howsecureismypassword.com algorithm
There is a nice site http://www.howsecureismypassword.net/ which determines how long it will take to crack a password.

What I want is to implement a feature like this, so I need an algorithm for that.

Bozarth answered 25/9, 2012 at 8:19 Comment(1)
The algorithms used on that site have now (as of Jan 2015) been released as a JavaScript library that can be used on your own site: github.com/howsecureismypassword/hsimp - Tubular

Knowing the common password attack vectors will give you an idea of how you might go about calculating this. When we need a number, let's assume that a desktop computer can check 4 billion (4x10^9) passwords per second, which seems about right.

It's important to realize that an attacker is rarely attempting to crack just your password. Instead, they will have user ids for a large number of accounts, and they want to try to crack as many of them as possible. As such, it pays for them to invest most of the time in cracking the easy passwords, and not bothering with difficult passwords.

0. Really obvious attacks

Try entering the user id for the password. It's surprising how many people do this. Your password is crackable instantaneously.

1. Dictionary attacks

This is simple. The attacker just needs to keep a list of (say) the 10^6 most common passwords in use, and check each of them once. This can be done in well under a second. If your password is in the list of most common passwords, then it can probably be cracked nearly instantaneously.

2. Brute force

If your password isn't in a dictionary, then one other option is to use brute force. The time taken to crack a password using this method depends on (a) the length of the password, and (b) the symbol set that comprises the password. The general formula is

timeTaken = (sizeOfSymbolSet ^ passwordLength) / (4*10^9)  # (seconds)

For example, if your password consists only of lowercase letters, then the size of the symbol set is 26. Here's a list of how long it might take to crack your password as a function of its length:

Length Time
     4   0.1 millisecs
     6   0.1 seconds
     8   1 minute
    10   10 hours
    12   9 months

If you use all lowercase and uppercase letters, numbers and symbols then the symbol set is closer to 100. It takes correspondingly longer to crack your password:

Length Time
     4   25 millisecs
     6   4 minutes
     8   28 days
    10   800 years
    12   8 million years

Don't get too complacent yet, though! The 8 million year figure assumes that you have a random selection of 12 letters, numbers and symbols as your password, i.e. your password is something like

t8Qkx#rxZAM@
%Kuc;p8WHmFU
xDE!XE$rLGh4
KJdx2K8BS33K
HTaeCc&t46L;

How many people have a password like that?

3. Combined methods

This relies on a combination of ingenuity and brute force. It's a mix between the first two methods, and relies on common "password conventions" rather than common passwords.

For example, many people have a password of the form "a dictionary word followed by a number". There are about 2x10^5 words in the Oxford English Dictionary, so to generate all combinations "dictionary word followed by number" is about 2 million different passwords, which can again be easily checked in under a second.

Other common tropes include replacing characters by similar-looking symbols: o with 0, l with 1, a with @ etc. Once you have a list of dictionary words, it is trivial to generate all of these replacements. At a guess, you might increase the length of the list by a factor of 1000, which is still checkable in around a second.

My guess is that the site uses a combination of some or all of these approaches to work out how long it would take to crack your password.

Budd answered 25/9, 2012 at 8:49 Comment(3)
Where is the constant (4*10^9) taken from? What kind of algorithms/hardware does it assume? When was this figure current? - Elson
@Elson A combination of a few google searches and the wikipedia article linked in my answer. It assumes checking on a single desktop computer using a GPU. For the purposes of this answer the actual number doesn't matter as long as it's the right order of magnitude (i.e. not off by more than a factor of 100 in either direction). - Budd
+1. Also remember that those "time to crack" estimates assume that your password is the very last one to be checked. With a bit of bad luck, your password could be toward the beginning of the list of combinations to be tried, and those times could end up being much shorter. - Spurge
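As an added illustration of the answer above (this is example code, not the site's own library): a small estimator that tries the attack classes in the order an attacker would, cheapest first, and reports the worst-case time for the first one that succeeds. The word lists are tiny constructed stand-ins, and the 4x10^9 guesses/second rate and the x1000 substitution factor are the answer's assumptions.

```python
GUESSES_PER_SECOND = 4e9   # assumed rate from the answer: one GPU-equipped desktop
LEET_VARIANTS = 1000       # the answer's guess for the blow-up from o->0, a->@ etc.

# Constructed stand-ins for a "most common passwords" list and a dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"password", "dragon", "summer", "monkey", "secret"}

# Similar-looking substitutions, undone before the dictionary lookup.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"}


def symbol_set_size(pw):
    """Size of the alphabet a brute-force attacker has to assume for pw."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII punctuation
    return size


def normalize_leet(s):
    return "".join(LEET_MAP.get(c, c) for c in s).lower()


def estimate(pw):
    """Return (attack, worst-case seconds) for the cheapest attack that finds pw.

    Times assume pw is the last candidate tried; on average it falls at half that."""
    if pw.lower() in COMMON_PASSWORDS:                       # 1. dictionary attack
        return "dictionary", len(COMMON_PASSWORDS) / GUESSES_PER_SECOND
    head = pw.rstrip("0123456789")                           # 3. word + number, with leet
    digits = len(pw) - len(head)
    if normalize_leet(head) in DICTIONARY_WORDS:
        candidates = len(DICTIONARY_WORDS) * LEET_VARIANTS * 10 ** digits
        return "combined", candidates / GUESSES_PER_SECOND
    return "brute force", symbol_set_size(pw) ** len(pw) / GUESSES_PER_SECOND  # 2.


def describe(seconds):
    """Human-readable rendering in the style of the answer's tables."""
    if seconds < 1:
        return "instantly"
    for unit, size in (("years", 31557600), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    for pw in ("Password", "P@ssw0rd", "dr4g0n42", "zzzzzzzz", "t8Qkx#rxZAM@"):
        attack, secs = estimate(pw)
        print(f"{pw:14} {attack:12} {describe(secs)}")
```

Note that "P@ssw0rd" and "dr4g0n42" come out as "instantly" despite mixing all four character classes, which is exactly why a pure symbol-set calculation overstates their strength.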

Well you never know: this got posted today:

The checking is done all in JavaScript. Code is available on GitHub.

From the How It Works page I get the impression the author knows what he's talking about. (You'll want to read it; the way he wrote his JavaScript implementation is interesting in its own right.)

Perhaps you can borrow some insights, or even code (forks are welcome, I didn't see a license beyond the copyright declaration).

Elson answered 25/9, 2012 at 22:56 Comment(0)

No, since it depends on the hashing that's being used on the password. However, running a quick dictionary attack, checking length, small/big letters, numbers and symbols and commonly used combinations of them (e.g. "123") can give you some perspective about how strong the password is.

Keil answered 25/9, 2012 at 8:22 Comment(6)
I think we can suppose that passwords are stored not hashed, so we can just try symbol by symbol or something else. All I need is the formula to determine that password a will be cracked instantly but asdsdvf@#234324|.,dsfs only in 309 sextillion years. - Bozarth
If passwords are stored plainly, I'll give your second example no more than your first. If you need a similar service, why won't you contact the authors of the webpage and ask them directly? - Keil
@arthur.borisow You just completely discredited yourself on anything security-related. Passwords will be stored hashed (with salt). If you meant "let us just look at plaintext", the answer still stays the same. You can only get a measure, not an estimate. - Elson
Have you seen the site I pointed to in the question? I need to implement something like that, and to achieve this I need to know the algorithm. And yes, I know that passwords should be saved hashed. - Bozarth
There isn't the algorithm. There can be, on the other hand, an algorithm. Which is the topic for a whole other question - how to implement features from the answer below? - Keil
You are right, I must have answered the wrong question, thanks. - Bozarth