[wp-trac] [WordPress Trac] #7124: Improve Password Strength Meter

WordPress Trac wp-trac at lists.automattic.com
Wed Jun 11 21:57:47 GMT 2008


#7124: Improve Password Strength Meter
--------------------------+-------------------------------------------------
 Reporter:  Otto42        |       Owner:  anonymous
     Type:  enhancement   |      Status:  new      
 Priority:  normal        |   Milestone:  2.6      
Component:  Optimization  |     Version:           
 Severity:  normal        |    Keywords:           
--------------------------+-------------------------------------------------
 The password strength meter is quite weak in how it determines what a good
 password is. Basically, it's using a seemingly arbitrary set of rules and
 scoring mechanisms. While such an approach is simple and easy, it's not
 particularly sound. It's highly arbitrary, easily bypassed (simple
 passwords can be marked as strong ones) and some of its rules are
 seemingly counterproductive.

 Note that the current strength meter rates "12Ab!" as a strong password.

 To solve this, first, we need to understand what a strength meter really
 is.

 What is "password strength" anyway?

 Well, if it's something that we can measure, then the only logical answer
 is to consider how one cracks a modern password. The answer to this is
 simple, and has been for quite a while: Brute Force. Since we only store
 one-way hashes, you have to hash a bunch of passwords from a dictionary or
 from some other source of passwords, and compare them (or use rainbow
 tables or something, but salts can prevent that sort of attack).

 So, if we're measuring strength in terms of brute force attacks against
 our password, then we can only really measure it in terms of the amount of
 time it would take to find the password by random searching. The key here
 is bit strength.

 When you're attacking a modern encryption system, you're doing it with
 brute force. And the bit strength of that is what determines how long it
 takes. A 64 bit key is good, a 128 bit key is better, and so on. So we can
 compare our passwords against each other by considering the number of
 possible combinations of the passwords and then determining how many of
 those there are. Easy.

 To determine the number of passwords possible given an example password,
 we can break it down into two characteristics:
 1. Number of total symbols.
 2. Number of symbols used out of sets of symbols.

 The first of these is simply the length of the password. Longer passwords
 are stronger.

 The second is a matter of symbol types. Realistically, we have four major
 groupings:
 a) Digits
 b) Lowercase alpha characters
 c) Uppercase alpha charaters
 d) Punctuation symbols (typeable symbols)

 Of these, we know how many there are of each: 10, 26, 26, and 31. To
 figure the equivalent bit strength for a password, we do some simple
 mathematics.

 First, we determine how many of the sets were used in the password. That
 gives us the total number of possible symbols.
 Second, we raise that number to the power of the password length. This
 gives us the total number of possible passwords.
 Finally, we take the binary logarithm of that number of passwords. This
 tells us how many bits it is in binary, and gives us a small, measurable
 value for the bit strength of the password. Raising it by 1 bit makes the
 password twice as hard to crack.

 So, some simple Javascript to do this:
 {{{
 function passwordStrength(password) {
         var symbolSize = 0;
         if (password.match(/[0-9]/)) symbolSize +=10;
         if (password.match(/[a-z]/)) symbolSize +=26;
         if (password.match(/[A-Z]/)) symbolSize +=26;
         if (password.match(/[^a-zA-Z0-9]/)) symbolSize +=31;
         var natLog = Math.log( Math.pow(symbolSize,password.length) );
         var baseTwoLog = natLog / Math.LN2;
         return baseTwoLog;
 }
 }}}
 That gives us the bit strength of any given password. A bit strength of 56
 or higher would be likely considered "strong". A password of only digits,
 for example, would need at least 17 of them to reach 56 bit strength.
 While a password of lowercase letters would need to be at least 12 letters
 long. Even a password using lower, upper, digits, and symbols would need
 to be 9 letters long to reach 56 bit strength.

 My example from earlier was "12Ab!". In this system, such a password
 returns a strength of ~32.7. Such a password would not be considered good
 in this system. The relative values would be as follows:
 Bad: Less than 40 bits.
 Good: 40 bits.
 Strong: 56 bits.
 Extra Strong: 64 bits or higher.

 Naturally, this is not a complete system of measurement. A dictionary
 based password can be defeated easily through dictionary attacks,
 regardless of the strength of it measured in terms of "bits". However,
 this is still a significant improvement upon what WordPress is currently
 using.

 I've attached a simple patch to the existing javascript to implement this
 change. Try it. Expand upon it.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7124>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list