
Your password(s) - how strong are they AND WHY...

The reason that many people use poor passwords is that they have no way of telling what is good or bad, AND WHY! The latter is a critical factor in educating people about strong passwords, hence the logic below. Feedback is very welcome because I have never seen this attempted anywhere, not even on the WWW.

You will not be asked to enter your password, as that is obviously the last thing you or I would want. Instead you will be asked a series of questions about it, from which you can simply calculate a numeric figure that approximates its strength.

Please note that:

  1. This method is not intended to be scientifically or mathematically 'correct': it is based on my judgement of what a hacker is going to try before giving up and switching to stealing the password rather than cracking it. Also, most advice that goes into the maths of passwords ignores the fact that, to make them memorable, people have to link them to something in the real world, and therefore dictionaries of all sorts are in abundant use by hackers as their path of least resistance.
  2. The method has had no formal rigour applied to it apart from peer review, and as such you make any judgements and take any and all risks based on your own knowledge, skill and common sense, not mine.

How to assess the strength of a password:

  1. Firstly, what is the variety of the characters used? Score the following, starting with a count of 0 for variety:
    • Add 2 if there is a lower case character - i.e. a-z
    • Add 1 if there is a Numeric character - i.e. 0-9 BUT NOT if the only one is a single digit at the start or end
    • Add 2 if there is an UPPER case character - i.e. A-Z BUT NOT if the only one is the first character of a word
    • Add 3 if there is a punctuation character - for examples see the keyboard(s) that you will use (there may be more than one!), normally the top row when shifted. Note that I have referred to these as punctuation but I am including what are often called 'special' characters.

    You now have a rough measure of the variety (or entropy) of your password: high is very good, but anything less than 4 is poor, and 5 is OK as long as your password is sufficiently complex. The maximum score is 8.

  2. Now for the complexity of the characters in the password. Start at the top of the list below; when part of the password matches a description, remove that part from the password and work with the rest FROM THE TOP AGAIN, without resetting the score to zero. Start with a count of 0 (for complexity):

      When there are no more characters left (you remove them after they match!) you can leave this list with the score for complexity. This list is trying to tell you what is good (high is GOOD) and bad about the different parts of your password and, of course, how many of them there are, i.e. how many times you come back to the top - MANY is GOOD, even if there are few high numbers.

    • Add 4 for any set of characters that could be at all related to the resource that the password secures, what it does, or what most users will be thinking about at the prompt - not just their user name but what they could be doing instead of keying in that password - yes, drinking beer, getting a tan, party-related phrases etc. are all included!
    • Add 5 for any name OR PHRASE - place, person, animal, quotations, lyrics - especially if famous, popular, very common, trendy etc.
    • Add 7 for any word that is in the dictionary and in common use
    • Add 5 for any character repetition or similar sequence of characters that can be derived from the alphabet, the keyboard (in any direction) or another simple rule.
    • Add 8 for any of the top 4 items if the word / character string has only trivial transpositions - 5s to Ss, bs to 6s or Bs to 8s as one example, or taking the first letter of each word of a phrase, lyric etc. as another.
    • Add 9 for any of the top 4 items if there are moderate but single complexity transpositions - removing vowels, first vowel for instance, reversal of characters etc.
    • Add 12 for any of the top 4 items if there are complex or multiple transpositions - i.e. 2 transpositions on 1 word or 2 different transpositions on different words.

      Don't forget, with the above (and below): REMOVE WHAT MATCHED (word, name, character etc.) and go back to the top of this list.

    • Add 6 for any numeric character left
    • Add 8 for any lower case character left
    • Add 9 for any UPPER case character left
    • Add 11 for any character left - by now you should be able to simply count them and multiply by 11 if you have got this far.

    Now add the length of the password to the score, divide by 5 and round the result to the nearest whole number (up or down).

    You now have a rough measure of the complexity of your password: very high is very good, but 6 and below is poor. There is no maximum score, but a password such as '9ebgreNcT,A' from above would score 12 on this measure - counting 4 for eBay plus 9 each for Green and Cat, plus 6 for '9', 9 for 'A' and 11 for ',' makes 48; adding 11 for length gives 59, and 59 divided by 5 is 12 when rounded.

    FYI, 'Z4bvrlBA' would score 7 when rounded up: counting 4 for BA, 7 for Bovril, 6 for '4' and 9 for 'Z', plus a length of 8, makes a total of 34 before dividing by 5. Also FYI, 'beckham99' gives a score of 5 and 'password1' gives 3.

    You can now make a judgement about how strong a password is by putting the last number into a calculator and multiplying it by itself as many times as the score you have for variety (i.e. raising the complexity score to the power of the variety score). So what I described as poor above was 6 for complexity, multiplied by itself 4 times, 4 being the 'poor' score for variety: 6 * 6 * 6 * 6 is 1296.




    You can use the calculator to the right to do the arithmetic, but the important thing is that you saw where the figures came from! You can see the effect of using different characters, and that long words, names etc. don't really add to strength.

    In terms of bad and good strength scores:

    • 1,000 or less is very bad - 'beckham99' gives a score of 125 (5**3), 'password1' gives 27!!! (3**3).
    • Between 1,000 and 10,000 is anywhere from very bad to OK - 2,000 might be acceptable for no-risk sites and 5,000 for sites where someone could 'have fun' with your account but where there should be no risk taken - remember that even on a bulletin board you can be sued for libel, for instance!
    • 10,000 or above is OK for resources where you have little or nothing to lose and presumably hackers have little to gain. (The level 2 example of 'Z4bvrlBA' gives 16,807 - 7**5 - but if 'BA' were replaced by my '2 bottles of champagne' example then 'Z4bvrl2boc' would be a serious 370,000 - 13**5 - i.e. no increase in variety, but the '2boc' adds so much complexity because to the hacker it has no relationship to the site.)
    • 100,000 would be reasonable where being compromised would cause little inconvenience and half an hour to remedy.
    • 1 million (1,000,000) would be reasonable where being compromised would cause inconvenience and a few hours of effort to remedy. It may be difficult to get higher than this on some sites, typically because they don't allow punctuation characters. You may need to use 3 'unrelated' words rather than 2 to get this high, or maybe add another unconnected upper or lower case character.
    • 10 million would be acceptable for small financial risks and significant inconvenience and time to remedy.
    • Over 100 million (8 zeros) would probably be adequate for serious financial risk as long as you were not targeted, but in that situation the password would be stolen by other means. ('9ebgreNcT,A' is over 400m.)
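    The whole procedure above, as an added example that is not part of the original page: the variety list is scored mechanically (including its two exceptions), the complexity points are supplied by hand because that list needs human judgement about words, names and transpositions, and the result is placed in the bands just listed. The band labels and the 'start of a word' reading of the upper-case rule are my assumptions, and the worked values are the page's own 'Z4bvrlBA' and '9ebgreNcT,A'.

```python
import math
import string

# Variety (section 1): 0..8. Two exceptions from the page: a lone digit at
# either end does not count, nor does a lone capital that only starts a word
# (position 0 or after a non-letter; "word start" is my reading of the rule).
def variety_score(pw):
    score = 2 if any(c.islower() for c in pw) else 0
    digits = [i for i, c in enumerate(pw) if c.isdigit()]
    if digits and not (len(digits) == 1 and digits[0] in (0, len(pw) - 1)):
        score += 1
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    lone_word_start = (len(uppers) == 1 and
                       (uppers[0] == 0 or not pw[uppers[0] - 1].isalpha()))
    if uppers and not lone_word_start:
        score += 2
    if any(c in string.punctuation for c in pw):
        score += 3
    return score

# Complexity (section 2): `parts` are the (fragment, points) pairs the reader
# assigned while working down the list; the length is added, then /5, rounded.
def complexity_score(pw, parts):
    total = sum(points for _, points in parts) + len(pw)
    return math.floor(total / 5 + 0.5)   # nearest whole number, halves up

def strength(pw, parts):
    # "multiply it by itself as many times as the score for variety"
    return complexity_score(pw, parts) ** variety_score(pw)

# Lower bounds of the bands listed above, highest first (labels are mine).
BANDS = [(100_000_000, "serious financial risk, unless targeted"),
         (10_000_000, "small financial risk"),
         (1_000_000, "a few hours of effort to remedy"),
         (100_000, "little inconvenience to remedy"),
         (10_000, "OK where there is little or nothing to lose")]

def band(score):
    if score <= 1_000:
        return "very bad"
    for lower, label in BANDS:
        if score >= lower:
            return label
    return "very bad to OK"

if __name__ == "__main__":
    # 'Z4bvrlBA' as worked on the page: BA=4, bovril=7, '4'=6, 'Z'=9
    parts = [("BA", 4), ("bvrl", 7), ("4", 6), ("Z", 9)]
    s = strength("Z4bvrlBA", parts)
    print(variety_score("Z4bvrlBA"), complexity_score("Z4bvrlBA", parts), s, band(s))
```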

    It has to be stressed that mathematicians will not approve of the above method at all, but the problem with presenting the topic in a 'pure' manner is that:

    1. Any 'simple' mathematical approach is totally flawed because the probability of using letters, words, names etc. dwarfs any algorithm that simply looks at the character set (which roughly equates to variety) and the number of characters used - on that basis 'Beckham1' would be as good a password as 'Z4bvrlMu'.
    2. When a classical rigorous approach is taken it loses any clarity whatsoever, because authors with that understanding of the mathematics will expect their readers to have a deep understanding of the subject - otherwise they would not be reading it. What I hope is that readers will at least be able to understand the consequences of using words, names and phrases in common use etc., and the dramatic impact of variety.
    Just try the calculator with variety increased by 1 or 2 - a BIG difference! A simple addition of a 'disconnected' capital letter and number can do it...

    This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions

    Links and other information last validated on 7th August 2007. Please use the Contact us page to suggest any additions or revisions.
