This plugin shows the strength of your passwords by telling you how long it would take to brute-force them.
Password Strength tries to calculate how many possibilities a hacker needs to try to guess your password. It assumes that 2,800,000,000 passwords can be tested per second – something that, according to ElcomSoft, is possible with Windows Vista passwords, a high-end graphics card and the ElcomSoft Distributed Password Recovery software.
How to use Password Strength
You need two HTML elements to use ‘Password Strength’: an input field and an element to show the time in.
$('#pass').pwdstr('#time');
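The estimate described above, written out as an added example (not the plugin's source): it assumes the keyspace is the alphabet size raised to the password length, searched at the page's 2.8 billion guesses per second. The character-class sizes, the `SAMPLE_WORDS` list and the `CASE_VARIANTS` factor are assumptions; the dictionary short-circuit and the log-space arithmetic go beyond the plain brute-force model to cover dictionary words and very long inputs.

```javascript
// Added example, not the plugin's source. The class sizes, the word list and
// the case-variant factor are assumptions chosen for illustration.
const GUESSES_PER_SECOND = 2.8e9;            // rate quoted on this page
const SECONDS_PER_YEAR = 365 * 24 * 3600;

const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 },          // printable ASCII symbols
];

// Constructed sample list standing in for a real cracking dictionary.
const SAMPLE_WORDS = new Set(['password', 'letmein', 'morphology', 'disestablishment']);
const CASE_VARIANTS = 3;                     // lower, Capitalised, UPPER

// Alphabet an exhaustive search must cover, from the classes actually used.
function charsetSize(pw) {
  return CLASSES.reduce((n, c) => n + (c.re.test(pw) ? c.size : 0), 0);
}

// log10 of the number of candidates. Staying in log space avoids the
// floating-point overflow that turns long inputs into "Infinity years".
function log10Guesses(pw) {
  if (pw.length === 0) return 0;
  if (SAMPLE_WORDS.has(pw.toLowerCase())) {
    return Math.log10(SAMPLE_WORDS.size * CASE_VARIANTS);  // dictionary pass
  }
  return pw.length * Math.log10(charsetSize(pw));          // exhaustive search
}

function log10Seconds(pw) {
  return log10Guesses(pw) - Math.log10(GUESSES_PER_SECOND);
}

// Human-readable estimate; units are kept coarse (seconds or years).
function describe(pw) {
  const ls = log10Seconds(pw);
  if (ls < 0) return 'under a second';
  const ly = ls - Math.log10(SECONDS_PER_YEAR);
  if (ly < 0) return `${Math.floor(10 ** ls)} seconds`;
  if (ly < 15) return `${Math.floor(10 ** ly)} years`;
  return `about 10^${Math.floor(ly)} years`;
}
```

Under these assumptions `describe('1'.repeat(21))` returns `11324 years`, while `describe('Password')` returns `under a second` because the dictionary pass is costed before the exhaustive search.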
Comments
My “strong” password shows: Forceable in 5867804949393 years, 11 months
I think that’s enough :)
er 21
Oh…. sounds like your 21 character password is all lower-case letters and contains no numbers or special characters :o)
Could it perchance be “dragonlanceisawesome” ? :D
OMG how did you figure it out! hahah
It’s only 22 characters long =)
And you’ve just entered it on some random guys website.
You did check if it sends anything back to the server, did you?
EllisGL is a regular at Unwrongest so I hope he trusts me. But you are right, you shouldn’t try your real password in that kind of input field…anywhere.
Wow, I hadn’t thought about it that way before. Good write up, very clearly written. Have you written previously about password strength? I’d love to read more.
Thanks! No, sorry, this is the first one.
I love it
A password of equivalent strength to the one I use for my gmail account clocked in a dandy “Forceable in 420805123888006 years, 6 months” :) That password is 16 characters.
I think this is an excellent concept!
Forceable in Infinity years ^^
2.0026970703623098e+38 years :P That’s long enough I guess.
When I need a secure password I normally run this command in terminal:
python -c 'print open("/dev/urandom").read(16).encode("base64")'
That will normally generate something similar to +q6pAnct0MvFqvZDKbv1Ww==
Which according to this is “Forceable in 2.5650973270106056e+30 years”.
Heh.
apt-get install pwgen
pwgen -s 24 1
-s (secure) 24 (len) 1 (qty)
Nice idea! Here is my version in pure sh-scripting:
head -c 16 /dev/urandom | openssl base64 | pbcopy
It will generate a secure password the same as your Python code line and then copy it into the clipboard.
The result is a string. Is there the possibility to show weak, strong and very strong as an evaluation of that password instead?
Thank you
I entered 22 letter “a” and got Forceable in 5867804949393 years, 11 months :)
3.4412999530189554e+21 years… phew….
Password like 111111111111111111111 is Forceable in 11324 years, 11 months
But this one: 8Klm+1 is forceable in 4 minutes, 3 seconds
I think second password is much stronger than first.
aaaaaaaaaaaaaaaaaaaaaaaaaa
Forceable in 69717596898410406000 years
Useless but… looks good, this is what the user needs.
Real nice Idea!
but why does the password “Password” take 5 hours, 13 minutes? lol that’s the number 1 password. “letmein” takes 2 seconds
Complete Bull Shit !!!!
Yeah you could also use something like this in PHP to secure your password
And that will generate something like this :
2758dc4fe4844a6b2d34bb8fefde13ba
or $string = md5(md5('string'));
which will echo something like this
2da16a0152d1abebe2cda9e14f3334eb
Cheers, Matt.
It isn’t correct.. The hacker can’t know if I’m usin’ a password with or without capitals. “password” should take just as long as “Password”. But it doesn’t. That’s one serious mistake you made.
I think you must take entropy into account here. I see the wikipedia has an overview on how you could easily make your calculator a little more precise with a few regexes.
http://en.wikipedia.org/wiki/Password_strength
The important part is:
Symbol set | N | Entropy/symbol
Digits only (0-9) (e.g. PIN) | 10 | 3.32 bits
Single case letters (a-z) | 26 | 4.7 bits
Single case letters and digits (a-z, 0-9) | 36 | 5.17 bits
Mixed case letters and digits (a-z, A-Z, 0-9) | 62 | 5.95 bits
All standard ASCII keyboard characters | 94 | 6.55 bits
The example is that an 8 character password with single case letters and digits has an entropy of 41 (8*5.17) – which means that this password will match a 13 character version with only numbers.
I would also argue that if the password is a word, or resembles an English word – you should probably just put 1 minute as a timer – since dictionary attacks are very usual. You could go through the encyclopedia of words pretty fast – and all over again with capital, first letter capital or last letter capital.
However it’s a cool feature to add to the password box!
I believe you already fixed this! :)
I do not think this test takes into account checking of passwords against a dictionary. If I write a word like “morphology”, it says it would take something like 13 hours to break. But it is a very unsecure password, since a dictionary check would probably take only a second…
So I preach: long, but not from the dictionary!
1.906312139680692e+221 years
“!@#$%^&*()1234567890”
Forceable in 3303856452894727 years
N96Q3c287DxGygsZ55c8pz8R2IL4F2ym8367eLe839187NrE6y9nAqn187wR9588jGlZg93VC241S465n24V1LMQR821J3Uw46f3u1vrGtV52d6xKVuPdL593gCm2t882L4sg7778ivzm98o4F249RYm2DE55573185851iFLz8lv6WwmZ352Y224ABnq711v3Paf56421Zlq74814t5Z6NH8xx1877NN3555k4V183Y6X68zt2631737382VjO7d5279434mluBNG5139oT1un177jr721Jw72b26123YwDes3Rq2118Uyuh1l685ye86Wr849hI8UC4r54H3L2QH61c2p3H274292z368zl18kJ584K3973827q5j253u1h5983BC19vp8JIZn1O8OqDpJ1pj66EHP55F254CWg46kMcLND4O1eJ2kk17SrTD99r84X7rX3PtcPMQoP2Si2
Would take infinity years to bruteforce.
My mIRC $rand script just kicked the hell out of Blowfish/AES and it looks like I just mashed the keyboard.
well, i tested using 20 characters of ‘q’, and it said
Forceable in 225684805745 years, 11 months
:)
Which is possible, as brute force evolves by testing all possible combinations by length, so before it reaches the length of 20 to test for the combination of all “q”s it would have to brute force all other combinations until 19 of length (26^29/2800000000 seconds) :)
I like it! Thank you!
My problem is, that I can not get it to work with your showpassword-plugin:
If I set the “show password” checkbox and enter sth into the textfield the value of pwdstr does not change.
I tried FF (Win+Linux), IE 7
This doesn’t work.
Forceable in 2.2966252668388745e+107 years
that’s my password!
This concept is broken.
Since you base everything on “how long does it take to bruteforce this if I can do 2.8 billion attempts/sec”, one can assume that this scenario involves an offline attack on an unsalted hash (why would you use an unsalted hash anyway?).
If you got the hash you’d do a dictionary attack first, which this (and every other client-side-only implementation) doesn’t take into account. That means “disestablishment” doesn’t take almost 500000 years to crack, it takes <1 second.
Programs like l0phtcrack will also try reversed dictionary words, “l33t”-speak variants, appending/prepending digits to words etc etc rendering a password deemed strong by any naive javascript password checker broken in minutes if not seconds.
A better way to implement something like this would be a serverside checker that utilises something like cracklib with a decent dictionary, and a clientside script that posts the password via ajax.
Any way to get it to work with the show password plug in as well. Played around with it and can get both to work.
I don’t think the algorithm reflects the reality. If I keep pressing ‘a’ as long as the input field allows, I finally get “Forceable in Infinity years”.
Forceable in 1 year, 5 months
hahahah before that I had already changed my password (I change it every year) hahahahaah
very nice, thanks.
a lot of b make the job.
Nice job!
I’ve done something similar at http://passwordadvisor.com although the code is not public yet. It will also check for English words, repeated chars (aaa, 000), sequences (123, abc) and other stuff to estimate the cracking time.
There’s also some password tips at the website which some users might find quite useful.
Cheers!
doesn’t work in Opera .. so .. emm .. it DOESN’T work .
Good job! ^_^
tanx
tanx for exp
can you integrate password lock in this calculator?
for example we have a policy that sets password lock for 15 min every 3 unsuccessful attempts.
How long for some government agency to crack your password?
Easy to feel secure when testing against a lone puny machine without a dictionary.
Nice: “Forceable in 5.0034215192510823e+30 years”
Tip: the type of chars is important (using alphanum + special chars + space).
Some of these attempts at security seem like overkill … the universe is only about 13,500,000,000 years old and earth and its sun are only about 5,000,000,000 years old. A couple of capital letters, a couple of lower case letters, a couple of numbers, 1 or 2 special characters, and a couple of random alphanumeric characters thrown in for good measure, all randomly intermixed, should produce good 8 to 12 length passwords that are good for 99% of the passwords needed.
7.904771572642878e+43 years
I guess they are checking the total no. of given characters and then searching for the combination. But I think the 1st difficult thing for a hacker is to find the password length, then the combination..
so it’s showing Password like 111111111111111111111 is Forceable in 11324 years, 11 months
But this one: 8Klm+1 is forceable in 4 minutes, 3 seconds
This is a little sketchy…
“yourmomsucksballs” is:
Forceable in 12840510 years, 1 month
“yourmomsucksballs123” is:
Forceable in 151385882561015 years, 8 months
It’s very good.
I like this.
Thanks for share.
And I wrote something to introduce this project for my readers.
You can find the post about this in my website.
If something is wrong, pls figure it out. Thanks.
Forceable in Infinity years :)
Forceable in Infinity years~ hahahahahaha
My password is forceable in:
So try your best………..
3.4412999530189554e+21 years
just checked my random password x?CQAcJe$m4!YXsE!$R=vSwSb8_WE%
Password Forceable in 1.769583131372137e+42 years
Wow, but who needs this?
awesome…!!!
mine showed
Forceable in 1.0698003678959862e+38 years
It says my password is ‘Forceable in Infinity years’
Haha. This good enough?
9.531242202044135e+61 years