# How strong is your strongest password?



## arnie (Jan 24, 2012)

Warning: Don't use a website that claims to be able to calculate the strength of your password for you. These all assume you are using a random string of characters and not a password with common words in it. They all *radically* overestimate the strength of your password.

-----------------------------------------------------------------

To calculate, divide your password into parts. For example, if your password is BlackRh0mbus8 then:

"Black" is a common word found in a 1000 word dictionary. 2^10 is 1024 so we can estimate 10 bits of entropy. (a dictionary is just a list of common words. Yes it includes all slang, abbreviations, team names, proper names and anything else you can think of)

"Rh0mbus" is slightly less common so it would be in an 8000-word dictionary. 2^14 is 8192 so we can estimate 14 bits.

Remember that if the words are often found in that order together, then the password is far far far weaker. "PackersFan" is just horrible, because it's such a common string. "CorrectHorseBatteryStaple" is excellent because those words are never seen in that order together like that. (until recently)

Each number is worth 3.2 bits

Since Black and Rhombus are both capitalized that adds a bit each.

The 0 in rh0mbus is a common letter substitution so add one bit for it.

Add all of it together and you get 30 bits

So it will take a password cracker 2^30 tries = 1 billion tries to guess this password. At 1,000 tries per second that's 12 days to crack it.

Handy table of bit strengths:


```
(Character set)                                    (symbols)  (bits per symbol)
Arabic numerals (0–9) (e.g. PIN)                          10         3.322 bits
Hexadecimal numerals (0–9, A-F) (e.g. WEP keys)           16         4.000 bits
Case insensitive Latin alphabet (a-z or A-Z)              26         4.700 bits
Case insensitive alphanumeric (a-z or A-Z, 0–9)           36         5.170 bits
Case sensitive Latin alphabet (a-z, A-Z)                  52         5.700 bits
Case sensitive alphanumeric (a-z, A-Z, 0–9)               62         5.954 bits
All ASCII printable characters                            95         6.570 bits
All extended ASCII printable characters                  218         7.768 bits
Diceware word list                                      7776        12.925 bits
```
Example:

*Summary*: To choose a good password that's easy to remember, pick 4 completely unrelated words and string them together. The more random and nonsensical, the better. This website gives examples of good passwords: http://correcthorsebatterystaple.net/
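The piece-by-piece estimate from the post above, written out as an added example (it is not arnie's own calculator, nor any of the websites mentioned). The word lists are constructed stand-ins just large enough to run the thread's own passwords; the list sizes (1000 and 8000), the one-bit charges for capitals and letter substitutions, and the per-digit cost all follow the post. It goes one step beyond the post by also computing the naive per-character estimate the strength-meter sites use, so the two can be compared on the same input.

```python
import math
from typing import Dict, List, Tuple

# Constructed stand-in word lists, just large enough to run the thread's examples. The value
# is the size of the smallest list the entry appears in: a hit in a 1000-entry list costs
# log2(1000). A real cracker's lists hold millions of words and phrases, so real estimates
# come out lower than this.
WORDLISTS: Dict[str, int] = {
    # entries from a ~1000-word list
    "black": 1000, "birthday": 1000, "party": 1000, "correct": 1000, "horse": 1000,
    "battery": 1000, "staple": 1000, "say": 1000, "friend": 1000, "and": 1000, "enter": 1000,
    # entries from a ~8000-word list
    "rhombus": 8000,
    # word pairs seen together so often that a cracker carries them as one entry
    "birthdayparty": 1000, "packersfan": 1000,
}
MAX_ENTRY_LEN = max(len(w) for w in WORDLISTS)

# Substitutions every cracking rule set already tries; each one adds about one bit
LEET: Dict[str, str] = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

BITS_DIGIT = math.log2(10)    # 3.32 bits for a digit that is not part of a list entry
BITS_LETTER = math.log2(26)   # 4.70 bits for a letter that is not part of a list entry
BITS_SYMBOL = math.log2(33)   # 5.04 bits for one of the 33 printable ASCII symbols


def estimate_bits(pw: str) -> Tuple[float, List[str]]:
    """Split pw into the longest list entries a cracker would recognise (case and LEET
    substitutions undone), charge each piece log2(list size) + capitals + substitutions,
    and charge leftover characters at their character-class rate.
    Returns (total_bits, human-readable breakdown)."""
    i, total, breakdown = 0, 0.0, []
    while i < len(pw):
        hit = None
        for n in range(min(MAX_ENTRY_LEN, len(pw) - i), 0, -1):
            piece = pw[i:i + n]
            key = "".join(LEET.get(c, c.lower()) for c in piece)
            if key in WORDLISTS:
                hit = (piece, key)
                break
        if hit:
            piece, key = hit
            caps = sum(c.isupper() for c in piece)
            subs = sum(c in LEET for c in piece)
            bits = math.log2(WORDLISTS[key]) + caps + subs
            breakdown.append(f"{piece!r}: {WORDLISTS[key]}-word list, +{caps} capital, "
                             f"+{subs} substitution = {bits:.1f} bits")
            i += len(piece)
        else:
            c = pw[i]
            if c.isdigit():
                bits = BITS_DIGIT
            elif c.isalpha():
                bits = BITS_LETTER + (1 if c.isupper() else 0)
            else:
                bits = BITS_SYMBOL
            breakdown.append(f"{c!r}: single character = {bits:.1f} bits")
            i += 1
        total += bits
    return total, breakdown


def naive_bits(pw: str) -> float:
    """What a strength-meter site does: count the character classes present and treat
    every position as an independent uniform draw from that pool."""
    if not pw:
        return 0.0
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool)


def crack_days(bits: float, guesses_per_second: float) -> float:
    """Days to try the whole space at the given rate; the expected time is half of this."""
    return 2 ** bits / guesses_per_second / 86400


if __name__ == "__main__":
    for pw in ("BlackRh0mbus8", "BirthdayParty", "sayfriendandenter"):
        bits, parts = estimate_bits(pw)
        print(f"{pw}: segmented {bits:.1f} bits, naive {naive_bits(pw):.1f} bits, "
              f"{crack_days(bits, 1000):.1f} days at 1000 guesses/s")
        for p in parts:
            print("   ", p)
```

With the exact log2 values the thread's example comes to 29.3 bits (the post rounds 1000 and 8000 up to 2^10 and 2^14 and gets 30), while the naive per-character count rates BirthdayParty at 74 bits against about 12 for the segmented estimate. The 1000 guesses per second rate is what an online login form might tolerate; against a stolen hash database the rate is many orders of magnitude higher.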


----------



## RoseWhiteRoseRed (Apr 14, 2013)

lol this is really confusing to me. But I can say that my password is not strong at all. I couldn't do the calculations.


----------



## Monotony (Mar 11, 2012)

114


----------



## Vuldoc (Sep 8, 2011)

Edit: According to this website Strength Test The bit strength for my password is 95


----------



## Noca (Jun 24, 2005)

55.5


----------



## arnie (Jan 24, 2012)

Vuldoc said:


> Edit: According to this website Strength Test The bit strength for my password is 95


That website doesn't know if you have words in your password or if it's just random letters.

For example it thinks BirthdayParty is 50 bits, because of its length. It's far, far less. It's not even 20 bits since the words are commonly found in that string.


----------



## Vuldoc (Sep 8, 2011)

arnie said:


> That website doesn't know if you have words in your password or if it's just random letters.
> 
> For example it thinks BirthdayParty is 50 bits, because of its length. It's far, far less. It's not even 20 bits since the words are commonly found in that string.


So it's wrong... It says right there there's no guarantee the results are perfect.

I still have confidence in my passwords to keep out the average hacker so meh...


----------



## arnie (Jan 24, 2012)

Vuldoc said:


> So it's wrong... It says right there there's no guarantee the results are perfect.
> 
> I still have confidence in my passwords to keep out the average hacker so meh...


The average noob hacker can download tools on the internet that do all the cracking work for him. It's a point and click affair:

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/#p3n


----------



## lonelyjew (Jan 20, 2010)

I've never bothered with crazy passwords, but when there was a foiled attempt to hack into my gmail account from China, I activated their second layer lock, which requires you to enter a randomly generated number after giving your password. This number is available only via a phone which you've registered with them, and cycles to a new random number every two minutes or so. I'm sure they could get in somehow, but it'd take some very sophisticated techniques. That's the wave of the future imo.
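The rotating phone code lonelyjew describes is the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google's two-step verification and apps like Google Authenticator use. Below is an added example of both the generating and the verifying side; it is not Google's code or anything from the thread. The secret is the published RFC test-vector key so the output can be checked against the RFCs; the 30-second step is Google Authenticator's (the post's "about two minutes" would just be a different step constant), and the drift window and replay check are assumptions about how a server should behave.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the 20-byte ASCII key from the RFC 4226 / RFC 6238 test vectors,
# so the codes below can be checked against the published ones. A real secret is random
# bytes generated at enrolment and shared only with the phone.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # Google Authenticator's step; a longer step only changes this constant


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation to 31 bits,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch.
    The phone computes exactly this from its own clock; nothing is sent to it."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, code: str, unix_time: float, last_counter: int = -1,
                window: int = 1, digits: int = 6, step: int = STEP_SECONDS) -> Optional[int]:
    """Server-side check. Accepts the current step and `window` steps either side to
    absorb clock drift, compares in constant time, rejects malformed codes, and refuses
    any counter at or below `last_counter` so an intercepted code cannot be replayed
    inside the window. Returns the matched counter (persist it as the new last_counter)
    or None."""
    if len(code) != digits or not code.isdigit():
        return None
    counter = int(unix_time // step)
    matched = None
    for delta in range(-window, window + 1):   # evaluate every candidate, no early exit
        cand = counter + delta
        if hmac.compare_digest(hotp(secret, cand, digits), code) and cand > last_counter:
            matched = cand
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("code:", code, "matched step:", verify_totp(DEMO_SECRET, code, now))
```

A 6-digit code has only about 20 bits, which is why the verifier must also rate-limit attempts and why the replay check matters: the security comes from the secret on the phone and the short validity, not from the code's length.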


----------



## typemismatch (May 30, 2012)

Holy mother of christ. my head hurts


----------



## Consider (May 1, 2013)

Seventyteen


----------



## sansd (Mar 22, 2006)

Much stronger than most of the other passwords I use.


----------



## Archaeron (Dec 16, 2012)

It would take 12 trillion years to hack my password according to http://howsecureismypassword.net/

Edit: 82 bits on that Strength Test linked above.


----------



## talisman (Aug 5, 2005)

I have started using long random character passwords on many websites, but since these are impossible to memorise and use for day-to-day activities I'll exclude them and just try two I use on a daily basis. They seem to be coming out at an average of 36 bits on 'Strength Test' link but since neither are dictionary words they could be more secure than they seem.


----------



## Nono441 (May 14, 2012)

My master passphrase is 80 bits (20 random hexadecimal characters). I developed my own password derivation tool and password manager a few months ago, all my other passwords are derived from this passphrase and can have up to 80 bits of entropy (512 bits of pseudo-entropy) maximum. But that is overkill and many websites still have password length limits.

I still use crappy, old ~15-bit entropy passwords on some sites but I've upgraded most of them.

EDIT: the website rates the output of my password derivation tool (default settings) at 137 bits. The maximal settings give 391 bits. The website seems to underestimate entropy significantly for long passwords while overestimating it for shorter passwords. Of course those values are somewhat meaningless as the entropy is upper-bounded by the entropy of the master passphrase by definition.


----------



## gorbulas (Feb 13, 2004)

I use one password on throwaway accounts (easy to hack I suppose) but on the accounts that matter I increase the length and diversity. I know it's good practice to have different passwords for each account but sometimes you can't do that due to the number of accounts we have to have. My passwords are reasonable according to that website. I am too lazy to do it by the method in the OP.


----------



## arnie (Jan 24, 2012)

typemismatch said:


> Holy mother of christ. my head hurts


Which part was confusing? Please let me know how to make this easier to understand. Thanks.


----------



## arnie (Jan 24, 2012)

Archaeron said:


> It would take 12 trillion years to hack my password according to http://howsecureismypassword.net/
> 
> Edit: 82 bits on that Strength Test linked above.


Apparently it would take 8 million years to crack the password:

sayfriendandenter

All of these websites assume you are using a perfectly random string of characters. Not an actual password, with words in it.


----------



## gorbulas (Feb 13, 2004)

arnie said:


> Apparently it would take 8 million years to crack the password:
> 
> sayfriendandenter
> 
> All of these websites assume you are using a perfectly random string of characters. Not an actual password, with words in it.


The info down below still gives good advice: words and only letters, and the comment about the length.


----------



## Archaeron (Dec 16, 2012)

arnie said:


> Apparently it would take 8 million years to crack the password:
> 
> sayfriendandenter
> 
> All of these websites assume you are using a perfectly random string of characters. Not an actual password, with words in it.


True, luckily my password is very random.

What I did is: make a very difficult to remember pattern of random letters/numbers/signs and make a variation on it for every account. Then the only thing you actually have to remember is that variation. Even if that variation is an existing word, you still have a solid password.

Note for the hackers: I've just changed my password


----------



## Nono441 (May 14, 2012)

Archaeron said:


> True, luckily my password is very random.
> 
> What I did is: make a very difficult to remember pattern of random letters/numbers/signs and make a variation on it for every account. Then the only thing you actually have to remember is that variation. Even if that variation is an existing word, you still have a solid password.
> 
> Note for the hackers: I've just changed my password


Indeed. That is actually the principle my tool uses as well, except in a more complex way. I think it's the best compromise - trying to remember too many complicated passwords you'll just end up forgetting them and writing them down on paper (or worse, in a file on your computer) which is very bad.

The downside of your approach, though, is that if one password on any of the websites you frequent is compromised, all of them are potentially compromised. This should never happen in real life as passwords should be hashed, but it just takes one crappy website with poor password handling practices and you're a goner
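Nono441's two points, a per-site password derived from one master passphrase (the tool described earlier in the thread) and the danger that one leaked site password exposes the rest, can both be handled with a keyed one-way derivation. The following is an added example and not Nono441's tool, Archaeron's scheme, or any existing password manager: the master passphrase is stretched with PBKDF2, each site gets HMAC-SHA256 of its name, the username and a version number, and the output is written in a 70-symbol alphabet. A leaked site password then gives an attacker nothing about the master or the other sites, which is exactly what a visible "variation" on a shared root cannot promise. The alphabet, round count, salt and length cap are choices made for this example.

```python
import hashlib
import hmac
import math
import string

# Output alphabet (70 symbols). Assumption of this example: shrink it per site when a
# site bans punctuation or limits length, and record that choice with the site entry.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PBKDF2_ROUNDS = 200_000
MAX_LENGTH = 30   # 70**30 < 2**184, so a 256-bit MAC maps onto it with negligible bias


def stretch_master(master_passphrase: str, salt: str = "pwderive-v1") -> bytes:
    """Slow, one-way derivation of a 256-bit key from the master passphrase. Recovering
    the passphrase from any derived password means guessing passphrases through this
    function; nothing here can be inverted."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ROUNDS)


def derive_site_password(master_key: bytes, site: str, username: str, version: int = 1,
                         length: int = 20, alphabet: str = ALPHABET) -> str:
    """Per-site password = HMAC-SHA256(master_key, site | username | version), written
    in base len(alphabet). Bump `version` to rotate one site after a breach there; the
    master and every other site's password stay untouched."""
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError("length out of range")
    msg = f"{site.lower()}\x00{username}\x00{version}".encode("utf-8")
    n = int.from_bytes(hmac.new(master_key, msg, hashlib.sha256).digest(), "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(out)


def effective_bits(master_bits: float, length: int, alphabet: str = ALPHABET) -> float:
    """A derived password is a deterministic function of the master, so however long it
    is it carries no more entropy than the master passphrase does."""
    nominal = length * math.log2(len(alphabet))
    return min(master_bits, nominal)


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(key, site, "alice"))
    print("master of 20 random hex chars:", effective_bits(80, 20), "bits usable of",
          round(20 * math.log2(len(ALPHABET)), 1), "nominal")
```

The effective_bits figure is the point Nono441 makes about the website's 137-bit and 391-bit ratings: a 20-character output from a 70-symbol alphabet looks like 122 bits, but with an 80-bit master only 80 of them are real.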


----------



## Cileroot (Mar 6, 2012)

How about this?

I basically have 2 roots for passwords. One root is for lower priority accounts and the stronger one is for more personal or formal things.
Both roots have random letters mixed with numbers and capitals (no words). But on different websites I change only one or two characters (or add 1-2) in certain places in the password, so if someone hacks one of my accounts, the same password will not work for other accounts. And should I discover that someone has hacked one root, I can easily make up a new root and change all other passwords before any harm is done.

Easy root: 6 characters + extra
Strong root: 10 characters + extra

Is my pass strong?

I've had such a system since I was 8 or 9 and made my first account in Runescape. No one has been able to hack any of my accounts (to my knowledge).


----------



## Archaeron (Dec 16, 2012)

I guess that's okay. My random thingy is 11 characters long + a variation on it every time.



Nono441 said:


> The downside of your approach, though, is that if one password on any of the websites you frequent is compromised, all of them are potentially compromised. This should never happen in real life as passwords should be hashed, but it just takes one crappy website with poor password handling practices and you're a goner


That's true.

I was just thinking of the following technique: Remember a sentence that you think of when you go to a particular site, then abbreviate it. For example: If you go to SAS and think "omg! my life's so f* but I'll survive it" then you could make a password like: /SAS/&0MG!mL'sS#!-bI'11Si The pattern you use here can be the same for every website, otherwise it'll become very hard. In this example I used the first letter of every word, replacing certain letters with numbers (O -> 0, L -> 1).

Then when you're going to log in just think of that sentence and combine it with your pattern. Easy to remember for you, but no other human being will ever be able to figure out what it means. You also have a unique password for every site then.


----------



## Nono441 (May 14, 2012)

Archaeron said:


> I was just thinking of the following technique: Remember a sentence that you think of when you go to a particular site, then abbreviate it. For example: If you go to SAS and think "omg! my life's so f* but I'll survive it" then you could make a password like: /SAS/&0MG!mL'sS#!-bI'11Si The pattern you use here can be the same for every website, otherwise it'll become very hard. In this example I used the first letter of every word, replacing certain letters with numbers (O -> 0, L -> 1).
> 
> Then when you're going to log in just think of that sentence and combine it with your pattern. Easy to remember for you, but no other human being will ever be able to figure out what it means. You also have a unique password for every site then.


Decent, though if someone knows how your method works he could try a few patterns and a few likely sentences, but it's way better than two words glued together at any rate


----------



## AceRimmer (Nov 12, 2008)

I keep the passwords of major accounts in Keepass on a USB drive. Those pw's are 60+ characters long of randomly generated gobbly ****. My Keepass password is 52 characters long of incoherent words and numbers. Throwaway accounts all have the same easy password.


----------



## renegade disaster (Jul 28, 2009)

short answer ,strong as my boner.

(as strong as steel)


----------



## AceEmoKid (Apr 27, 2012)

Depends which account password. Weakest is 40, while my strongest is 66.


----------



## nullptr (Sep 21, 2012)

Well if they were all random ascii characters it would be 255^9 which would be 4,558,916,353,692,287,109,375 different possibilities. but since they're not, idk. I don't feel like counting entropy.


----------



## arnie (Jan 24, 2012)

galacticsenator said:


> Well if they were all random ascii characters it would be 255^9 which would be 4,558,916,353,692,287,109,375 different possibilities. but since they're not, idk. I don't feel like counting entropy.


A lot of ascii characters aren't printable bro.


----------



## nullptr (Sep 21, 2012)

arnie said:


> A lot of ascii characters aren't printable bro.


True to dat. And getting over being lazy my password has 35.41 bits of entropy, I don't think it's that safe though.


----------



## Revenwyn (Apr 11, 2011)

I don't know how this would see how strong my password is because let's see, it contains an upper case letter, a number, a punctuation mark, and contains words that are actually rare. One site was guessing 85. I can say I've never been hacked, even on old 25 bit passwords.


----------



## paul oakenfold (Jan 15, 2012)

I believe you need to educate yourself more on this stuff rather than talk about it like you know what you are talking about... https://www.grc.com/passwords.htm

It is a well-known fact that some passwords cannot be cracked that easily...

how would you crack this one?

B51A1796E43AABCEF438E0FA96183B0DD8DE0E888FB90072F62BF1C18713BEB4

and how much computer power would it take plus how many years?

btw, I am not an expert in this but I have read articles about them... the easiest passwords to crack are words in dictionaries though...


----------



## nullptr (Sep 21, 2012)

I actually happened to just today write an XOR encryption program. It's a runnable jar so just click on it; it should generate pretty safe passwords unless somebody decompiles it and finds the key :lol.
https://dl.dropboxusercontent.com/s...pG7cX-wVpgu_7w18DRA8ub_iKDlXrgLxlrdSaTvg&dl=1


----------



## Lemonmonger (Mar 12, 2013)

22.6, 45.1, 29.4, 75.4, 77.8, 45 and 21.2. Those are for all my active accounts elsewhere. I don't use numbers or anything wacky, though. I couldn't remember something like that. xD


----------



## AngelClare (Jul 10, 2012)

Use misspelled words. MowntinDue284

P.S. Isn't it risky to test your password strength on a website?


----------



## Beingofglass (May 5, 2013)

I use weak passwords.

I learned my lesson back when I was playing WoW some years ago.


----------



## Revenwyn (Apr 11, 2011)

Beingofglass said:


> I use weak passwords.
> 
> I learned my lesson back when I was playing WoW some years ago.


I had a strong password AND an authenticator. I just quit in January though. Got to 90, then quit.


----------

