How is password strength calculated?

The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012.

The library is available for free on Github: https://github.com/dropbox/zxcvbn

An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

But the short version is that it analyzes patterns in the password instead of being a simple “does it have caps” and “does it have a symbol” method.

For example, a password of “Passw0rd123!” is not a good password by modern standards. It uses a dictionary word, it uses common leet-speak replacements, it starts with a capital letter, it ends in a symbol, and it includes a whole number which is a common pattern of sequential digits. It’s a human pattern, and modern password cracking systems are geared to specifically crack exactly that kind of password.

The zxcvbn library (“zxcvbn” is an example of a bad password) includes a list of common passwords, a common English dictionary, and many methods designed to recognize these patterns, as well as other patterns such as common keyboard patterns (Examples: “wasd” = connected letters, often used by gamers, while “951357” is the the shape of an X on a numeric keypad). These sorts of things are then all ranked and a score is formed.

Modern passwords have to be basically complete gibberish, or long phrases, not simple patterns. Anything less is usually insecure to modern password cracker programs.

Try what you think a “good” password is in the Javascript demo. It might prove enlightening:

https://lowe.github.io/tryzxcvbn/

Leave a Comment

deneme bonusu veren sitelerbahis casinomakrobetceltabetpinbahispolobetpolobet girişpinbahis girişmakrobet girişpulibet girişmobilbahis girişkolaybet giriş