Password Strength Meter, Password Strength Validation

Has anyone seen or created a password strength meter, or password
validator (like at hotmail’s sign up)?

Examples would be great!

On Fri, Aug 04, 2006 at 04:10:20PM +0930, Alex M. wrote:

Has anyone seen or created a password strength meter, or password strength
validator (like at hotmail?s sign up)?

There’s one in the KeePass program ( that’s open
sourced; however I’m a little suspicious of it’s assumptions around the
bit-length calculations, as it won’t be able to understand the effective
size of the character-set used when generating a password.

KeePass is a single-user GUI program, mainly for Windows (there’s a
working unix port), but I’m sure you’ll be able to find the code segment
they’ve used.

Alternatively, figuring things out yourself and presenting your own
calculation of password “strength” isn’t that difficult, once you figure
out it’s all relative anyway. “password” might be a good password;
it’s just 8 random characters from the alphabet - it’s a one in 26^8
(208827064576) chance you’ll guess it. Actually, if the password was
selected from a set of upper-case, lower-case, numbers, punctuation and
so on than it’s even stronger - (26+26+10+31)^8

So you see that you can’t actually say how good a password is per-se,
but you can assume the worst and work backwards. Compare the password to
a dictionary list - there are 96000 entries in /usr/share/dict/words on
my Debian machine, if it matches one if those, it’s a terrible password.
Then, how long is it? If it’s only 2 characters, it can’t be any good
:slight_smile: If it consists only of lowercase letters, you could assume that is
was selected from only lowercase letters (which might not be true), so
rate it low. If it has upper, lower, numbers and punctuation in it, it
was selected from a larger set of characters, so it might be better.

If it is mandatory to use these four different character groups in a
password, notice that this makes it potentially worse than one without a
representative from each group, as long as they were all possible when
the password was created.

Have a look at for an interesting passphrase
generation system, that also lets you read more about some of the basic
thinking behind things. Great fun!

-jim, not really helping I guess.

Alex, you may want to check out ruby-password,

"Ruby/Password comprises a set of useful methods for creating,
verifying and manipulating passwords. It includes an interface to
CrackLib, a library commonly used for checking password strength. "

I can’t vouch for it otherwise, but I am intending to evaluate it
down the road.



Another example of a password strength checker. This is a server side