How Password Strength is Determined

Danny Santoro edited this page Dec 6, 2017 · 4 revisions

The password strength is determined by Dropbox's zxcvbn code, and isn't at all influenced by WordPress, WooCommerce, or this plugin. You can read a very in-depth explanation of how this works here, but a quick summary with examples can be found below.

What is zxcvbn and why did it come about?

zxcvbn is a open-source software package written in multiple languages to gauge password strength. While earlier password strength meters looked for certain things, such as length, special characters, requiring a number, and so forth, these measures didn't necessarily lead to stronger passwords. To show what I mean:

Example 1:

Sadly, password is one of the most commonly used passwords out there (src). Clearly, this is in NO WAY a secure password, so some people like to change it up with a few special characters - let's say they used P@S$w0rD instead. With two special characters, a number, and both capital and non-capital letters, you'd think that would be safer, right?

Not much. While password would take less than a second for any brute-force program to guess (it IS one of the most common choices, after all), at most it would take a slower brute-force program two hours to guess. Faster ones could get in under two seconds.

While the length does have more of an impact, the reason why these methods don't typically work is because your site isn't being attacked by humans, it's being attacked by computers. Computers can and do replace letters with their number or symbol replacement, look for common misspellings, take a word and tack on "1" or "123" at the end, everything like that in the blink of an eye. It hardly slows down someone who really wants to get in to your account.

Thus, zxcvbn was born. Approaching passwords with the mindset that brute-force computer programs do, it compares password strength not against human ability, but computer ability. This approach has led to much smarter and reliable password strength gauges, which is why it's the chosen meter for WordPress, the most popular Content Management System in the world (src).

Oh, and in case if you're wondering how it got the name - it's the first six letters left-to-right on a standard QWERTY keyboard. :)

How are passwords rated?

Without going into too much depth (you can read the article linked to in the first paragraph for that), a quick example explanation can be found in this popular comic created by xkcd:

Password Strength Comic by xkcd -

Basically, they're rated based on how many bits of entropy are created, and therefore how long it would take a computer to guess the password.

What are some example passwords for each level?

In the WC Password Strength Settings plugin, password strength is rated from 1 to 4. Some sample passwords for each level:

  • Level 1
    • zxcvbn
    • P@S$w0rD
    • abc123!
  • Level 2
    • qwER43@!
    • Tr0ub4dour&3
    • my password!
  • Level 3
    • mypassword123!
    • Star Wars
    • Weird, huh?
  • Level 4
    • correcthorsebatterystaple
    • alpha bravo charlie delta
    • woocommerce is the best

It should be noted there is also a "Level 0" meaning little to no protection at all. Example passwords in this category are:

  • Level 0
    • password
    • qwerty
    • 1234567890
    • monkey

Interesting how some of the harder ones to remember are the weakest, isn't it? It should be noted that I wouldn't recommend ANY of the passwords listed here, as they've been used as examples for passwords across the internet and have likely been added to brute force algorithms.

Surprisingly, 12345 is a really common password. Don't use that.

How do I make a strong password?

There are plenty of tricks on how to make a strong password, but let's kick off with an example. Below, we'll walk through how to turn a weak password into a strong one.

Password Generation 1:

Let's say you use you really like kittens. Who doesn't? They're furry, they're soft (except the teeth and claws), and they're generally low maintenance. However, they're terrible at keeping your account safe - you've been using the password kitten.

kitten ranks as a 0/4 for protection, meaning... None whatsoever. Let's bring that up to Level 1.

kittens ranks as a 1/4. The pluralizing trick won't always work, it just so happened to in this case because it created enough entropy to raise the difficulty by a magnitude. Now, instead of taking 3 hours for a slow online attack, it takes approximately two days. Let's keep going.

ilovekittens ranks as a 2/4. It's a bit longer which is better - the calculator estimates 43 years for a slow online attack. Still, this isn't considered a strong password, so let's go to Level 3.

ilovekittens! ranks as a 3/4. It can't really calculate how long a slow online attack would take (it's in the hundreds of years). At 10 guesses per second, it will take about 5 months. This is sort of the minimum level of security, and even then, we can do better with a really easy trick.

i love kittens! ranks at 4/4. at 10 guesses per second it would still take centuries, and even an offline attack of 10,000 guesses per second, it will take eight years for a computer to guess it.

Of course, if someone really knows you love kittens, this isn't the best password, but it emphasizes how a random brute-force attack can be stopped.

Turning weak passwords into strong ones still has a flaw - it starts off weak. Instead, as mentioned in the xkcd comic, we can use a trick to create a password that is easy for us to remember but hard for both people and computers to guess.

Password Generation 2:

What I like to do is either visualize something or look around the room and make a password based off of that. Think of an image you'll remember - maybe a favorite picture, or if you're a visual person just something around the house. Here's an example of generating a strong password this way:

In college, my roommate and I were walking back home from getting Chinese food. We saw that someone was throwing out a four foot tall R2-D2 soda cooler... And we couldn't let that little droid wind up in a trash compactor like his friends, so we nabbed it and placed it proudly on our covered patio where he joined in on plenty of parties.

I can remember the R2-D2 cooler sitting on the patio, so I'll just use that image:

r2 cooler patio is rated 4/4, taking 10 years at 10,000 guesses per second.

Another example?

On my desk, I have a jar of pens and markers. The closest one to me is a red Sharpie.

red pen in the jar is rated 4/4. At ten billion guesses per second, it will take a computer 11 months to guess this password.

Since there aren't any weird characters, numbers, etc. it's easy to remember and very secure. The only problem with this method is that some sites still require a special character, number, and capitalized letter, so we could use

R2 cooler patio! and R3d pen in the jar! just to satisfy their requirements.

What are some general password tips?

Although reading the above goes into more detail, here's some general advice:

  • Avoid common top passwords. You can search Google for these.
  • Avoid obvious patterns, like "abc" or "123", even if it's added at the end of a word.
  • Don't use the name of the site (or even an abbreviation) in your password. If your password is facebookSecure123!, then I can probably make a safe guess as to what your Google or Twitter password might be.
  • USE DIFFERENT PASSWORDS ON EACH SITE. At very least, use a variation of the password like blue pen in the jar.

The best tip, though? Invest in a Password Manager. I love 1Password - it's got programs for all of the major operating systems including your phone, and even has browser extensions that can auto-fill or auto-save passwords. Yes, some of these cost money, and yes, they are absolutely worth it.

How can I find my password strength?

There's a really great tool by Dropbox using this very zxcvbn calculator! It tells you how long it would take to guess, when it can it will tell you weak points, and it's also kind of fun.

zxcvbn Demo & Calculator

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.