive Character Types only start counting after the first character, e.g. "abc" has 2 consecutive lowercase characters. If more than one group of consecutive characters is found, the number is cumulative, e.g. "aevgz+LNPQ" has 7 consecutive character types (4 lowercase and 3 uppercase).

Sequential Characters are only counted when there are 3 or more sequential characters, e.g. "abcdef" is 4, "abc" is 1, "ab" and "a" are 0. If more than one group of sequential characters is found, the number is cumulative, e.g. "abcde+lmno" is 5. Sequential is case sensitive, i.e. "aBcD" is not considered as sequential.

Qualitative Score

PWMinder uses the following qualitative scoring system, based on the calculated score:

Score Value
0-20 Very Weak
21-50 Weak
51-60 Fair
61-80 Strong
81-100 Very Strong

Examples

Password Score Strength
abc 15 Very Weak
3a$ 36 Weak
htsfg-G 56 Fair
ABC-12a3f 77 Strong
123a$4aACz 82 Very Strong
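
The rules above, written out as an added Python example (not PWMinder's own code) that reproduces the five scores in the table. Assumptions not stated on the page: sequential runs are ascending letters or digits compared by code point, unique characters are case sensitive, and the result is clamped to 0..100.

```python
def char_class(c):
    """Upper, Lower, Digit or Symbol (anything not a letter or digit)."""
    if c.isupper():
        return "U"
    if c.islower():
        return "L"
    return "D" if c.isdigit() else "S"

def count_repeats(pw):
    """Adjacent identical characters: "111" -> 2, "11aa11" -> 3."""
    return sum(a == b for a, b in zip(pw, pw[1:]))

def count_same_type(pw):
    """Adjacent characters of the same class: "abc" -> 2."""
    return sum(char_class(a) == char_class(b) for a, b in zip(pw, pw[1:]))

def count_sequential(pw):
    """Runs of 3+ ascending characters: "abc" -> 1, "abcdef" -> 4.
    Assumption: ascending letters/digits only, compared by code point."""
    def step(a, b):
        return a.isalnum() and b.isalnum() and ord(b) - ord(a) == 1
    return sum(step(a, b) and step(b, c) for a, b, c in zip(pw, pw[1:], pw[2:]))

def score(pw):
    classes = {char_class(c) for c in pw}
    symbols = sum(char_class(c) == "S" for c in pw)
    requirements = (len(pw) >= 8) + len(classes)  # length + one per class present
    total = len(pw) * 5 + symbols * 3 + len(set(pw)) * 2 + requirements * 4
    if pw and classes <= {"U", "L"}:      # all letters
        total -= len(pw)
    if classes == {"D"}:                  # all digits
        total -= len(pw)
    total -= count_repeats(pw) * 3
    total -= count_same_type(pw) * 2
    total -= count_sequential(pw) * 3
    return max(0, min(100, total))        # assumption: clamp to 0..100

def label(s):
    for limit, name in ((20, "Very Weak"), (50, "Weak"), (60, "Fair"), (80, "Strong")):
        if s <= limit:
            return name
    return "Very Strong"

if __name__ == "__main__":
    # The five passwords from the page's table, plus one constructed sample.
    for pw in ["abc", "3a$", "htsfg-G", "ABC-12a3f", "123a$4aACz", "Password1!"]:
        print(f"{pw!r:14} {score(pw):3} {label(score(pw))}")
```

The constructed sample "Password1!" scores 76 (Strong) under these rules even though it is a widely used password: the score measures composition, not how guessable a password is.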

References

The password strength score calculations are adapted from the following:
