Many password testers simply check for password length and complexity; they do not take into account the likelihood that the password is a common one. Our password assessor checks for this as well, adding an extra level of checking.
You are connected to the server via an encrypted SSL link, so no-one else sees your password. In fact the password is never sent to the server at all, as the password assessor performs the assessment in JavaScript on your own computer, not on our server. However, if you still don't trust me (and why should you?), the Assessor is written in HTML and JavaScript, so if you prefer you can download it HERE and run it on your own PC offline.
Password Assessment
1: General Assessment
The general assessment of the password is based on its length, its complexity in terms of the size of the 'alphabet' used to create it, and whether it appears in a list of 10,000 common passwords that are claimed to represent 98% of passwords in use (see note 5 for more details). It is not a guarantee of success, as there is no such thing as complete security, but I believe it gets closer than many simplistic password checkers.

2: Password Length
The longer the password, the more secure it will be. Realistically, 8 characters is a basic minimum if possible. Assuming the password is not a well-known one (those are checked first), the more characters it contains, the greater the number of permutations possible for a given password 'alphabet'. If it is not a common password, a very long password will take longer to crack than a shorter one, arguably regardless of complexity. See HERE for an excellent online resource that discusses this in more technical terms.

3: Password Complexity
Perhaps less important than password length, complexity, or the size of the 'alphabet' used to create the password, is still important. The password 'alphabet' can include numbers (10), upper and lower case letters (26 each) and symbols (allow 34, although some websites will exclude certain control symbols used in programming languages). This is based on a standard qwerty keyboard; other keyboards will add different complexity to the password, which I will not cover here, but the principles are the same. Depending upon the brute force attack used, once the common passwords have been checked, an alphabet that is as large as possible forces a would-be password cracker to try the maximum number of variations for a given length of password.

4: Speed of Cracking
This is a notional estimate of the time it would take to crack your password online, based on 200 guesses per second. Obviously it assumes your server does not have any lockout features to protect against multiple attempts, and the number could vary considerably, but it is intended to give an idea. If the password is protecting a PC in the possession of the would-be cracker then cracking is much quicker, as the rate of guessing increases dramatically. See HERE for an idea of the scale of the problem.

5: Common Passwords
For years, lists of common passwords have been circulating on the internet. These range from stuff like Password to names and dates. Inevitably, password crackers will use such lists before resorting to a brute force attack, in order to reduce the time needed considerably. I have incorporated a check into the password assessor using a list of Common Passwords. It claims to cover more than 90% of passwords in use, a claim that is clearly unverifiable, but whatever the merits of the list, its very existence means that crackers will try lists like this to break passwords, so I would not want to use one on the list. Would you?

6: Password Padding
Most people can see that using the word Password as a password is not very safe. However, the crux of the problem is how to get strong and memorable passwords, when these two characteristics are often mutually exclusive. Password padding is a possible solution. Consider the two passwords 'Password!!!!' and '%3Wk8&la': the first is easy to remember and the second is not, yet one of them would take 20 million times longer to crack than the other, and it isn't the second one! Read more about password padding.
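The assessment described in notes 1 to 6, as an added JavaScript example that is not the page's downloadable assessor. The common-password list is a constructed stand-in for the 10,000-entry list, the case-insensitive match against it and the 100-year 'strong' threshold are my own choices, and the note 6 ratio comes out near 2.3e7 with 34 symbols, so the page's "20 million" depends on how many symbols one counts.

```javascript
// Added example, not the page's own assessor code: a minimal assessor that
// applies notes 1-5 above. The common-password list is a constructed stand-in
// for the page's 10,000-entry list; matching it case-insensitively is my choice.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein", "abc123"]);
const ONLINE_GUESSES_PER_SECOND = 200; // online rate assumed in note 4
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Alphabet size per note 3: digits 10, lower 26, upper 26, symbols 34.
function alphabetSize(password) {
  let size = 0;
  if (/[0-9]/.test(password)) size += 10;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[^0-9a-zA-Z]/.test(password)) size += 34;
  return size;
}

// Number of candidate passwords of this length over this alphabet (note 2).
function keyspace(password) {
  return Math.pow(alphabetSize(password), password.length);
}

// Expected seconds for exhaustive guessing at the given rate; on average the
// right guess turns up after half the keyspace has been tried.
function secondsToCrack(password, guessesPerSecond = ONLINE_GUESSES_PER_SECOND) {
  return keyspace(password) / 2 / guessesPerSecond;
}

function assess(password, guessesPerSecond = ONLINE_GUESSES_PER_SECOND) {
  const common = COMMON_PASSWORDS.has(password.toLowerCase());
  const seconds = secondsToCrack(password, guessesPerSecond);
  let verdict;
  if (common) verdict = "weak: common password";                              // list is tried first (note 5)
  else if (password.length < 8) verdict = "weak: shorter than 8 characters";  // note 2 minimum
  else if (seconds < 100 * SECONDS_PER_YEAR) verdict = "acceptable";          // 100-year bar is my choice
  else verdict = "strong";
  return { length: password.length, alphabet: alphabetSize(password), common,
           years: seconds / SECONDS_PER_YEAR, verdict };
}

// Note 6's comparison: a padded memorable password against a short random one.
function paddingRatio() {
  return keyspace("Password!!!!") / keyspace("%3Wk8&la"); // roughly 2.3e7
}
```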