Password complexity estimator


The "Password complexity estimator" (or "password strength test" if you like) helps you estimate how complex your password is and how long it might take someone to break it. When giving details about the time it takes to break your password, 4 different cases are considered:

  • Fast offline attack - an offline attack against a "fast" hash, such as SHA-1, SHA-256 or MD5. This scenario presumes that someone has obtained the stored form of your password, which was not kept in plain text but was "hashed", and that the attacker tries to break it offline. Here a "fast" hashing function is a disadvantage: the number of guesses an attacker can try per second is substantially greater than with a "slow" hashing function (we are talking about one billion to one trillion guesses per second). So even if the password was graded as "Good enough" or "Strong", it might still be broken quickly in this case, and you should consider something more complex.
  • Slow offline attack - an offline attack against a "slow" hash, such as bcrypt, scrypt or PBKDF2. This is similar to the scenario above, except that we assume a "slow" hashing function was used, so breaking the password takes longer (at around 10,000 guesses per second). Most services nowadays should be using "slow" hashing, but some still use MD5 or SHA-256, for example.
  • Fast online attack. This scenario presumes an attack against an online service that holds your password, where the service either does not limit authentication attempts or the attacker has somehow bypassed that limit (a fair number, used here, is 10 guesses per second).
  • Slow online attack. As in the scenario above, this is about an online service. However, in this case we look at a service that does limit the number of guesses you can try (to about 100 per hour).
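
The four guess rates above turn a guess count into a time estimate. The following is an added example, not this page's code or the Dropbox library's: it converts a guess count into a time for each scenario. The brute-force keyspace model, the 1e10 fast-offline rate picked from inside the stated range, and all function names are assumptions.

```javascript
// Guess rates for the four scenarios described above (guesses per second).
const RATES = {
  fastOffline: 1e10,      // assumed point inside the page's 1e9..1e12 range
  slowOffline: 1e4,       // bcrypt / scrypt / PBKDF2
  fastOnline: 10,         // no effective throttling
  slowOnline: 100 / 3600, // about 100 guesses per hour
};

// Simplified brute-force model (assumption): keyspace = pool ^ length.
// Returns log10 of the guess count so long passwords do not overflow.
// A dictionary-aware estimator will rate common words far lower than this.
function log10Guesses(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33; // printable ASCII symbols
  return password.length * Math.log10(pool || 1);
}

// Seconds needed to exhaust the keyspace in each scenario.
function crackSeconds(log10G) {
  const out = {};
  for (const [name, rate] of Object.entries(RATES)) {
    out[name] = Math.pow(10, log10G - Math.log10(rate));
  }
  return out;
}

// Render a duration in the largest unit that fits.
function humanize(seconds) {
  const units = [["centuries", 3153600000], ["years", 31536000],
                 ["days", 86400], ["hours", 3600], ["minutes", 60]];
  if (seconds < 1) return "less than a second";
  for (const [label, size] of units) {
    if (seconds >= size) return `${Math.round(seconds / size)} ${label}`;
  }
  return `${Math.round(seconds)} seconds`;
}

function report(password) {
  const secs = crackSeconds(log10Guesses(password));
  return Object.fromEntries(
    Object.entries(secs).map(([k, v]) => [k, humanize(v)]));
}

console.log(report("abcdefgh")); // constructed sample input
```

The same eight lowercase letters that survive centuries of throttled online guessing fall in seconds against a fast hash, which is why the estimator reports all four cases.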

Please note that the whole process of estimating the complexity of the password happens on your device - nothing is transmitted to the server. So once the page is loaded, you can safely disconnect, for example, and keep on playing with whatever words you like. Even on your mobile, to pass the time while travelling :)

You can use the "Show/hide more details" link to see how your password, or parts of it, were verified: for example, whether something was found in a dictionary and how high on the list it ranks. The data comes from a library developed at Dropbox. Please note that the details will display your password, regardless of whether you have "Show what I'm typing" checked or not.

Once you have tried this, don't forget to also try the "Internet Privacy Test" and read about "Privacy in Social Networks"!

© Do-Know.com