This plugin shows the strength of your passwords by telling you how long it would take to brute force them.
Password Strength tries to calculate how many possibilities a hacker needs to try to guess your password. It assumes that 2,800,000,000 passwords can be tested per second, something that, according to ElcomSoft, is possible with Windows Vista passwords, a high-end graphics card and the ElcomSoft Distributed Password Recovery software.
How to use Password Strength
You need two HTML elements to use ‘Password Strength’: an input field and an element to show the time in.
$('#pass').pwdstr('#time');
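An added example, not the plugin's source: one way to turn password length and character-pool size into a brute-force time at the guess rate quoted above, while flagging dictionary words and single-character runs that such arithmetic overrates. The pool split, the COMMON word list and the function names are assumptions.

```javascript
// Added example, not the plugin's source. Only the guess rate comes from the
// page; the pool split, word list and function names are assumptions.
const GUESSES_PER_SECOND = 2800000000;

// Character classes the search space must cover (94 printable ASCII in total).
const POOLS = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 },
];

// Constructed stand-in for a real cracking dictionary.
const COMMON = new Set(['password', 'letmein', 'morphology']);

function poolSize(pwd) {
  return POOLS.reduce((n, p) => (p.re.test(pwd) ? n + p.size : n), 0);
}

function estimate(pwd) {
  const n = poolSize(pwd);
  const bits = pwd.length * Math.log2(n || 1); // entropy if chosen at random
  // Exhaustive search over every candidate of this length in the pool.
  const bruteSeconds = Math.pow(n, pwd.length) / GUESSES_PER_SECOND;
  // Length and pool size say nothing about predictability, so flag the two
  // cases that exhaustive-search arithmetic overrates most.
  const dictionaryHit = COMMON.has(pwd.toLowerCase());
  const repeated = /^(.)\1+$/.test(pwd); // "aaaa...", "1111..."
  return { n, bits, bruteSeconds, dictionaryHit, repeated,
           overrated: dictionaryHit || repeated };
}

// Constructed sample inputs.
for (const pwd of ['letmein', 'Password', 'a'.repeat(22), '8Klm+1', 'abc12345']) {
  const e = estimate(pwd);
  console.log(pwd, 'pool=' + e.n, 'bits=' + e.bits.toFixed(1),
              'seconds=' + e.bruteSeconds.toExponential(2),
              e.overrated ? 'OVERRATED' : '');
}
```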
Comments
My “strong” password shows: Forceable in 5867804949393 years, 11 months
I think that’s enough :)
er 21
Oh…. sounds like your 21 character password is all lower-case letters and contains no numbers or special characters :o)
Could it perchance be “dragonlanceisawesome” ? :D
OMG how did you figure it out! hahah
It’s only 22 characters long =)
And you’ve just entered it on some random guys website.
You did check if it sends anything back to the server, did you?
EllisGL is a regular at Unwrongest so I hope he trusts me. But you are right, you shouldn’t try your real password in that kind of input field…anywhere.
Wow, I hadn’t thought about it that way before. Good write up, very clearly written. Have you written previously about password strength? I’d love to read more.
Thanks! No, sorry, this is the first one.
I love it
A password of equivalent strength to the one I use for my gmail account clocked in a dandy “Forceable in 420805123888006 years, 6 months” :) That password is 16 characters.
I think this is an excellent concept!
Forceable in Infinity years ^^
2.0026970703623098e+38 years :P That’s long enough I guess.
When I need a secure password I normally run this command in terminal:
python -c 'print open("/dev/urandom").read(16).encode("base64")'
That will normally generate something similar to +q6pAnct0MvFqvZDKbv1Ww==
Which according to this is “Forceable in 2.5650973270106056e+30 years”.
Heh.
apt-get install pwgen
pwgen -s 24 1
-s (secure) 24 (len) 1 (qty)
Nice idea! Here is my version in pure sh-scripting:
head -c 16 /dev/urandom | openssl base64 | pbcopy
It will generate a secure password the same as your Python code line and then copy it into the clipboard
The result is a string. Is there the possibility to show weak, strong and very strong as an evaluation of that password instead?
Thank you
I entered 22 letter “a” and got Forceable in 5867804949393 years, 11 months :)
3.4412999530189554e+21 years… phew….
Password like 111111111111111111111 is Forceable in 11324 years, 11 months
But this one: 8Klm+1 is forceable in 4 minutes, 3 seconds
I think second password is much stronger than first.
aaaaaaaaaaaaaaaaaaaaaaaaaa
Forceable in 69717596898410406000 years
Useless but… looks good, this is what the user need.
Real nice Idea!
but why does the password “Password” take 5 hours, 13 minutes? lol that’s the number 1 password. “letmein” takes 2 seconds
Complete Bull Shit !!!!
Yeah you could also use something like this in PHP to secure your password
And that will generate something like this :
2758dc4fe4844a6b2d34bb8fefde13ba
or $string = md5(md5('string'));
which will echo something like this
2da16a0152d1abebe2cda9e14f3334eb
Cheers, Matt.
It isn’t correct.. The hacker can’t know if I’m usin’ a password with or without capitals. “password” should take just as long as “Password”. But it doesn’t. That’s one serious mistake you made.
I think you must take entropy into account here. I see the wikipedia has an overview on how you could easily make your calculator a little more precise with a few regexes.
http://en.wikipedia.org/wiki/Password_strength
The important part is:
Symbol set                                    | N  | Entropy/symbol
Digits only (0-9) (e.g. PIN)                  | 10 | 3.32 bits
Single case letters (a-z)                     | 26 | 4.7 bits
Single case letters and digits (a-z, 0-9)     | 36 | 5.17 bits
Mixed case letters and digits (a-z, A-Z, 0-9) | 62 | 5.95 bits
All standard ASCII keyboard characters        | 94 | 6.55 bits
The example is that an 8 character password with single case letters and digits has an entropy of 41 (8*5.17) - which means that this password will match a 13 character version with only numbers.
I would also argue that if the password is a word, or resembles an English word - you should probably just put 1 minute as a timer - since dictionary attacks are very usual. You could go through the encyclopedia of words pretty fast - and all over again with capital, first letter capital or last letter capital.
However it’s a cool feature to add to the password box!
I believe you already fixed this! :)
I do not think this test takes into account checking of passwords against a dictionary. If I write a word like “morphology”, it says it would take something like 13 hours to break. But it is a very unsecure password, since a dictionary check would probably take only a second…
So I preach: long, but not from the dictionary!
1.906312139680692e+221 years
“!@#$%^&*()1234567890″
Forceable in 3303856452894727 years
N96Q3c287DxGygsZ55c8pz8R2IL4F2ym8367eLe839187NrE6y9nAqn187wR9588jGlZg93VC241S465n24V1LMQR821J3Uw46f3u1vrGtV52d6xKVuPdL593gCm2t882L4sg7778ivzm98o4F249RYm2DE55573185851iFLz8lv6WwmZ352Y224ABnq711v3Paf56421Zlq74814t5Z6NH8xx1877NN3555k4V183Y6X68zt2631737382VjO7d5279434mluBNG5139oT1un177jr721Jw72b26123YwDes3Rq2118Uyuh1l685ye86Wr849hI8UC4r54H3L2QH61c2p3H274292z368zl18kJ584K3973827q5j253u1h5983BC19vp8JIZn1O8OqDpJ1pj66EHP55F254CWg46kMcLND4O1eJ2kk17SrTD99r84X7rX3PtcPMQoP2Si2
Would take infinity years to bruteforce.
My mIRC $rand script just kicked the hell out of Blowfish/AES and it looks like I just mashed the keyboard.
well, i tested using 20 characters of ‘q’, and it said
Forceable in 225684805745 years, 11 months
:)
Which is possible, as brute force evolves by testing all possible combinations by length, so before it reaches the length of 20 to test for the combination of all “q”s it would have to brute force all other combinations until 19 of length (26^29/2800000000 seconds) :)
I like it! Thank you!
My problem is, that I can not get it to work with your showpassword-plugin:
If I set the “show password” checkbox and enter sth into the textfield the value of pwdstr does not change.
I tried FF (Win+Linux), IE 7
This doesn’t work.
Forceable in 2.2966252668388745e+107 years
that’s my password!
Any way to get it to work with the show password plug in as well. Played around with it and can get both to work.
I don’t think the algorithm reflects the reality. If I keep pressing ‘a’ as long as the input field allows, I finally get “Forceable in Infinity years”.
Forceable in 1 year, 5 months
hahahah before that I had already changed my password (I change it every year) hahahahaah
very nice, thanks.
a lot of b make the job.
Nice job!
I’ve done something similar at http://passwordadvisor.com although the code is not public yet. It will also check for English words, repeated chars (aaa, 000), sequences (123, abc) and other stuff to estimate the cracking time.
There’s also some password tips at the website which some users might find quite useful.
Cheers!
doesn’t work in Opera .. so .. emm .. it DOESN’T work .