Computing Password Strength

Password strength largely depends on the search space for guessing the password by trying every possibility. The longer the password is and the wider variety of character classes used, the harder it is to guess via brute force. A good metric for password strength is the number of bits of entropy. This can be computed by taking the binary logarithm of the sum of the size of the character classes contained in the password where the character classes are digits, lower case letters, upper case letters, and special characters. The following JavaScript function performs that computation:

function passwdStrength(passwd) {
    return passwd.length * Math.log2([
        { r: /[0-9]/, size: 10 },
        { r: /[A-Z]/, size: 26 },
        { r: /[a-z]/, size: 26 },
        { r: /[^0-9A-Za-z]/, size: 33 }
    ].reduce(function (sum, clazz) {
        if (clazz.r.test(passwd)) {
            sum += clazz.size;
        return sum;
    }, 0));

The above function returns a number related to the strength of the password, but how do you know what’s good enough? Well, RFC4086 has a section on Password Generation that explains how much entropy you need.

There’s one more thing. People re-use passwords, and two different people can also come up with the same password. Attackers often use lists of known passwords when trying to guess a password before attempting to guess via brute force. One could have a high entropy password like “iloveyou1234”, but if it is a known password, it could be guessed in under a second. When creating a new password, it is important to check it against a list of common passwords. A huge trove of known passwords is available through the SecLists archive.

I’ve built a node.js module called passwd-strength around the above function and it includes a check against a database of about 30,000 of the most common passwords.