Input a password and learn about its strength, unpredictability and security against Dictionary and Bruteforce attacks.
- Strength calculation using casing, length and special symbols as metrics
- Unpredictability for human generated passwords measured using Shannon Entropy
- Password Entropy for randomly generated passwords
- Test against Dictionary attacks using a list of 10M common passwords
- Bruteforce time estimation (1 Billion guesses/sec)
Password Strength is calculated by adding 1 point to it for every metric, the metrics being:
- Contains at least 8 characters
- Contains lower case letters
- Contains upper case letters
- Contains numbers
- Contains special symbols
So the minimum strength seen is 1 and the maximum is 5. This could be seen more as a vast simplification of Password entropy than an actual metric of password strength.
Password Entropy measures the total uncertainty in the whole password, assuming a random choice from a known set. It is calculated with the following formula:
For example:
- Input: Hello
- Range = 52 -> all lower and upper case characters
- Length = 5
The following blog post from Proton was used as reference for the password safety standards of password entropy included in the code.
Shannon Entropy measures uncertainty per symbol based on actual character frequency, calculated using the following formula:
I will not be providing an example of the Shannon Entropy calculation since it would take too long to calculate the probabilities of all password characters and sum them up by hand. But this is a code snippet of how it is calculated:
double entropy(const char* input) {
std::string s(input);
std::unordered_map<char, int> freq;
for (char c : s)
freq[c]++;
double sEntropy = 0.0;
int len = s.size();
for (const auto& p : freq) {
double f = (double)p.second / len;
sEntropy -= f * (log2(f));
}
return sEntropy * len; // multiplying with length to get entropy in bits
}The above code snippet is a simplified example of the Shannon entropy calculation. In reality both entropies are calculated in the same function and returned as a std::pair.
The following document from RFC editor served as reference for the password safety standards of shannon entropy included in the code. Shannon entropy is not widely used in password security estimations and research is limited, so no true standard of security exists.
Entropy, in general, can not provide a standard of password security due to 1) Moore's Law (2/3 bits would have to be added every year to maintain password security standards, RFC4086) and 2) the varying resistance to cracking attacks between passwords of the same (Shannon) entropy value presented in this blog.
Disclaimer: Not all references provided are peer-reviewed or academically "valid". This is just a side project, not to be used as an actual tool for determining password security.
The BTE was made using the following equation:
int length = strlen(input); //length of password
long double totalGuesses = pow(range, length); // combinations
double guessesPerSec = 1e9; // assuming 1B guesses/sec
long double seconds = totalGuesses / guessesPerSec; //estimated time
(...)On Linux/MacOS(I think) (if you have CMake and a C++ compiler):
git clone https://github.com/geovern/PasswordSafetyAnalyser.git
cd PasswordSafetyAnalyser/
./build_projectTo Run:
cd build/
./pwrdSA- Docker for window and mac support, or dependency installation
- Do dictionary attack simulation with JtR or Hydra instead of my own implementation, using fork,exec,pipe
- Possible HaveIBeenPwd API implementation
- Suggest stronger passphrase alternatives if a password is weak(a -> @, E -> 3, maybe use $random bash cmd and fork/exec to get random additions to the code if no nums are used)