Is there an existing algorithm in checking password strength? Or re-invent the wheel?

Question

I've been thinking to develop an Android application which will tell the password strength of user-entered password.

In terms of checking password strength, I developed these 2 Algorithms to check it. But I'm having second thought using these Algorithms because I don't think it's efficient. What do you guys think?

Here is my 2 Algorithms:

Average Method

Sample input = Password12@

1. Count the lowercase, uppercase, digits and special characters in the given String.
   Eg.
   Lowercase count = 7;
   Uppercase count = 1;
   Digits count = 2;
   SpecialCharacter count = 1;

2. Get the character count and multiply it to the size of given String.
   Eg.
    (Count * Size)
    (7 * 10) = 70
    (1 * 10) = 10
    (2 * 10) = 20
    (1 * 10) = 10

3. Add the following results
   Eg.
    70 + 10 + 20 + 10 = 110

4. Get the results which is the password strength.
   Eg.
    The password is 110% strong.

Points Method

Sample input = Password12@

1. Set the points such that for every:
    Lowercase = 1 point given
    Uppercase = 5 points given
    Digits = 10 points given
    Special Character = 15 points given

2. Count the lowercase, uppercase, digits and special characters in the given String.
   Eg.
   Lowercase count = 7;
   Uppercase count = 1;
   Digits count = 2;
   SpecialCharacter count = 1;

3. Get the character count and add it to the given point and multiply the size of the given String.
   Eg.
    (Count + Point) * size
    (7 + 1) * 10 = 80;
    (1 + 5) * 10 = 60;
    (2 + 10) * 10 = 120;
    (1 + 15) * 10 = 160;

4. Add the following results and divide it to the size of given String and divide it by 4.
   Eg.
    //4 because count={uppercase, lowercase, digits, special character}
    80 + 60 + 120 + 160 = 420
    420 / 4 = 105

5. Get the result which is the pswword strength.
   Eg.
   The password strength is 105%.

My questions are:

• Which algorithm showed that has a better implementation?

• If the 2 given algorithms is inefficient, is there an existing algorithm that I can use to check the strength of the given password. Not like this, re-inventing the wheel.

Answer 1

A link to open source password strength checker:

https://github.com/dropbox/zxcvbn

I didn't use it, just found it on google, check it out.

Your algorithms don't seem to get the job done well.

First one can be expressed as number of characters n^2, the kinds of character don't make a difference.

Second one is similar, it still doens't mean what kind of characters you input as the points only constitute a constant term in the equation: (d + 10) * 10 = d * 10 + 100 (for digits). It isn't better, it just shows a larger score.

Both algorithm produce a number that is roughly a square of the length of the password, while the time to break it (or strength) depends more on the exponent of length.

Check this article from coding horror: http://blog.codinghorror.com/your-password-is-too-damn-short/

Time to break a random password (from the article):

• 9 characters 2 minutes
• 10 characters 2 hours
• 11 characters 6 days
• 12 characters 1 year
• 13 characters 64 years

The random.org generator is "only" uppercase, lowercase, and number

Answer 2

Both of your algorithms have some inherent issues when checking password strengths:

The first algorithm basically just counts the length of the password and multiply with 10. Using this algorithm the password "passwordpassword" would get a rating of 160%. Way too strong for such a simple password.

The second algorithm is a bit more complex and uses weights, based on the type of character. However using this algorithm, the password "1234" would get a rating of a 100%. I am sure this is not what you want.

A general rule of thumb is to test a password strength based on a list of rules, and then weight those rules (together with the number of rules actually enforced by the password):

• Password must be atleast 8 characters long (10 pts)
• Password must contain atleast a lowercase letter (5 pts)
• Password must contain atleast an uppercase letter (5 pts)
• Password must contain atleast a digit (5 pts)
• Password must contain atleast a symbol (10 pts)
• Password must contain atleast 5 unique characters (5 pts)

You could then add the rules enforced together and multiply that number with the number of rules enforced multiplied by a weight. E.g:

"1234" = (5) + 1*10 = 15

"password" = (5+5) + 2*10 = 30

"password1" = (5+5+5) + 3*10 = 45

"password1234" = (5+5+5+10) + 4*10 = 65

"Password1234" = (5+5+5+5+10) + 5*10 = 80

"Passw@rd1234" = (5+5+5+5+10+10) + 6*10 = 100

This is just a simple formulation of how the rule based approach work. Personally I would weight the number of rules used exponentionally instead, and have a wide variety of rules. Basically, the more rules satisfied, the more complex the password, the more secure it is.