Monthly Archives: March 2013

Quality of Online Password Checkers

There are many online password checkers on the Internet. In this post, we evaluate 24 of them that appear reasonably serious. We expect all of these checkers to work well for the common trivial cases – i.e. to recognize a very simple weak password as weak and a very complex strong password as strong. But, just to be sure, we test that too. Our primary focus here, however, is on passwords that are interesting in some way. The main goal is to see how many of the tested password checkers can evaluate the strength of such passwords correctly.

Smarter Attacks = Better Checkers

Now, what does it mean to evaluate the strength of a password correctly? It should be noted that of the 24 checkers we compare here, few actually support any kind of dictionary attack. This is why we focus solely on brute-force attacks, which all the tested checkers support. Password checkers themselves do not really perform brute-force attacks; they just try to count or estimate how long it would take an attacker to brute-force the given password successfully. We think that the smarter the attacker a password checker can “simulate”, the better the password checker is. For example, assume we have this very simple password “qregjperb”. It is simple because it uses lower-case Latin alphabet characters only – i.e. the set [a-z]. Since it is known that many computer users do use weak passwords, a smart attacker might try to crack this password assuming that limited character set. In the case of an 8-character password, the attacker would end up with approximately 26^8 possible combinations (we ignore the need to test shorter passwords first, since the actual length is unknown to the attacker). On the other hand, a less clever attacker might take, for example, the whole ASCII set of characters (256 characters) and thus face a much larger task of approximately 256^8 possible combinations. It is thus obvious that a password checker which does not consider such “smart” attacker techniques tends to claim many passwords are strong while in fact they can be cracked pretty fast.
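As an added example (not code from the original post), the following Python sketch models the two attackers described above: it infers the smallest set of character classes that covers a password and compares the resulting keyspace with the naive 256-character assumption. The character classes and the guess rate are assumptions chosen for illustration.

```python
import math
import string

# Character classes a checker typically detects (assumed set for this example).
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
NAIVE_ALPHABET_SIZE = 256  # the "not that smart" attacker assumes every byte value


def inferred_alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes covering the password,
    i.e. what a smart attacker assumes after noting which classes are used."""
    size = 0
    covered = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered += sum(1 for c in password if c in chars)
    # Characters outside every known class (space, non-ASCII) fall back to
    # the naive alphabet because the class model no longer describes them.
    return size if covered == len(password) else NAIVE_ALPHABET_SIZE


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of candidates at exactly this length. Like the post,
    we ignore the shorter lengths an attacker would have to try first."""
    return alphabet_size ** length


def compare(password: str, guesses_per_second: float = 1e9) -> dict:
    """Keyspace and worst-case crack time for the smart and naive attacker.
    The guess rate is an assumed figure, not a measured one."""
    smart = keyspace(inferred_alphabet_size(password), len(password))
    naive = keyspace(NAIVE_ALPHABET_SIZE, len(password))
    return {
        "length": len(password),
        "smart_bits": math.log2(smart),
        "naive_bits": math.log2(naive),
        "smart_days": smart / guesses_per_second / 86400,
        "naive_days": naive / guesses_per_second / 86400,
    }


if __name__ == "__main__":
    for pw in ["qregjperb", "Qr3gj!erB"]:  # second value is a constructed sample
        print(pw, compare(pw))
```

A checker that reports only the naive figure will rate the all-lower-case password far stronger than the smart attacker's keyspace justifies.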