Skip to main content

Posts

Showing posts from November, 2011

How to calculate Password Strength...

When I visit websites that want me to create an account before doing something, I typically enter in bogus information and occasionally I see a "password meter" that determines that I've entered a "weak" password.  At least it is considered "weak" by some systems and "average/strong" in others.  Being the curious sort of person, I've been trying to come up with a good, consistent strategy for calculating password strength and then something useful to do with it.  I assume most developers only want to write password strength code one time, do something useful with it, and then move onto the next task.

What constitutes a strong password?  An excellent question and something the industry seems to have difficulties figuring out at the moment.  NIST, the National Institute of Standards and Technology, has a few words to say on the topic.  Basically, password strength boils down to the number of bits of entropy that a password has.

So the next…