What’s your entropy?

3 06 2009

bruteforce

Have you ever typed in your password while logging into a page and it has that little password strength bar on it that fills up the more you type? How accurate is it? Can you even trust such a novel multi-colored doo-dad?

Why guess? I went to the trouble of putting together a spreadsheet that can tell you definitively how secure you are with that password of yours. It can even give suggestions on how to improve your password. Be warned, it’s not always pretty to see the honest truth.

Give it a try by clicking here

then click “Download”

(Updated 6/5/09)

  • Added extended data validation to prevent accidental entry of erroneous data.
  • Cleaned up the document to fix some grammatical errors.
  • Added a “Galactic Years” option that gives a better frame of reference for larger passwords.
  • Additional tweaks and fixes to improve visibility and visual appeal.

(Updated 6/4/09)

I took all the comments and criticism I received and revamped the calculator to use guess rates derived from the Nvidia GTX295 when calculating estimated brute force times.
Additionally, I added a box at the bottom of the calculator that can be used to quickly and easily copy your score to any forum or blog you want. A solid password really is something to be proud of, so show it off!

If you want to link to the calculator, I have added an entry under my domain name for just that purpose:
http://bruteforce.caedis.net
Link there if you plan to repost; don’t link directly to the file (several people have already approached me about this).

What is brute force?

A brute force attack is when your password is guessed by blindly going from one candidate to the next, with little or no regard for what is being tried. Basically, it does the following:

  1. a
  2. aa
  3. ab
  4. abc
  5. abc1
  6. abc11
  7. abc12
  8. abc121
  9. abc122

As you can see, it’s just adding more onto the guess until it gets it right.
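As an added example (not the post’s spreadsheet, and not code from the author), here is the kind of estimate the calculator makes, in Python: the character pool a password draws from, the number of guesses an incremental brute force needs to reach it, the entropy of that space in bits, and the worst-case time at an assumed guess rate. The 1e9 guesses/second rate, the 225-million-year galactic year, and the four character classes are assumptions of this example, not figures from the post.

```python
import math
import string

# Character classes that widen the pool a brute-forcer must cover (assumed split).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}

# Constructed placeholder guess rate; the post gives no GTX295 figure.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed value for the post's "Galactic Years" option: ~225 million years per orbit.
YEARS_PER_GALACTIC_YEAR = 225_000_000
# Display units, smallest to largest, each as a number of seconds.
UNITS = [("seconds", 1), ("days", 86400), ("years", SECONDS_PER_YEAR),
         ("galactic years", SECONDS_PER_YEAR * YEARS_PER_GALACTIC_YEAR)]

def alphabet_size(password):
    """Size of the smallest pool covering every class the password uses."""
    bad = [c for c in password if c not in "".join(CLASSES.values())]
    if bad or not password:  # data validation: reject input the model cannot score
        raise ValueError(f"unsupported input: {bad!r}")
    return sum(len(cs) for cs in CLASSES.values() if any(c in cs for c in password))

def search_space(password):
    """Guesses an exhaustive search makes before finishing this length,
    counting every shorter candidate first (the incremental order shown above)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def entropy_bits(password):
    """Entropy of the search space in bits: log2 of the number of candidates."""
    return math.log2(search_space(password))

def crack_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case (exhaustive) time at the given rate; the average is about half."""
    return search_space(password) / rate

def describe(password, rate=GUESSES_PER_SECOND):
    """Worst-case time in the largest unit that reaches 1, up to galactic years."""
    secs = crack_time_seconds(password, rate)
    name, size = next((n, s) for n, s in reversed(UNITS) if secs >= s or s == 1)
    return f"{secs / size:.2f} {name}"
```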

This is the only method left in situations where the person hasn’t put any real words or significant dates or numbers into the password.

If the person does put in words or significant combinations of numbers (like anniversaries or birthdates), then a dictionary attack is usually tried first, as it is exponentially faster.

A dictionary attack is when combinations of common words, or of words and numbers, are checked. This is often done first, as it can sometimes take SECONDS to crack a password this way. If you have a password such as “myDogSkip”, the cracker just has to combine “my”, “dog” and “Skip” in the right order to get the password. This is especially effective when the person knows even a little about you. Many times this is done simply by asking a friend or co-worker off-hand about some trivial part of your life. Your dog’s name? Your wife’s name? Or, even more easily, by going to your Facebook or MySpace page and picking a few key words off it. Think of all the words you use on your profile pages, then think whether ANY of them could be used in any way to get a password of yours. If the answer is anything but a strong “NO”, then you probably need to re-evaluate what you have secured with that weak password. Which is worse? Identity theft, or an annoying password that’s hard to type in quickly?


UPDATE: 5Dec2011

The Security Now! podcast released an episode and a website to go along with the concepts I discussed here. For further reading and a web-based entropy calculator, check out the links below.

37 minute, high-quality, 64kbps MP3 audio file, 17.9 MB

37 minute, lower-quality, 16kbps MP3 audio file, 4.47 MB

GRC Password “Haystacks”
