Enter password to test: premaintenance disdainful hayloft seer
too long
your password strength is medium
Enter password to test: NXJCWGGDVQZO
your password strength is weak
Enter password to test: Password1
strong
Your knowledge of password strength is: weak.
Explanation
Password strength is normally measured in "bits of entropy" — the idea being that if a password has been picked randomly from a pool of similar passwords of size N, then its entropy is log₂ N bits.
The first password I tried above was picked using a method suggested by Randall Munroe, like this:
>>> words = list(open('/usr/share/dict/words'))
>>> import random
>>> random.SystemRandom().shuffle(words)
>>> print(' '.join(w.strip() for w in words[:4]))
premaintenance disdainful hayloft seer
Its entropy can be calculated like this:
>>> from math import log
>>> l = len(words)
>>> log(l * (l - 1) * (l - 2) * (l - 3), 2)
71.39088438576361
This is a strong password—a cracker that tried a billion such passwords a second would take on average about 50,000 years to find it.
The second password is also strong, but not as good as the first. I generated it like this:
$ </dev/random base64 | tr -cd A-Z | head -c 12
NXJCWGGDVQZO
Its entropy is 12 × log₂ 26 = 56.4 bits.
The third password is, of course, the weakest. password1 is about the 600th most common password (according to Mark Burnett, here) and the initial capital letter is a common substitution that password cracking programs know all about.
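The entropy arithmetic in this answer, generalised into a small script (an added example, not part of the original answer). It assumes a dictionary of 235,886 words, which the page does not state but which reproduces the 71.39 bits computed above; the rank-based estimate for Password1 is a rough model of a wordlist attack, not a figure from the page.

```python
from math import log2


def bits_ordered_without_replacement(pool: int, picks: int) -> float:
    """Entropy of `picks` distinct items drawn in order from a pool of `pool`
    items: the four-word passphrase, where every ordering is a distinct password
    (pool * (pool-1) * ... as in the REPL session above)."""
    total = 1
    for i in range(picks):
        total *= pool - i
    return log2(total)


def bits_with_replacement(pool: int, picks: int) -> float:
    """Entropy of `picks` independent draws from `pool` symbols
    (12 letters from A-Z: 12 * log2(26))."""
    return picks * log2(pool)


def bits_from_wordlist_rank(rank: int, mangling_variants: int = 1) -> float:
    """Rough entropy a cracker effectively faces when the base word sits at
    position `rank` in its wordlist and it tries `mangling_variants`
    mechanical variants (e.g. an initial capital) per entry."""
    return log2(rank * mangling_variants)


def mean_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Assumed dictionary size (not stated on the page); chosen because it yields 71.39 bits.
DICT_WORDS = 235_886
RATE = 1e9  # the "billion guesses a second" cracker from the answer

if __name__ == "__main__":
    cases = [
        ("four dictionary words", bits_ordered_without_replacement(DICT_WORDS, 4)),
        ("12 random A-Z letters", bits_with_replacement(26, 12)),
        ("Password1 (~600th in a common-password list, capitalised)",
         bits_from_wordlist_rank(600, 2)),
    ]
    for label, bits in cases:
        years = mean_crack_years(bits, RATE)
        print(f"{label}: {bits:.1f} bits, ~{years:,.0f} years at {RATE:.0e} guesses/s")
```

Run stand-alone it prints the three passwords in the order the checker should have ranked them, with the strongest first.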