Measure password strength

Experimental page to measure password strength. Strength is given in bits, the log2 of the search space. The estimates are upper bounds: if there is any system in the construction of the password, such as real words, the true strength will be much less. Some attempts are made to account for frequent English words and character combinations.

Candidate Password
Current password strength as bit length: 0 bits (assuming random characters).

A brute-force attempt to guess this password would take on average 0 guesses.

What do these bits mean

To get a feeling for what these numbers mean: anything really random with a search space of more than 94 bits (2*10^28 possibilities) can be considered truly unbreakable (in 2010). If the password protects an encrypted file or data stream, a 56-bit password can be broken in minutes and a 64-bit one in hours on normal hardware. An 84-bit password could be broken in weeks on specialized super-computer hardware, but only if a suitable, highly efficient search algorithm is available. The very best hardware might, in very favorable circumstances, find a truly random 90-bit key in under two years (see "Quantifying Shannon's Work Function for Cryptanalytic Attacks", http://arxiv.org/abs/1003.2123). All of these figures assume that each guess can be checked directly against the encrypted data at full hardware speed; a deliberately slow key derivation in front of the cipher raises each of them in proportion to the cost of one derivation.

For passwords used on Internet accounts, note that it is not possible to try out trillions of guesses against a normal web site: online guessing is limited by the site's rate limiting, lockouts and logging. Such passwords are better judged by the countermeasures the site operator takes to prevent password guessing (and, after a breach of the stored password hashes, by how well those hashes resist offline guessing at hardware speed). It is nevertheless instructive to look at non-random passwords containing real language, as they are normally used on the Internet.

70 bits corresponds to a search space of 10^21 possibilities. This is more than the grand total of all the words ever uttered or written by all humans combined during all of history. The Internet "stores" some 10^19 bytes, most of it not text and with many duplications. But even if all of it were unique text, this would still be a search space of less than 70 bits. Google indexes on the order of 10^16 bytes of it (54 bits). So, if your password is on the Internet, it is less than 70 bits strong; if it is indexed by Google, it is less than 54 bits strong. Note that if you search for your password, it will be stored somewhere, e.g., among Google's search terms. So after you have searched the Internet for A#E!@G7V4Wd0hqTdAEuh, its strength is no longer 127 bits but less than 54 bits. This decline results simply from "uploading" the password, which is then stored in server logs and search engines. That is why this page works out password strength locally and does not send it over the Internet.


Where have all the bits gone

The determination of the strength of a candidate password starts from the assumption that it was constructed out of completely randomly selected characters. Only printable 8-bit characters are considered (ASCII, Latin-1). Then the candidate password is inspected for structure and regularities that reduce its strength. The numbers of bits deducted are given in the table below: the top row contains the strength if all characters had been drawn randomly, and the last row contains the number of bits left after structure has been accounted for. Non-ASCII characters are not well analyzed.

(Values shown are for an empty candidate password.)

Component                                          Bits   Effect
Raw bits assuming a set of 1 characters            0      starting value
Obvious keyboard sequences (12345678, qwerty)      0      deducted
Worst passwords                                    0      deducted
Character runs (1111...) and multiplet runs        0      deducted
Runs of character sets (UPPER, lower, numbers)     0      deducted (ignore if small)
Common English words                               0      deducted
Common English character trigrams                  0      deducted
Total                                              0      remaining strength
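The estimate described in the two sections above (raw bits from the character set, deductions for keyboard sequences, worst passwords, character runs and common words, and the conversion from bits to expected guesses and cracking time) can be followed in code. The block below is an added example written for this page, not the page's own in-page script: its word lists, keyboard rows, run thresholds and deduction sizes are illustrative assumptions, and the sample candidate passwords are constructed.

```javascript
// Added example, not the page's own script. Method as on the page:
// raw bits = length * log2(character-set size), minus deductions for
// structure, then bits -> expected guesses -> time at a guess rate.
// Lists, thresholds and deduction sizes below are assumptions.

const KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
// Constructed stand-ins for the page's "worst passwords" and common-word lists.
const WORST_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"];
const COMMON_WORDS = ["the", "love", "secret", "dragon", "monkey", "summer"];

// Size of the union of printable-ASCII classes the password draws from
// (95 printable characters including space; non-ASCII is not handled).
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33;   // remaining printable ASCII
  return size;
}

// Strength if every character had been drawn uniformly from that set.
function rawBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Longest walk along one keyboard row starting at index i, in either
// direction, case-insensitive ("asdfgh", "0987"). Returns its length.
function keyboardRun(pw, i) {
  const s = pw.toLowerCase();
  let best = 1;
  for (const row of KEYBOARD_ROWS) {
    const pos = row.indexOf(s[i]);
    if (pos < 0) continue;
    for (const dir of [1, -1]) {
      let k = 1;
      while (i + k < s.length && row[pos + dir * k] === s[i + k]) k++;
      best = Math.max(best, k);
    }
  }
  return best;
}

// A keyboard walk of k >= 4 keys is fixed by its start key and direction,
// so it is worth about bpc + 1 bits instead of k * bpc.
function keyboardSequenceBits(pw, bpc) {
  let deducted = 0;
  for (let i = 0; i < pw.length; ) {
    const k = keyboardRun(pw, i);
    if (k >= 4) { deducted += (k - 1) * bpc - 1; i += k; } else { i++; }
  }
  return deducted;
}

// A run of k >= 3 identical characters ("1111") is fixed by its first
// character plus a short length; same deduction shape as a keyboard walk.
function characterRunBits(pw, bpc) {
  let deducted = 0;
  for (let i = 0; i < pw.length; ) {
    let k = 1;
    while (i + k < pw.length && pw[i + k] === pw[i]) k++;
    if (k >= 3) deducted += (k - 1) * bpc - 1;
    i += k;
  }
  return deducted;
}

// A dictionary word is one choice out of the list (log2(list size) bits)
// however many characters it spans; matched spans are masked so they
// are not counted twice.
function commonWordBits(pw, bpc) {
  let rest = pw.toLowerCase();
  let deducted = 0;
  for (const w of COMMON_WORDS) {
    let at;
    while ((at = rest.indexOf(w)) >= 0) {
      deducted += w.length * bpc - Math.log2(COMMON_WORDS.length);
      rest = rest.slice(0, at) + "#".repeat(w.length) + rest.slice(at + w.length);
    }
  }
  return deducted;
}

function estimate(pw) {
  const raw = rawBits(pw);
  if (pw.length === 0) return { raw, total: 0, deductions: {} };
  const n = WORST_PASSWORDS.length;
  if (WORST_PASSWORDS.includes(pw.toLowerCase())) {
    // A listed password is one of n known candidates, whatever its length.
    return { raw, total: Math.log2(n), deductions: { worstPassword: raw - Math.log2(n) } };
  }
  const bpc = Math.log2(charsetSize(pw));
  const deductions = {
    keyboardSequences: keyboardSequenceBits(pw, bpc),
    characterRuns: characterRunBits(pw, bpc),
    commonWords: commonWordBits(pw, bpc),
  };
  const sum = Object.values(deductions).reduce((a, b) => a + b, 0);
  // Rules may overlap (a word that is also a keyboard walk), as in the
  // page's own summed table; the floor at 0 keeps the total meaningful.
  return { raw, total: Math.max(0, raw - sum), deductions };
}

// Expected guesses against a uniformly random secret: half the space
// (exactly (2^bits + 1) / 2; the +1 is negligible at these sizes).
function averageGuesses(bits) {
  return bits <= 0 ? 0 : Math.pow(2, bits - 1);
}

// Average time to find the secret by brute force at a given check rate.
function secondsToCrack(bits, guessesPerSecond) {
  return averageGuesses(bits) / guessesPerSecond;
}

// Constructed sample candidates, rated at 10^9 checks per second.
for (const pw of ["Tr0ub4dor&3", "summer1111", "asdfgh99", "qwerty"]) {
  const e = estimate(pw);
  console.log(pw.padEnd(12), "raw", e.raw.toFixed(1), "bits; left",
    e.total.toFixed(1), "bits;", secondsToCrack(e.total, 1e9).toFixed(3), "s at 1e9/s");
}
```

Run it with node; the deductions are reported per rule so a reader can see where the bits went, in the same spirit as the table above. Compared with the page, the example uses a handful of list entries instead of full tables and leaves out the character-set-run and trigram rules; the remaining shape (raw bits, summed deductions, floor at zero) is the same.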


Password strength is estimated by client-side (in-page) JavaScript. IT IS ASSUMED THE PASSWORD IS SELECTED WITHOUT STRUCTURE OR REAL WORDS! This page can be saved locally and run from the saved copy. No information should be transmitted from your computer.
Copyright © 2011 R.J.J.H. van Son
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.