From a purely algorithmic, or mathematical, perspective, cracking passwords is a fascinating problem.
From a user’s perspective, however, it’s not that fascinating at all. In fact, it’s downright frustrating. One of the best examples of that frustration is the scenario you outline: one sites’ “great” password might be considered horribly insecure by another.
What’s a user to do?
My recommendation? Create strong passwords that don’t need a password-strength meter at all.
Become a Patron of Ask Leo! and go ad-free!
Different schools of thought
Ask different IT pros about the best way to generate a strong password, and you’ll get about as many different answers as people you ask. There’s no agreement on what makes a password-creation technique both safe and easy enough to use.
Different people prioritize:
It turns out the same is true for password cracking and password-strength meters: they all have different priorities.
Priorities when cracking
A hacker trying to crack a password database wants to get the highest return on his investment in time and technology. That means cracking passwords that are easily crackable first, and then maybe moving on to others later.
As pointed out by Steve Gibson (on his excellent passwords haystack page):
Once an exhaustive password search begins,
the most important factor is password length!
Meaning that if a password search is simply running through all possible passwords — a so-called “brute force” attack — then the longer your password, the less likely it is to be discovered.
Many password-strength meters prioritize this concept or rely on it exclusively. The first strength meter you used probably falls into this bucket. A 20-character password — any 20-character password — would take centuries to discover using brute force methods. On the other hand, an eight-character password — any eight-character password — is easy to crack these days.
Of course, there are other methods.
Alternate approaches to cracking
Thanks to database breaches in the last several years, a lot of information about real passwords used by actual people has become available.
I’m sure you’ve seen the “top X worst password” lists that appear every year or so. That’s the result of analyzing those databases. It’s also just the tip of the information iceberg.
Researchers analyze that information to see how people try to make their passwords more obscure. Then they transform what they find into computer algorithms, which can then be used in password-strength meters.
For example: the research shows that simply replacing some letters in your favorite password with similarly formed letters doesn’t add much security to an otherwise bad password. “Password” is a bad password, but “P4ssw0rd” is no better. If you jump around with capitalization, or maybe add a special character or two to the end, you’re still no better off. “Password” is still bad, and “pAsSWoRd22” really doesn’t help much at all.
Trying to improve a password by making it harder to guess is almost bound to fail. Not because hackers will guess it, but because they’ve already seen your method being used in massive collections of stolen passwords.
Remember, hackers are researchers too. If there’s something even a few people do to obfuscate their passwords, hackers probably know about it.
If it’s ever been used…
One more approach to password cracking is a different kind of “brute force”: just try all known passwords.
As we’ve seen, researchers (and hackers doing their own research) often use huge databases of hacked passwords — passwords that people actually use.
Sometimes there’s no “research” involved: they just try them all.
If your password has been used even once, anywhere that has suffered a breach, it may be in one of these massive databases. It doesn’t matter how complex or secure it may be. It could still be part of the hacker’s future attempts on other services.
Alternate approaches to strength meters
With all the different ways hackers can figure out passwords, it’s really no surprise that strength meters might not take every single approach into consideration. The result is that, depending on your proposed password and the approaches that a particular strength meter might look for, the same password may pass as “secure” on some meters, or fail as “easy to crack” on others.
It’s frustrating. I get it.
And that’s also why I can’t point you to a single password-strength meter I would consider “the best”, because I don’t know what approaches they take into account, and what approaches they overlook.
If you must use a strength meter, use more than one. If any report your password as easy to crack, believe it and choose a different password.
But we can also learn something about passwords from everything we’ve discovered so far.
Creating better passwords — no meter required
There are two characteristics that put passwords at risk:
- Any kind of pattern. Be it a pattern you see, or a technique you use to make passwords obscure, if there are repeatable steps to make it work, then those steps (or algorithm) are a pattern that can be discovered.
- Any kind of re-use. No matter how strong it is, if your password is discovered in one database, it could become part of the hacker’s arsenal of passwords to try elsewhere.1
The solution is simple:
- Use completely random passwords, long enough to make brute force attempts unfeasible.
- Never reuse passwords. Period.
Yes, it’ll require that you use a password vault, since those passwords fail the “memorable” test. As I’ve said many times, using password-management software is safer than not using it, specifically because it allows you to use these super-strong random passwords. It’ll even help you create them.
What I do
I rarely pay attention to password-strength meters, and I certainly don’t go looking for them.
Instead, I let LastPass generate 20-character completely random passwords for me. Here’s an example: z9UBwPn7kDUMCe4SKjEh.
It passes both of your password-strength meters with flying colors.
For bonus points, consider adding two-factor authentication to your accounts whenever possible. That way, even if your password is discovered, hackers encounter an additional, nearly insurmountable barrier protecting your account.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Download (right-click, Save-As) (Duration: 8:53 — 4.1MB)
42 comments on “Why Do Password-strength Meters Give Different Results?”
‘As pointed out by Steve Gibson (on his excellent passwords haystack page…..’ – Excellent? Not so much. Thanks to good ol’ Kerchoff’s principle, the advice on padding is actually pretty bad.
‘Yes, it’ll require that you use a password vault, since those passwords fail the “memorable” test.’ – You’ll not necessarily need a vault. You could write ’em down. Realistically, in a home environment, that’s every bit as secure – perhaps even more secure – than using a password manager which, at some point down the road, will almost certainly be breached. While LastPass hasn’t lost any passwords (yet), it has had some near misses:
Too, there are a number of strategies you can use to create passwords that are both memorable and hard to crack. For example, you could use the first letter of each word in a phrase – ‘Bunnies Are Tasty,’ say – plus the first three letters of the website on which the password will be used plus the last digit of the year in which you born plus a symbol. So, the password for AskLeo would be BATask7& while Amazon would be BATama7& (obviously, you’d want something a bit longer). Again, this method is probably more secure than trusting your passwords to a third-party.
It’s funny that you mention writing down passwords and keeping them at home. I have to keep a lot of passwords related to my clients, so I keep them on an encrypted USB drive, in a locked drawer, and behind a Pit Bull. it’s a form of password security. I also use Leo’s method, in that those passwords are 20 character, randomly generated passwords.
I use a password manager for passwords that don’t matter (it’s the easiest and quickest way to deal with ’em); those that do matter are kept in my head. To my mind, It makes no sense to trust your banking credentials and other sensitive logins to a third-party as doing so simply increases the risk that they’ll be exposed. As I said, it extremely likely that the management companies will be breached sooner or later.
I wouldn’t trust a password strength meter unless it were on a website I absolutely trusted. A hacker could easily set up password strength meter website to phish for passwords.
Erm, why would they want to do that?
Erm … can’t believe you asked that! Read Leo’s article. This reminds me of the discussions about the Equifax hack in AskLeo’s Sept 19 article. The more of your information you put out there, the less secure you are. You know, like putting your SSN out there to see if someone has it.
I think Ray’s being sarcastic.
As I said to Mark, entering a potential password into one of these things is entirely non-problematic so long as you’re not also giving out other information (such as your email address, say).
Not to belabor this topic, but most people formulate the same pattern for their passwords, so if you know one of their passwords, you can decipher other variations (if the hacker wants to target someone). Next, when you visit a site you expose your IP address (location), and your browser, machine specifics. Depending on the site, it can/will also identify at your cookies and know what sites you typically visit and your affiliations, such as where you bank or invest. The site can load additional tracking cookies and scripts on your machine to collect information for transmittal upon your next visit to the site. Perhaps you don’t need to worry about a well-known security company, but Mark’s point was that you can easily be a victim of a phishing site or a site claiming to test your password. So, submitting your potential passwords is not “entirely non-problematic”. The internet is problematic, that’s why we’re always having these types of discussions. I’m not even giving consideration here to the fact that many people will submit their email addresses without thinking twice about it if they think they’re getting something for “free”.
“Not to belabor this topic, but most people formulate the same pattern for their passwords, so if you know one of their passwords, you can decipher other variations (if the hacker wants to target someone).” – The attacker would need to both know the formula and where to use it. It’s really not an issue.
“Next, when you visit a site you expose your IP address (location), and your browser, machine specifics. ” – So what?
“Depending on the site, it can/will also identify at your cookies and know what sites you typically visit and your affiliations, such as where you bank or invest.” – No, websites cannot do that – unless, maybe, you’re still using Netscape Navigator or some other ridiculously antiquated browser that contains a cross-site cooking vulnerability.
I suppose I should have considered sarcasm on Ray’s part. His other comments are typically well considered.
Mr. Nottinboom, I just want to mention that I have tried LastPass on your recommendation twice in the last four years and have become frustrated in trying to use it. While I consider myself fairly computer literate, the software has managed to defeat me every time. I love the idea of a vault for my passwords. It’s trying to get the password out of the vault that’s almost impossible. LastPass gives you range of options when you log on many of which are very confusing and I find that I have multiple passwords for a site, none of them are tagged so I can select the most recent. The documentation is pretty poor. I have called their customer service site several times with no joy. So I have given up. Do you have another application you would recommend? Also, please don’t take these comments as derogatory. I’m sure that LastPass works well for most people. It just isn’t a good fit for me.
Try RoboForm. It works well for me, with only an occasional extra effort required because of the way some sites set up logins.
There are many different password vaults. Roboform is another tried-and-true one, as is 1Password, Keypass and others.
I use Lastpass and think I understand your problem. My wife and I have accounts at the same place. We each have different user names and passwords. I keep both Lastpass records on my machines because I do most of the work with these accounts.
Let’s assume we’re dealing with 2 accounts at Acme Bank and you have created 2 Lastpass entries, one for each account. Both of these entries will have the same URL field and probably the same Name field. However, the Last pass entries can be edited after you create them by clicking on the little wrench icon to bring up the edit screen. The Name field is completely arbitrary and you can change it to anything you want. Change one to something like Acme Bank (John) and the other to Acme Bank (Mary).
Under Advanced Settings make sure Autologin is NOT checked.
When you visit the site you should see the Lastpass icon with the 3 dots in each of the fields to be filled, usually 2, one for the user name and another for the password. The icon will have a little number in the lower right corner indicating how many matching Lastpass records exist for this site. Click in one of the fields to be filled in. A small window should open showing a short form of all the available records; most importantly these short forms will contain the Name field so you can distinguish the various options. Click on the desired entry. The fields should be filled in. Occasionally the fields don’t fill in. If so, click in the other field. Once the fields are filled you must then manually click on any “Enter” type button that is available.
To confirm this: if I go to the Dropbox sign in page and click the LastPass icon, it gives me a list of two Dropbox accounts to choose from – personal account, and work account. Likewise if I go to the Gmail log in page, I’ll get a list of Gmail accounts to choose from. Clicking on the required account will then get LastPass to fill in the appropriate password.
Firstly, I have to disagree that “P4ssw0rd” is no better than “Password”. I agree that it’s still extremely insecure, but it’s gotta be at least a little better.
Secondly, I’d very much like to know the name of the website that said that a 20-character password could be hacked in 3 seconds, if you’re comfortable giving that info out. I’d love to see the results with your Last Pass-generated password.
If security is on a scale of 0-100, is 1.1 more secure than 1. Yes, but by an insignificant amount.
For that matter, an increase from 1 to even 10 (on a scale of 0-100) would be abysmal!
I think that User ID and Password is only half protection. The other half I believe should fall on the site being accessed. The host should be able to positively identify the device calling and lockout any device that doesn’t meet the required ID that was established by the host. Some sites do this by “3 strikes you’re out” rule. The Host cold also send a cryptographic hash to the computer when an account is being set up. This hash must match when a caller accesses the site.
There are other methods that hosts can use but far too many don’t use anything that even approaches this kind of security.
I believe some sites do this. After having you sign on the first time and verifying your identity, perhaps by asking you to answer some secret questions it will leave an encrypted cookie with a unique token behind so that the next time it can see if the device you’re using is “yours”. If you’re signing on from your regular device it requires only a UN and PW. If you’re signing on from a new device it will institute additional verification steps; perhaps extra questions or 2 factor verification.
Why can’t any site allow one password attempt every 5 seconds by a user by the same name, that is if the first attempt is wrong wait a short 5 seconds before the next attempt is allowed? And then maybe after 5 attempts make the wait time 5 minutes. This would seem, to me, that hacker’s computers, no matter how fast would have trouble guessing even a simple 8 character password. I’m sure there is a reason, but what is it?
Some websites do something similar. After a few failed attempts the time between logins progressively longer.
Perhaps ALL websites should be forced to use an ever-lengthening time between password attempts. Wouldn’t this solve the problem once and for all?
Not once and for all, but it would add a layer of security.
Not at all. That solves ONE type of attack. But if the hackers are able to steal the entire password database – as is the most common in large scale hacks – they can then pound away on the database at high speed on their own computers until they crack the passwords.
Hackers do NOT attempt to break in “live.” What they do instead is to hack in by some other route, and then steal (download) the Master Password Database! Once the hacker has THAT in his possesion, he’s free to hack away at the passwords at his leisure, free from any constraints imposed by the login system.
The only real defense against this is a Password Database composed of passwords encrypted by a salted and secure cryptographic hash. Alas, too few online services take that much trouble.
Actually this is incorrect. Hackers absolutely do try to break in “live” in addition to the techniques you outline. I see it constantly across all my sites. The difference, perhaps, is that they automate these “live” attacks. Every login, every server, every site is under a constant, slow, attack in this manner.
I’ve been a LastPass client for many years. Love it…trust it.
Just curious that you used the “sample” password z9UBwPn7kDUMCe4SKjEh…..when adding one or two special characters (like & or % or *) would probably double the strength……if for no other reason than their infrequent use! (vis-a-vis your hacker’s library comment).
In my opinion, anyone who ISN’T using LastPass or something similar, is just “waiting” for their identity theft “experience”.
Cheers and keep up the great work!
Actually adding a character makes it in the order of 100 times stronger. A standard keyboard is known as a 101 key keyboard.
I’ve encountered many sites that forbid special characters or limit you to only a few. Most sites don’t tell you what the constraints are on length, min and max, and character set. You have to figure it out by trial and error. Unfortunately, you seldom get an error message telling you why your choice isn’t acceptable. I’d like to use 20 characters in all passwords but most of the sites I’ve encountered won’t allow that many.
A major broker limits you to 8! But I know that have other safeguards in place.
Equifax created their PINS to unfreeze/freeze your credit report based on the date and some other information that was highly guessable or at least limited the universe of available PINS to a very small number.
Some sites don’t encrypt your password and store it in the clear. Or they encrypt it with their own simple password which the bad guys steal along with the database of passwords. If you can click the “I forgot my password” link and get your original password back they are a complete security failure. Close your account and move on.
Not all the problems are at the user end. The poor practices on the vendor end, whether from stupidity, sloppyness, or whatever are just as bad.
I’ve used Keep Pass, but in my case I preferred Last Pass. All I have is a desk top machine so maybe that has something to do with my preference.
One thing that I do like better with Keep Pass is that it is portable so you can keep it on an USB drive and take it to other machines. (I’ve never been able to do that with Last Pass. As soon as the internet goes away the “Pocket” loses all the data you put into it.)
It was also unhandy to keep up two data bases when they are not sync’d, however.
Keep Pass also operates a little different in that it uses a lot of copy and paste. There are keyboard short cuts for most of the necessary maneuvers, so over time you would remember them.
It’s free and I’ve seen it on the Ninite website if you want to try it.
Lastpass syncs between all your devices automatically. It keeps a local copy on each device so if the Internet is not available you can still use it except for perhaps the very last addition/change you made very recently.
I hate passwords.
I do know why they are there.
I also know as you pointed out they can be hacked, cracked and stolen.
Wouldn’t any password strength meter be obviously suspect as a phishing ploy? Why would anyone submit their own password to such a site?
I liked Rays approach to WEB site passwords memorable and clean.
I use levels of passwords for most web sites i use a common word and a $ on the end i couldn’t care less if it gets stolen or hacked it will only get you to sites i will most likely never visit again. For important sites i use a passphrase add a Symbol to the front and underscore to the end and my initials. easy for me to change and remember.
For our company network i wrote my own Pass Generator, it doesn’t store or remember passwords it generates them from a passphrase (username), it has three levels Simple, Complex and Secure, it utilises a master pass to unlock it, however knowing the master pass doesn’t give you access to the passwords you would also need to know the Passphrase from which they are generated, it also emails me each time it is used with the Pass phrase that was entered the User that attempted and the computer it came from, this is in case anyone grabbed a copy of it and tried to duplicate users passwords not that it is readily available to anyone
Pass phrase Entered: johnsmith2017
User Name: user
Computer Name: ICT
Public IP: 220.127.116.11
Local IP: 169.254.165.185
What about systems that lockout a hacker after 5 failed attempts?
Would that not keep a hacker from trying to try all billion passwords?
If you read the previous comments, you’d see that it helps a little, but most hacks are stolen databases which contain encrypted passwords. Longer passwords are the best protection against those being cracked.
“What about systems that lockout a hacker after 5 failed attempts?
Would that not keep a hacker from trying to try all billion passwords?”
There are programs that can lockout after a predetermined number of attempts, however anyone who has run Terminal Servers will tell you that they get literally thousands of brute force attempts per day we have a running blacklist of 1400 IP Addresses that refreshes with new IP’s every couple of days. Most brute forcing is done by Bots with VPN’s when you block one IP another replaces it.
Leo, you wrote:
“If you must use a strength meter, use more than one. If any report your password as easy to crack, believe it and choose a different password.”
Personally, I would modify this somewhat. If I’m going to use a password meter, my goal would be for me to find one that is both accurate and trustworthy (and, therefore, reliable).
I’d evaluate several meters (on reputable sites, using https) by feeding them several (never-used) passwords/phrases, both strong AND weak, and seeing how well each of the meters identified the strength or weakness of each passphrase.
Once I had identified a decent meter, I’d stick with it.
However, one should never rely on a password meter exclusively — it should only be for general guidance or for cautionary purposes. While a well-constructed passphrase that is “approved” by the meter should do fine, the two key words here are “well-constructed.” There is no good substitute for common sense. :/
And finally, since (as others have suggested) online meters can be susceptible to hacking or phishing, I’d try for an offline meter — an app.
I hope this is helpful.
I personally trust LastPass to generate strong passwords. A 20 character password generated by LastPass should be good of a few years.
Ack! Your reply has reminded me of something I most definitely should have remembered to add in my last post!
Speaking of password strength meter apps: if you use a password vault, you may not need one! For example, the Windows version of KeePass has its own password strength meter built right in and visible, directly underneath the password field!
I imagine that most, if not all, major password vaults will have a similar feature — it’s a no-brainer. (If absolutely nothing else, a built-in password strength meter performs covert advertising, by showing just how strong the vault’s randomly-generated passwords are!)
Alas, the Android version of KeePass seems to be missing this feature.
Just take in consideration the worst results from all password s-meters and divide by 2 and i think will be ok !! :)))))