Why Password Strength Meters are Not So Great After All

Password strength meters come in all shapes and sizes. They typically enforce limitations on what can be accepted as a password through a set of composition rules, which usually look like this:

  • Minimum Length
  • Mixed case
  • Not many repeated characters
  • Includes letters, numbers, and symbols
  • Is not a keyboard walk
  • etc.

Obviously, a good password will likely satisfy these rules; however, saying that password meters are good (or bad) is a bit simplistic. A password meter is by nature arbitrary and generic: it estimates the effort of breaking your password against whichever generic set of properties its author decided a strong password should have.

While initially designed in an effort to reduce the risk of social engineering or dictionary attacks (for example by banning simple passwords such as “guest”, “password”, “robert”, etc.), password-strength rules usually provide no such protection. Here is why:

  • They rarely encourage randomness. Rather, “password” becomes a predictable permutation such as “P@ssw0rd”, and all of those variations are also present in attackers’ dictionaries and mangling rules.
  • Enforcing pattern rules reduces the randomness (i.e. entropy) of the password by shrinking the set of passwords that can be chosen.
  • Enforcing pattern rules also divulges information to a potential attacker about the passwords stored within the target system. For example, requiring at least one upper-case letter and one symbol eliminates a staggeringly large set of candidate combinations, all of which a potential attacker can prune from a brute-force attack.
  • Password meters cannot truly attest to the entropy of the password they are evaluating. They can very easily accept a really weak password as strong simply because the user “gamed” the rules until their initial bad password fit; and if an attacker intent on breaking your password knows the meter’s rules, they can crack a password that a generic meter accepted as “strong” just as easily.
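To make the “gaming” and “pruning” points above concrete, here is an added Python example (not part of the original article). It contains a constructed rule-based meter of the kind listed at the top of the page and an inclusion-exclusion calculation of how much of the keyspace a composition rule hands to an attacker who knows the rule. The symbol set and the toy meter’s exact rules are assumptions made for illustration.

```python
import math
import string

# Character classes for the example. The symbol set is an assumption;
# real systems differ in which symbols they allow.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>/?"
POOL = LOWER + UPPER + DIGITS + SYMBOLS  # 88 characters


def meter_accepts(pw: str) -> bool:
    """Toy rule-based meter (constructed for this example): at least 8
    characters with one lower-case, one upper-case, one digit and one symbol."""
    return (len(pw) >= 8
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SYMBOLS for c in pw))


def pruned_fraction(length: int, required: list, pool: str = POOL) -> float:
    """Fraction of all length-`length` strings over `pool` that an attacker can
    skip because the rule demands at least one character from each class in
    `required` (classes must be disjoint subsets of `pool`). Inclusion-exclusion
    over the events 'no character from class i appears'."""
    n = len(pool)
    excluded = 0.0
    for mask in range(1, 1 << len(required)):
        missing = [required[i] for i in range(len(required)) if mask >> i & 1]
        remaining = n - sum(len(cls) for cls in missing)
        sign = 1 if len(missing) % 2 == 1 else -1
        excluded += sign * (remaining / n) ** length
    return excluded


def bits_after_rules(length: int, required: list, pool: str = POOL) -> float:
    """log2 of the number of candidates that survive the composition rule,
    i.e. the keyspace the attacker actually has to search."""
    n = len(pool)
    return length * math.log2(n) + math.log2(1.0 - pruned_fraction(length, required, pool))


if __name__ == "__main__":
    # A predictable mangling of a dictionary word passes the meter...
    print("P@ssw0rd accepted:", meter_accepts("P@ssw0rd"))
    # ...while a uniformly random 16-letter string (about 75 bits when
    # generated randomly) fails it for lacking upper case, a digit and a symbol.
    print("jqtvhmzkrbxwdepa accepted:", meter_accepts("jqtvhmzkrbxwdepa"))

    for length in (8, 12):
        frac = pruned_fraction(length, [UPPER, SYMBOLS])
        print(f"length {length}: 'one upper + one symbol' lets the attacker skip "
              f"{frac:.1%} of the keyspace ({frac * 88 ** length:.2e} candidates); "
              f"{bits_after_rules(length, [UPPER, SYMBOLS]):.2f} bits remain of "
              f"{length * math.log2(88):.2f}")
```

Running it shows both failure modes at once: the mangled dictionary word is rated acceptable while the random string is not, and for 8-character passwords roughly 12% of the keyspace (hundreds of trillions of candidates) can be skipped outright by anyone who knows the rule.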

The correct approach to the question of a password’s strength is one focused entirely on its entropy. The only factor that can accurately determine whether a given password is strong or weak is the process by which the password was generated. A correct entropy computation (i.e. an evaluation of a password’s strength) does not care about the actual password value at all, but about the number of possible passwords and the degree of randomness in the selection method that was employed.

In practice, the process which yields the “most difficult to guess” passwords follows these guidelines for its components:

  • Aspects to maximize:
    • The size of the character or word pool used – this includes all variations of upper and lower case, symbols, numbers, etc., and excludes any specifically disallowed symbols
    • The length of the password or number of words in the passphrase
    • The delimiter possibilities (and the delimiter length) used in the passphrase
    • The degree of randomness and the cryptographic strength of the pseudo-random number generator (PRNG) used, together with a uniform probability distribution over the possible outcomes.
  • Aspects to minimize:
    • The forced minimums imposed on the passwords (for example if at least one symbol is required, etc.)

A process which ensures the “strongest” password is one which satisfies these conditions as fully as possible.
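As an added example (not from the original article), the Python below turns the guidelines above into numbers: it computes the entropy of a generation process from the pool size, the length, the word count and the number of delimiter choices, and it generates values with the `secrets` module, Python’s interface to the operating system’s CSPRNG, so that every outcome is uniformly likely. The short word list and the character pool are constructed for illustration; a real list such as Diceware has 7776 words, which is where the 12.9 bits per word below comes from.

```python
import math
import secrets
import string

# Constructed 16-word list for illustration only; a real passphrase list
# (e.g. Diceware) has 7776 entries, giving log2(7776) ~ 12.9 bits per word.
WORDLIST = ["acorn", "basil", "cider", "delta", "ember", "flint", "gusto", "heron",
            "ivory", "jumbo", "kayak", "lemon", "mango", "nylon", "oasis", "pluto"]
DELIMITERS = "-_.+"  # four possible delimiters (assumption)
CHAR_POOL = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 characters (assumption)


def entropy_bits_chars(pool_size: int, length: int) -> float:
    """Password drawn uniformly: pool_size**length equally likely outcomes,
    so the entropy is length * log2(pool_size) bits."""
    return length * math.log2(pool_size)


def entropy_bits_passphrase(words: int, wordlist_size: int, delimiters: int = 1) -> float:
    """Passphrase of `words` uniform picks from a list of `wordlist_size` words,
    with one of `delimiters` delimiters chosen uniformly for each of the
    words-1 gaps. With a single fixed delimiter the gap term is zero."""
    return words * math.log2(wordlist_size) + (words - 1) * math.log2(delimiters)


def generate_password(length: int, pool: str = CHAR_POOL) -> str:
    """Uniform choice from `pool` via secrets (CSPRNG). random.choice would
    not do here: the random module is not cryptographically secure."""
    return "".join(secrets.choice(pool) for _ in range(length))


def generate_passphrase(words: int, wordlist=WORDLIST, delimiters: str = DELIMITERS) -> str:
    """Uniform word picks joined by uniformly chosen delimiters."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(delimiters) + word
    return out


def guesses_to_half(bits: float) -> float:
    """Guesses an attacker who knows the generation process needs for a 50%
    chance of success: half the keyspace."""
    return 2.0 ** (bits - 1)


if __name__ == "__main__":
    # The values themselves tell us nothing; only the process does.
    print(generate_password(12), f"{entropy_bits_chars(len(CHAR_POOL), 12):.1f} bits")
    print(generate_passphrase(4),
          f"{entropy_bits_passphrase(4, len(WORDLIST), len(DELIMITERS)):.1f} bits")
    # 16 random lower-case letters: rejected by most meters, yet ~75 bits.
    print(f"16 random lower-case letters: {entropy_bits_chars(26, 16):.1f} bits")
    # 6 Diceware words with a fixed separator, and with 4 random delimiters.
    fixed = entropy_bits_passphrase(6, 7776)
    print(f"6 Diceware words: {fixed:.1f} bits, ~{guesses_to_half(fixed):.2e} guesses to 50%")
    print(f"6 Diceware words, 4 delimiters: {entropy_bits_passphrase(6, 7776, 4):.1f} bits")
```

Note that the entropy functions never look at the generated string: a passphrase from the 16-word list scores only 4 bits per word however exotic it looks, and a 16-letter lower-case string scores about 75 bits however plain it looks, which is exactly the point made in the text above.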