How is password strength calculated?

The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012.

The library is available for free on Github: https://github.com/dropbox/zxcvbn

An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

But the short version is that it analyzes patterns in the password instead of being a simple “does it have caps” and “does it have a symbol” method.

For example, a password of “Passw0rd123!” is not a good password by modern standards. It uses a dictionary word, it uses common leet-speak replacements, it starts with a capital letter, it ends in a symbol, and it includes a whole number which is a common pattern of sequential digits. It’s a human pattern, and modern password cracking systems are geared to specifically crack exactly that kind of password.

The zxcvbn library (“zxcvbn” is an example of a bad password) includes a list of common passwords, a common English dictionary, and many methods designed to recognize these patterns, as well as other patterns such as common keyboard patterns (Examples: “wasd” = connected letters, often used by gamers, while “951357” is the the shape of an X on a numeric keypad). These sorts of things are then all ranked and a score is formed.

Modern passwords have to be basically complete gibberish, or long phrases, not simple patterns. Anything less is usually insecure to modern password cracker programs.

Try what you think a “good” password is in the Javascript demo. It might prove enlightening:

https://lowe.github.io/tryzxcvbn/

Related Posts:

  1. Where to securely store API keys and passwords in WordPress?
  2. Why are passwords exportable as plain text in WordPress?
  3. Make password invalid once logged out of password-protected page
  4. Can’t reset WordPress password
  5. Is the “lost password” feature truly a vulnerability?
  6. Frontend Password change
  7. Is it possible to reduce the minimum character length for passwords?
  8. Is there any point setting the keys and salts in wp-config.php?
  9. When is wp_set_password() called or how to capture a password
  10. Moving away from MD5: Where to declare the custom global $wp_hasher?
  11. How to get WordPress to send Password Reset Link Email instead of New Password?
  12. Basic password protection without using users and roles
  13. How can I force a specific password?
  14. Can a WordPress administrator see other users’ passwords?
  15. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  16. Password-protect feed and make it usable in major aggregators
  17. Could a user account with a stolen password compromised entire WP site?
  18. How to set custom validation for WordPress Passwords?
  19. Is my WP site being hacked?
  20. How to get real password (before encrypt) when register a user?
  21. Directory to store secure file
  22. Can you alter the default wordpress strong password requirements?
  23. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  24. Why does the URL http://a/%%30%30 crash Google Chrome?
  25. How to view PHP on live site
  26. Can an attacker use inspect element harmfully?
  27. Hide the fact a site is using WordPress?
  28. Verifying that I have fully removed a WordPress hack?
  29. Can I Prevent Enumeration of Usernames?
  30. Should I escape wordpress functions like the_title, the_excerpt, the_content
  31. Should I remove install.php and install-helper.php?
  32. When to use esc_html and when to use sanitize_text_field?
  33. Are Nonces Useless?
  34. What is the difference between esc_html filter vs attribute_escape filter?
  35. Will there be security updates for 3.1 once 3.2 is released?
  36. How do I technically prove that WordPress is secure?
  37. multi page password protection
  38. WordPress it’s cleaning a custom query_var to avoid sql injections?
  39. How do WordPress Nonces Work?
  40. Prevent setup-config.php page from appearing when host blocks database
  41. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  42. Is there a security risk giving someone temporary access to my blog’s code?
  43. Is /wp-login.php?redirect_to[] exploitable?
  44. How to properly sanitize/secure a WP Query coming from the front end
  45. What should I do about hacked server?
  46. Website is being flooded [closed]
  47. password protected post policy
  48. Auth cookie value security risk?
  49. Where to store OAuth 2.0 client id and secret?
  50. Security – Shortcode injection attack
  51. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  52. How to combat flooding admin-ajax.php?
  53. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  54. Would it be dangerous to send all the wp_options to javascript file?
  55. Changing Table Prefixes – once done, am I good to go going forward?
  56. Should I disable directory listing for wp-includes?
  57. Force user to change their password on the frontend at the first login and password policy
  58. Safety side of storing emoji into database
  59. How can I safely hide the fact that my website runs on WordPress? [closed]
  60. How can I display nickname instead username in links
  61. My WordPress Websites are always under attack
  62. Is there value in using a wp_nonce for POST requests?
  63. Can I Remove xmlrpc.php completely?
  64. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  65. Secure WordPress: Change admin
  66. Changing the default header name
  67. Is it safe to use a global wp nonce per user instead of a nonce per action?
  68. Wordfence detects change in wp-admin/includes/upgrade.php
  69. Password minimum length in personal subscription [closed]
  70. Will there be security updates for WordPress 4.9.9
  71. Why my plugins are updating automatically?
  72. Any known bugs that could cause disappearance of the wp_users table?
  73. On new server, site got hacked, permissions a bit strange? Please help
  74. Privilege escalation bugs in 2.9?
  75. 404/500 error on content images if Referer header is from another domain [closed]
  76. Content-Security-Policy blocks WordPress check boxes from being activated
  77. Restrict Access without Creating Users
  78. Switching between security plugins is a risk?
  79. How to obfuscate wp-config.php or code
  80. wordpress admin security
  81. Are major WordPress updates mandatory for security?
  82. i moved wp-config.php outside of public html and this broke my website
  83. Is it safe to use the basic administration with reduced rights for private member space
  84. WordPress Database Re-installed (Hacked)
  85. Verifying that I have fully removed a WordPress hack?
  86. WordPress Security tools
  87. How can I stop other plugins from using my class’ sensitive methods?
  88. How to Password Protect whole site except for some subdirectories
  89. wordpress security (only one part of the site)
  90. What are WordPress Current Security Issues in 2017?
  91. Folder Permissions + Security Concerns
  92. Malware/Permission bug removal?
  93. how to find the way they hacked my WP site
  94. Run a security scan on WordPress site that has .htaccess password [closed]
  95. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  96. How to delete Password Protected posts cookies when a user logged out from the site
  97. How can I give someone server access to only duplicate and modify a site?
  98. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  99. How can I implement ansible with per-host passwords, securely?
  100. how to sanitizing $_POST with the correct way?

Leave a Comment