PASSWORD STRENGTH CHECKER
TEST YOUR PASSWORD

Using this password strength checker, you'll be able to test the strength of any password. The application was created for purely educational purposes, to help you understand how to create a strong password. You'll get real-time feedback about bad practices and about how to improve the strength of the password. However, there is no official weighting system to assess the strength of any given password, so we're using multiple factors and custom formulas in our algorithm.
*All the processing happens in your browser (coded in JavaScript) and no passwords are stored.

Results reported by the checker:

  • Strength (percentage)
  • Password Complexity
  • Password Entropy, in bits (the higher, the better; aim for at least 70 bits)
  • Brute force calculator - Estimated time to crack password
  • Password Blacklist Check

Recommended - Good password practices

  • Password length (at least 12 characters)
  • Use Uppercase Letters [A-Z]
  • Use Lowercase Letters [a-z]
  • Use Numbers [0-9]
  • Use Symbols [!@#]

Warnings - Bad Password Practices

  • Your Password Contains Only Letters
  • Your Password Contains Only Numbers
  • Your password contains Repeated Characters
  • You have too many Consecutive Uppercase Letters
  • You have too many Consecutive Lowercase Letters. Try to include some Uppercase in between.
  • Your password contains a Number. Make sure it is not related to anything personal (birth date, house nr etc)
  • Your password contains Sequential Letters (abc...)
  • Your password contains Sequential Figures (123...). Very bad practice.
  • Your password contains Sequential Symbols (!@#)

About this password strength checker

As mentioned before, there is no official weighting system to calculate the strength of a password. That’s why we decided to calculate the password strength by 4 different methods. Here is exactly what this password tool calculates:

1. Password Complexity
The password complexity is calculated with a custom algorithm that takes into account many aspects like password length, type of characters used (lowercase, uppercase, numbers, symbols), repeated characters, sequential characters, etc. It displays 5 statuses “Very Weak, Weak, Good, Strong and Very Strong” and it’s correlated with the percentage progress bar.

2. Password Entropy
Password entropy is usually expressed in bits. It takes into consideration the maximum possible combinations given the character set used (lowercase, uppercase, numbers, symbols) and the length of the password. Basically, the longer the password, the higher the entropy. There are many online password meters out there using password entropy as the only strength factor. In practice, this is a very poor approach. For example, a 20-character password like “11111111111111111111”, which has 66.4 bits, will be considered stronger than “Vj7%mlA8!1”, which has 65.7 bits. That is false.

3. Brute force calculator
We try to estimate the time needed to crack a password with brute force. A brute force attack is the equivalent of trying every possible combination until the right password is found. There are many types of brute force attacks, but success is usually based on computing power (how many combinations can be processed in a specific timeframe). Brute force attacks are used mostly as a last resort, as they can be very time-consuming. In our formulas, we only take into account the maximum possible combinations given the charset used and the password length.

4. Password Blacklist check
We check the password against a list of blacklisted passwords. These are passwords that were publicly exposed after a data breach or listed in different reports as the most used passwords. Stay away from passwords that have been blacklisted: these are the first passwords to be used in attacks.
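
The comparison from the Password Entropy section, as an added JavaScript example (not the checker's own code): entropy alone ranks “11111111111111111111” above “Vj7%mlA8!1”, while simple pattern and blacklist checks flag it. The pool sizes (94 characters in total, as in the tips section), the three-character run threshold and the shortened blacklist are assumptions, so values can differ slightly from the figures quoted above.

```javascript
// Added illustration; not the checker's own source code.
// Assumed pool sizes: 10 digits, 26 + 26 letters, 32 ASCII symbols (94 total).
const BLACKLIST = new Set(["123456", "password", "qwerty", "111111", "abc123"]); // sample of the page's list

function charsetSize(pw) {
  let size = 0;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[^0-9a-zA-Z]/.test(pw)) size += 32;
  return size;
}

// Naive metric: entropy in bits = length * log2(charset size).
function entropyBits(pw) {
  const size = charsetSize(pw);
  return size === 0 ? 0 : pw.length * Math.log2(size);
}

// True if pw contains `run` ascending or descending letters/digits in a row.
function hasSequence(pw, run = 3) {
  const s = pw.toLowerCase();
  let up = 1, down = 1;
  for (let i = 1; i < s.length; i++) {
    const alnum = /[a-z0-9]/.test(s[i]) && /[a-z0-9]/.test(s[i - 1]);
    const d = s.charCodeAt(i) - s.charCodeAt(i - 1);
    up = alnum && d === 1 ? up + 1 : 1;
    down = alnum && d === -1 ? down + 1 : 1;
    if (up >= run || down >= run) return true;
  }
  return false;
}

// Pattern checks that entropy alone cannot see.
function findWeaknesses(pw) {
  const found = [];
  if (BLACKLIST.has(pw.toLowerCase())) found.push("blacklisted");
  if (pw.length < 12) found.push("shorter than 12 characters");
  if (/^[a-zA-Z]+$/.test(pw)) found.push("only letters");
  if (/^[0-9]+$/.test(pw)) found.push("only numbers");
  if (/(.)\1\1/.test(pw)) found.push("repeated characters");
  if (hasSequence(pw)) found.push("sequential characters");
  return found;
}

for (const pw of ["11111111111111111111", "Vj7%mlA8!1", "abc123"]) {
  console.log(pw, entropyBits(pw).toFixed(1) + " bits", findWeaknesses(pw));
}
```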

Tips on how to create a strong password

In order to create a strong password, you first need to understand how the strength of a password is calculated and how it can be hacked. Basically, it all comes down to the total number of possible combinations, which depends on the length of the password and the number of characters in the charset used. For example, if you have a password of 8 characters in length and you only use numbers (let's say 45379821), then the formula to calculate the total possible combinations is 10^8 = 100.000.000 total possible password combinations. It may seem like a lot, but believe it or not, an average modern computer can process all these combinations (this is called a brute force attack) in about 1 minute. If we're talking about supercomputers or a botnet, then the time to crack it is reduced to a few milliseconds.

Formula variables:
8 - the length of the password
10 - the total of characters in the charset (in this case 0-9)

Now let's take again a password with 8 characters but this time we'll use numbers, lowercase, uppercase and symbols (Ha%bL-sq). We end up with a charset of 94 total characters.

94^8 = 6.0956894e+15 total combinations

For the same average PC, it would now take about 38 years to process all the combinations. A botnet, though, would probably manage to crack it in a few hours. A password with 8 characters isn't really secure in any combination.

So, when it comes to creating a strong password:
1. Password length matters a lot. We recommend at least 12 characters.
2. Total charset used matters a lot (combination of letters, numbers, symbols)
3. Randomness matters

Why do we say randomness matters? You would probably think now that sticking a bunch of regular words into a longer password like "tomatopotatosoup" is very secure. Well, it's not. These types of passwords can be easily cracked with another type of attack, called a dictionary attack. This takes us to the next point: what to avoid when creating your passwords.

Weak passwords

Avoid these bad practices when creating your password

1. Don’t use your personal data, especially your name or the names of your children, husband, wife, girlfriend, etc. Also avoid using your (or their) date of birth, phone number, street address, car plate number, etc. This is because hackers can create a custom dictionary attack based on all your personal data, which is pretty easy to get from social media these days.

2. Don't use common dictionary words, even if it's a long word or a couple of words together. Again, you can be targeted with a dictionary attack.

3. Don't use sequential letters or numbers (1234567, abcdef) or keyboard patterns (qwerty).

4. Don't use the same password on all your accounts, at least for important ones.

5. Don't use uppercase letters or numbers only at the beginning or at the end of your password. This is a very common pattern.

6. Whatever you do, don't use a blacklisted password because it will be breached in a blink. Our application also checks your password against a password blacklist (passwords breached or exposed in public lists in recent years). For example, these are the 25 most used passwords in 2018.

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou
  11. princess
  12. admin
  13. welcome
  14. 666666
  15. abc123
  16. football
  17. 123123
  18. monkey
  19. 654321
  20. !@#$%^&*
  21. charlie
  22. aa123456
  23. donald
  24. password1
  25. qwerty123

Conclusion

So, when it comes to creating a strong password you have one of these 3 options:

1. Use a random password generator and create a password of at least 12 characters (numbers, lowercase, uppercase, and symbols combined). It is harder to remember, but it's the most secure.

2. Use a longer passphrase but include uppercase, numbers, and symbols. You could do some character replacements like this: “myPa$$w0rd!s^longerThany0urs”. Many articles on the web advise just slamming together 3 random words, and that's it. Of course, it is easier to remember and faster to type, but 3 dictionary words in lowercase are much weaker.

3. Use password manager software. It can automatically create strong random passwords and easily manage them. There are plenty of choices here: you can either use a standalone password manager (list with some of the best password managers), or you can choose an internet security suite with a password manager included.

Now that you have a strong password, be sure to keep it to yourself :)