Question

There is a nice site http://www.howsecureismypassword.net/ which determines how long it will take to crack a password.

What I want is to implement a feature like this, so I need an algorithm for that.

Solution

Knowing the common password attack vectors will give you an idea of how you might go about calculating this. When we need a number, let's assume that a desktop computer can check 4 billion (4x10^9) passwords per second, which seems about right.

It's important to realize that an attacker is rarely attempting to crack just your password. Instead, they will have user ids for a large number of accounts, and they want to try to crack as many of them as possible. As such, it pays for them to invest most of the time in cracking the easy passwords, and not bothering with difficult passwords.

0. Really obvious attacks

Try entering the user id for the password. It's surprising how many people do this. Your password is crackable instantaneously.

1. Dictionary attacks

This is simple. The attacker just needs to keep a list of (say) the 10^6 most common passwords in use, and check each of them once. This can be done in well under a second. If your password is in the list of most common passwords, then it can probably be cracked nearly instantaneously.

2. Brute force

If your password isn't in a dictionary, then one other option is to use brute force. The time taken to crack a password using this method depends on (a) the length of the password, and (b) the symbol set that comprises the password. The general formula is

timeTaken = (sizeOfSymbolSet ^ passwordLength) / (4*10^9)  # (seconds)

For example, if your password consists only of lowercase letters, then the size of the symbol set is 26. Here's a list of how long it might take to crack your password as a function of its length:

Length Time
     4   0.1 millisecs
     6   0.1 seconds
     8   1 minute
    10   10 hours
    12   9 months

If you use all lowercase and uppercase letters, numbers and symbols then the symbol set is closer to 100. It takes correspondingly longer to crack your password:

Length Time
     4   25 millisecs
     6   4 minutes
     8   28 days
    10   800 years
    12   8 million years

Don't get too complacent yet, though! The 8 million year figure assumes that you have a random selection of 12 letters, numbers and symbols as your password, i.e. your password is something like

t8Qkx#rxZAM@
%Kuc;p8WHmFU
xDE!XE$rLGh4
KJdx2K8BS33K
HTaeCc&t46L;

How many people have a password like that?

3. Combined methods

This relies on a combination of ingenuity and brute force. It's a mix between the first two methods, and relies on common "password conventions" rather than common passwords.

For example, many people have a password of the form "a dictionary word followed by a number". There are about 2x10^5 words in the Oxford English Dictionary, so to generate all combinations "dictionary word followed by number" is about 2 million different passwords, which can again be easily checked in under a second.

Other common tropes include replacing characters by similar-looking symbols: o with 0, l with 1, a with @ etc. Once you have a list of dictionary words, it is trivial to generate all of these replacements. At a guess, you might increase the length of the list by a factor of 1000, which is still checkable in around a second.

My guess is that the site uses a combination of some or all of these approaches to work out how long it would take to crack your password.
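A sketch of the staged estimate described in the answer above, as an added example that is not part of the original answer and not the site's code. The word lists are tiny constructed samples, the list sizes, rate and substitution factor are the answer's figures, and two things are assumptions that go beyond the answer: a word followed by k digits is costed at 10^k numbers (the answer's 2 million is the k = 1 case), and case changes are treated like look-alike substitutions.

```javascript
// Added example: staged estimate in the order the answer lists the attacks.
const RATE = 4e9;                 // guesses per second (the answer's assumption)
const COMMON_LIST_SIZE = 1e6;     // answer: ~10^6 most common passwords
const DICTIONARY_SIZE = 2e5;      // answer: ~2x10^5 dictionary words
const SUBSTITUTION_FACTOR = 1000; // answer's guess for look-alike variants

// Tiny constructed samples standing in for real lists.
const COMMON = new Set(["123456", "password", "qwerty", "letmein"]);
const WORDS = new Set(["password", "dragon", "monkey", "sunshine"]);

// Undo case changes and the replacements the answer names (0->o, 1->l, @->a).
function normalize(s) {
  return s.toLowerCase().replace(/0/g, "o").replace(/1/g, "l").replace(/@/g, "a");
}

// Symbol set implied by the character classes present in the password.
function symbolSetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 32; // ASCII punctuation (assumption)
  return size;
}

function estimate(password, userId) {
  const result = (method, guesses) => ({ method, guesses, seconds: guesses / RATE });
  // 0. Password equals the user id: found on the first guess.
  if (password === userId) return result("user id", 1);
  // 1. Listed common password: found within one pass over the list.
  if (COMMON.has(password)) return result("dictionary", COMMON_LIST_SIZE);
  // 3. Word plus k trailing digits, optionally with substitutions.
  const trailingDigits = /\d*$/.exec(password)[0].length;
  for (let k = 0; k <= trailingDigits; k++) {
    const stem = password.slice(0, password.length - k);
    if (WORDS.has(normalize(stem))) {
      const variants = stem === normalize(stem) ? 1 : SUBSTITUTION_FACTOR;
      return result("combined", DICTIONARY_SIZE * 10 ** k * variants);
    }
  }
  // 2. Otherwise exhaustive search: sizeOfSymbolSet ^ passwordLength.
  return result("brute force", symbolSetSize(password) ** password.length);
}

console.log(estimate("p@ssw0rd1", "bob")); // constructed input
```

The brute-force figure is the time to exhaust the whole search space, as in the answer's formula, so it only holds for passwords that are actually random.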

OTHER TIPS

Well you never know: this got posted today:

The checking is done all in JavaScript. Code is available on GitHub.

From the How It Works page I get the impression the author knows what he's talking about. (You'll want to read it; the way he wrote his JavaScript implementation is interesting in its own right.)

Perhaps you can borrow some insights, or even code (forks are welcome, I didn't see a license beyond the copyright declaration).

No, since it depends on the hashing that's being used on the password. However, running a quick dictionary attack, checking length, small/big letters, numbers and symbols and commonly used combinations of them (e.g. "123") can give you some perspective about how strong the password is.

Licensed under: CC-BY-SA with attribution