Hello, my name is Jan Jarfalk and I am an interaction designer and interface developer.

I’ve been working professionally with the web since 2002. Back then I had my own company and did everything myself. Now I am a bit more specific - I do usability, accessibility and a lot of client side coding. This, Unwrongest, is my personal lab. This is where I try, learn and evolve.

I am a Swedish citizen from Stockholm who currently lives and works in Sydney, Australia. From here I work for Getupdated's Stockholm based division 'Social Media', where we help our clients to create social networks.

I put function before design. I love beautiful interfaces, but I like them simple and obvious. I like things that are fast and responsive. Take a look at my projects and I am certain you will notice and appreciate my slipstreamed approach.

This plugin shows the strength of your passwords by telling you how long it would take to brute-force them.

Password Strength tries to calculate how many possibilities the hacker needs to try to guess your password. It makes the assumption that it is possible to test 2,800,000,000 passwords per second – something that, according to ElcomSoft, is possible against Windows Vista passwords with a high-end graphics card and the ElcomSoft Distributed Password Recovery software.

How to use Password Strength

You need two HTML elements to use ‘Password Strength’: an input field and an element to show the time in.



$('#pass').pwdstr('#time');
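The plugin's source is not shown on this page, so the following is an added, plain-JavaScript reconstruction of the estimate described above, not the plugin's own code. It assumes four character classes (26 lower-case letters, 26 upper-case letters, 10 digits and 32 printable ASCII symbols), the 2.8 billion guesses per second figure quoted above, and 365-day years with 30-day months; the class sizes and the two-unit duration format are assumptions, so its numbers can differ slightly from what the plugin prints.

```javascript
// Added example: reconstruction of the page's estimate (not the plugin's source).
// Guess rate is the ElcomSoft figure quoted above; class sizes are an assumption.
const GUESSES_PER_SECOND = 2.8e9;

// Each class the password uses enlarges the alphabet an attacker must cover.
// The symbol count (32) assumes printable ASCII punctuation plus space.
const CLASSES = [
  { name: "lower",  size: 26, re: /[a-z]/ },
  { name: "upper",  size: 26, re: /[A-Z]/ },
  { name: "digit",  size: 10, re: /[0-9]/ },
  { name: "symbol", size: 32, re: /[^a-zA-Z0-9]/ },
];

function alphabetSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Worst case: every string of this length over this alphabet must be tried.
// Overflows to Infinity for very long inputs, which is what the comment
// thread's "Forceable in Infinity years" reports reflect.
function secondsToCrack(password) {
  if (password.length === 0) return 0;
  return Math.pow(alphabetSize(password), password.length) / GUESSES_PER_SECOND;
}

// Two most significant units, e.g. "11324 years, 11 months" (365-day years,
// 30-day months; the exact rounding the plugin uses is not shown on the page).
const UNITS = [
  ["year", 365 * 24 * 3600],
  ["month", 30 * 24 * 3600],
  ["day", 24 * 3600],
  ["hour", 3600],
  ["minute", 60],
  ["second", 1],
];

function formatDuration(seconds) {
  if (!Number.isFinite(seconds)) return "Infinity years";
  if (seconds < 1) return "less than a second";
  const parts = [];
  let rest = seconds;
  for (const [name, len] of UNITS) {
    const n = Math.floor(rest / len);
    // Beyond 2^53 the remainder is floating-point noise, so stop at one unit.
    if (n > Number.MAX_SAFE_INTEGER) return `${n} ${name}s`;
    if (n > 0) {
      parts.push(`${n} ${name}${n === 1 ? "" : "s"}`);
      rest -= n * len;
    }
    if (parts.length === 2) break;
  }
  return parts.join(", ");
}

function forceableIn(password) {
  return "Forceable in " + formatDuration(secondsToCrack(password));
}

// Stand-alone demonstration using inputs quoted in the comment thread.
for (const pw of ["1".repeat(21), "8Klm+1", "password", "Password", "a".repeat(300)]) {
  console.log(pw.slice(0, 22).padEnd(22), forceableIn(pw));
}
```

Note that the estimate grows only with length and character classes: 21 repeated digits come out at about 11,000 years because it counts every 21-digit string, while a 6-character mixed password is a few minutes, which is the point several commenters below pick up on.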

Comments

  • 28 May 2009 | EllisGL says:

    My “strong” password shows: Forceable in 5867804949393 years, 11 months

    • I think that’s enough :)

      • 29 May 2009 | EllisGL says:

        er 21

        • Oh…. sounds like your 21 character password is all lower-case letters and contains no numbers or special characters :o)

          Could it perchance be “dragonlanceisawesome” ? :D

          • 09 Jul 2009 | ellisgl says:

            OMG how did you figure it out! hahah

    • 29 May 2009 | EllisGL says:

      It’s only 22 characters long =)

    • 29 May 2009 | keccs says:

      And you’ve just entered it on some random guys website.
      You did check if it sends anything back to the server, did you?

      • EllisGL is a regular at Unwrongest so I hope he trusts me. But you are right, you shouldn’t try your real password in that kind of input field…anywhere.

  • Wow, I hadn’t thought about it that way before. Good write up, very clearly written. Have you written previously about password strength? I’d love to read more.

  • I love it

  • A password of equivalent strength to the one I use for my gmail account clocked in a dandy “Forceable in 420805123888006 years, 6 months” :) That password is 16 characters.

    I think this is an excellent concept!

  • 30 May 2009 | loosik says:

    Forceable in Infinity years ^^

  • 09 Jun 2009 | Alex says:

    2.0026970703623098e+38 years :P That’s long enough I guess.

  • When I need a secure password I normally run this command in terminal:

    python -c 'print open("/dev/urandom").read(16).encode("base64")'

    That will normally generate something similar to +q6pAnct0MvFqvZDKbv1Ww==

    Which according to this is “Forceable in 2.5650973270106056e+30 years”.

    Heh.

    • 18 Aug 2009 | Aaron Tate says:

      apt-get install pwgen
      pwgen -s 24 1

      -s (secure) 24 (len) 1 (qty)

    • 21 Nov 2009 | dgl says:

      Nice idea! Here is my version in pure sh-scripting:
      head -c 16 /dev/urandom | openssl base64 | pbcopy
      It will generate a secure password the same as your Python code line and then copy it to the clipboard

  • 15 Jul 2009 | Fabio Milheiro says:

    The result is a string. Is there the possibility to show weak, strong and very strong as an evaluation of that password instead?

    Thank you

  • 10 Aug 2009 | Bela says:

    I entered 22 letter “a” and got Forceable in 5867804949393 years, 11 months :)

  • 19 Aug 2009 | Haze says:

    3.4412999530189554e+21 years… phew….

  • 20 Aug 2009 | Gleb says:

    Password like 111111111111111111111 is Forceable in 11324 years, 11 months
    But this one: 8Klm+1 is forceable in 4 minutes, 3 seconds

    I think the second password is much stronger than the first.

  • aaaaaaaaaaaaaaaaaaaaaaaaaa
    Forceable in 69717596898410406000 years
    Useless but… looks good, this is what the user needs.

  • 20 Aug 2009 | Cory says:

    Real nice Idea!

    but why does the password “Password” take 5 hours, 13 minutes? lol that's the number 1 password. “letmein” takes 2 seconds

  • 20 Aug 2009 | Bulls says:

    Complete Bull Shit !!!!

  • 20 Aug 2009 | Matt says:

    Yeah you could also use something like this in PHP to secure your password

    And that will generate something like this :

    2758dc4fe4844a6b2d34bb8fefde13ba

    or $string = md5(md5('string'));

    which will echo something like this

    2da16a0152d1abebe2cda9e14f3334eb

    Cheers, Matt.

  • 21 Aug 2009 | Lg102 says:

    It isn't correct.. The hacker can't know if I'm using a password with or without capitals. “password” should take just as long as “Password”. But it doesn't. That's one serious mistake you made.

  • I think you must take entropy into account here. I see the wikipedia has an overview on how you could easily make your calculator a little more precise with a few regexes.

    http://en.wikipedia.org/wiki/Password_strength

    The important part is:
    Symbol set                                      N    Entropy/symbol
    Digits only (0-9) (e.g. PIN)                    10   3.32 bits
    Single case letters (a-z)                       26   4.7 bits
    Single case letters and digits (a-z, 0-9)       36   5.17 bits
    Mixed case letters and digits (a-z, A-Z, 0-9)   62   5.95 bits
    All standard ASCII keyboard characters          94   6.55 bits

    The example is that an 8-character password with single case letters and digits has an entropy of 41 (8*5.17), which means that this password will match a 13-character version with only numbers.

    I would also argue that if the password is a word, or resembles an English word, you should probably just put 1 minute as a timer, since dictionary attacks are very usual. You could go through the encyclopedia of words pretty fast, and all over again with capital, first letter capital or last letter capital.

    However it’s a cool feature to add to the password box!

  • I believe you already fixed this! :)

  • 25 Aug 2009 | Rune SMistad says:

    I do not think this test takes into account checking of passwords against a dictionary. If I write a word like “morphology”, it says it would take something like 13 hours to break. But it is a very insecure password, since a dictionary check would probably take only a second…

    So I preach: long, but not from the dictionary!

  • 26 Aug 2009 | Wow says:

    1.906312139680692e+221 years

  • 31 Aug 2009 | thanr says:

    “!@#$%^&*()1234567890”
    Forceable in 3303856452894727 years

  • 11 Sep 2009 | Max says:

    N96Q3c287DxGygsZ55c8pz8R2IL4F2ym8367eLe839187NrE6y9nAqn187wR9588jGlZg93VC241S465n24V1LMQR821J3Uw46f3u1vrGtV52d6xKVuPdL593gCm2t882L4sg7778ivzm98o4F249RYm2DE55573185851iFLz8lv6WwmZ352Y224ABnq711v3Paf56421Zlq74814t5Z6NH8xx1877NN3555k4V183Y6X68zt2631737382VjO7d5279434mluBNG5139oT1un177jr721Jw72b26123YwDes3Rq2118Uyuh1l685ye86Wr849hI8UC4r54H3L2QH61c2p3H274292z368zl18kJ584K3973827q5j253u1h5983BC19vp8JIZn1O8OqDpJ1pj66EHP55F254CWg46kMcLND4O1eJ2kk17SrTD99r84X7rX3PtcPMQoP2Si2

    Would take infinity years to bruteforce.

    My mIRC $rand script just kicked the hell out of Blowfish/AES and it looks like I just mashed the keyboard.

  • 05 Oct 2009 | Saw says:

    well, i tested using 20 characters of ‘q’, and it said

    Forceable in 225684805745 years, 11 months

    :)

    • 17 Nov 2009 | Mars says:

      Which is possible, as brute force evolves by testing all possible combinations by length, so before it reaches the length of 20 to test for the combination of all “q”s it would have to brute force all other combinations until 19 of length (26^29/2800000000 seconds) :)

  • 14 Oct 2009 | Alex says:

    I like it! Thank you!

    My problem is, that I can not get it to work with your showpassword-plugin:
    If I set the “show password” checkbox and enter sth into the textfield the value of pwdstr does not change.
    I tried FF (Win+Linux), IE 7

  • 23 Oct 2009 | John says:

    This doesn’t work.

  • 26 Oct 2009 | Vincent says:

    Forceable in 2.2966252668388745e+107 years
    that’s my password!

  • 06 Nov 2009 | Bjørn Langfors says:

    This concept is broken.

    Since you base everything on “how long does it take to bruteforce this if I can do 2.8 billion attempts/sec”, one can assume that this scenario involves an offline attack on an unsalted hash (why would you use an unsalted hash anyway?).

    If you got the hash you'd do a dictionary attack first, which this (and every other client-side-only implementation) doesn't take into account. That means “disestablishment” doesn't take almost 500000 years to crack, it takes <1 second.

    Programs like l0phtcrack will also try reversed dictionary words, “l33t”-speak variants, appending/prepending digits to words etc etc rendering a password deemed strong by any naive javascript password checker broken in minutes if not seconds.

    A better way to implement something like this would be a serverside checker that utilises something like cracklib with a decent dictionary, and a clientside script that posts the password via ajax.
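Taking this comment together with the entropy table posted earlier in the thread, here is an added JavaScript example (not the plugin's code and not from any commenter) of the check they describe from the defender's side: entropy per symbol from the quoted Wikipedia symbol-set sizes, and a dictionary pass that undoes the variants mentioned in the thread (case, prefixed or appended digits, reversal, leet substitutions) before a brute-force-sized keyspace is credited. The word list, the assumed size of a realistic dictionary (100,000 words), the assumed number of variants per word (1,000) and the 52-symbol row for mixed case without digits are constructed for this example.

```javascript
// Added example (not the plugin's source): entropy from the symbol-set table
// quoted in the comments, then a dictionary check so that words and their
// common variants are not credited with a brute-force-sized keyspace.
const GUESSES_PER_SECOND = 2.8e9;

// Symbol-set size N from the quoted table; entropy per symbol is log2(N).
// 52 for mixed case without digits is not in the table and is an assumption.
function symbolSetSize(pw) {
  const lower = /[a-z]/.test(pw), upper = /[A-Z]/.test(pw);
  const digit = /[0-9]/.test(pw), other = /[^a-zA-Z0-9]/.test(pw);
  if (other) return 94;                       // all standard ASCII keyboard characters
  if (lower && upper) return digit ? 62 : 52; // mixed case letters (and digits)
  if (lower || upper) return digit ? 36 : 26; // single case letters (and digits)
  return 10;                                  // digits only
}

function bruteForceBits(pw) {
  return pw.length * Math.log2(symbolSetSize(pw));
}

// Constructed word list for the example; a real checker would use cracklib or
// a full dictionary. The two sizes stand in for such a list and its rule set.
const WORDS = new Set(["password", "letmein", "dragon", "morphology", "disestablishment"]);
const ASSUMED_LIST_SIZE = 1e5;   // words in a realistic dictionary (assumption)
const ASSUMED_RULES = 1e3;       // variants tried per word (assumption)

const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Undo the transformations the thread lists: case, prefixed/appended digits
// or symbols, leet substitutions, reversal. Returns every base form to look up.
function baseForms(pw) {
  const lower = pw.toLowerCase();
  const strip = s => s.replace(/^[^a-z]+|[^a-z]+$/g, "");
  const unleet = s => s.replace(/[013457@$]/g, c => LEET[c]);
  const forms = new Set([lower, strip(lower), unleet(lower), unleet(strip(lower)), strip(unleet(lower))]);
  for (const f of [...forms]) forms.add([...f].reverse().join(""));
  return forms;
}

function dictionaryHit(pw) {
  for (const f of baseForms(pw)) if (WORDS.has(f)) return f;
  return null;
}

// Effective guesses: a dictionary hit costs list size x rules, not N^length.
function estimate(pw) {
  const hit = dictionaryHit(pw);
  const guesses = hit ? ASSUMED_LIST_SIZE * ASSUMED_RULES : Math.pow(2, bruteForceBits(pw));
  return { bits: Math.log2(guesses), seconds: guesses / GUESSES_PER_SECOND, baseWord: hit };
}

// Stand-alone demonstration with inputs quoted in the thread.
for (const pw of ["disestablishment", "Morphology123", "P@ssw0rd", "x?CQAcJe$m4!YXsE!$R=vSwSb8_WE%"]) {
  const e = estimate(pw);
  console.log(pw.padEnd(32), e.bits.toFixed(1) + " bits",
    e.baseWord ? `(dictionary: ${e.baseWord})` : "", e.seconds.toExponential(2) + " s");
}
```

With these assumptions “disestablishment” drops from a brute-force figure of about 75 bits to the roughly 27 bits of a list lookup, i.e. well under a second at the quoted guess rate, while the random 30-character string keeps its full 196 bits. The dictionary step is what a server-side checker built on cracklib adds over a purely client-side estimate, and the word list is the part that has to be large to be useful.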

  • 13 Nov 2009 | Daniel says:

    Any way to get it to work with the show password plug in as well. Played around with it and can get both to work.

  • 18 Nov 2009 | Stjepan karin says:

    I don’t think the algorithm reflects the reality. If I keep pressing ‘a’ as long as the input field allows, I finally get “Forceable in Infinity years”.

  • 24 Nov 2009 | Jorge Jeferson says:

    Forceable in 1 year, 5 months

    hahahah before that I'd already have changed my password (I change it every year) hahahahaah

  • very nice, thanks.

  • 27 Nov 2009 | Jonh says:

    a lot of b make the job.

  • 01 Dec 2009 | Igor says:

    Nice job!

    I’ve done something similar at http://passwordadvisor.com although the code is not public yet. It will also check for English words, repeated chars (aaa, 000), sequences (123, abc) and other stuff to estimate the cracking time.

    There’s also some password tips at the website which some users might find quite useful.

    Cheers!

  • 07 Dec 2009 | azazul says:

    doesn't work in opera .. so .. emm .. it DOESN'T work .

  • 17 Dec 2009 | firedragon says:

    Good job! ^_^

  • thanks

  • thanks for exp

  • 18 Mar 2010 | KF says:

    can you integrate password lock in this calculator?
    for example we have a policy that sets password lock for 15 min every 3 unsuccessful attempts.

  • 26 Mar 2010 | Secure Enough says:

    How long for some government agency to crack your password?

    Easy to feel secure when testing against a lone puny machine without a dictionary.

  • 29 Mar 2010 | Jeph says:

    Nice: “Forceable in 5.0034215192510823e+30 years”

    Tip: the type of chars is important (using alphanum + special chars + space).

  • 07 Apr 2010 | asaens says:

    Some of these attempts at security seem like overkill … the universe is only about 13,500,000,000 years old and earth and its sun are only about 5,000,000,000 years old. A couple of capital letters, a couple of lower case letters, a couple of numbers, 1 or 2 special characters, and a couple of random alphanumeric characters thrown in for good measure, all randomly intermixed, should produce good 8 to 12 length passwords that are good for 99% of the passwords needed.

  • 25 Apr 2010 | SnipersFan says:

    7.904771572642878e+43 years

  • I guess they are checking the total number of given characters and then searching for the combination. But I think the first difficult thing for a hacker is to find the password length, then the combination..
    so it's showing Password like 111111111111111111111 is Forceable in 11324 years, 11 months
    But this one: 8Klm+1 is forceable in 4 minutes, 3 seconds

  • 28 May 2010 | playa hata says:

    This is a little sketchy…
    “yourmomsucksballs” is:
    Forceable in 12840510 years, 1 month
    “yourmomsucksballs123” is:
    Forceable in 151385882561015 years, 8 months

  • It’s very good.
    I like this.
    Thanks for share.
    And I wrote something to introduce this project for my readers.
    You can find the post about this in my website.
    If something is wrong, pls figure it out. Thanks.

  • 09 Jun 2010 | Defuse says:

    Forceable in Infinity years :)

  • 27 Jun 2010 | KelvinLoh says:

    Forceable in Infinity years~ hahahahahaha

  • 24 Jul 2010 | Mandeep Singh says:

    My password is forceable in:

    So try your best………..

    3.4412999530189554e+21 years

  • 30 Jul 2010 | oitlo says:

    just checked my random password x?CQAcJe$m4!YXsE!$R=vSwSb8_WE%

    Password Forceable in 1.769583131372137e+42 years

  • 09 Aug 2010 | Naveen says:

    Wow, but who needs this?

  • 11 Aug 2010 | yasamphani says:

    awesome…!!!

  • mine showed
    Forceable in 1.0698003678959862e+38 years

  • 22 Aug 2010 | Aaron says:

    It says my password is ‘Forceable in Infinity years’

  • 22 Aug 2010 | Chimæra says:

    Haha. This good enough?

    9.531242202044135e+61 years
