Password checkers

Meter indicating password strength

Are password checkers safe, accurate, and useful?

Many websites offer password checkers. You type in a password and the checker will tell you how long it would take to crack that password. Here are three reputable password checking sites:

Kaspersky Password Checker character

I created a really rubbishy password (the sort you shouldn’t ever use). It was “Baldy20?” (without the quotes).

The above three sites (in the above order) assessed the time it would take to crack that password by brute force as follows:

  • 25 days
  • “Your password could be cracked faster than you can say “Oops!””
  • 1 hour

Assuming that we can evaluate the second one less facetiously as “1 second”, then the longest estimate is 2,160,000 times as long as the shortest.

Let’s try a slightly better password – “Goma20?3za”. The results, in the same order, were:

  • 33 centuries
  • “This password can be cracked faster than the time it takes to get back from a short walk”
  • 12 days

Again, assuming that the Kaspersky evaluation actually means “15 minutes”, the longest estimate is 115,7111,200 times as long as the shortest.

Why do these password checkers disagree with each other so much?

The problem is that none of these password checkers give us any idea of their assumptions in making their calculations. Here’s an idea of the kind of variables that I think may be in play:

  • The power of the computer the hacker is using
  • Whether they check for things such as place names, years, days of the year, names
  • Whether they check against a database of previously revealed passwords
  • Presumably there are many different pieces of software (available on the dark web) for doing the hacking and they vary in their speed and abilitites

Can we trust the integrity of password checkers?

Apart from the utterly ginormous disparity between the assessments, I also wondered whether we can trust these sites. So, I asked Bard (the AI version of Google) “how can I know that an online password strength checker is not stealing the password it is checking” and it replied:

– Check the website’s security certificate. When you visit a website, your browser will display a lock icon in the address bar. This indicates that the website is using a secure (HTTPS) connection. If the lock icon is not present, or if the website’s security certificate is expired or invalid, do not enter your password.
– Read the website’s privacy policy.The privacy policy should state whether the website collects or stores user passwords. If the website does collect or store passwords, it should explain how it will protect them. If the privacy policy is not clear or does not address password security, do not enter your password.
– Only use password strength checkers from reputable sources.There are many online password strength checkers available. Some of these checkers are more reputable than others. When choosing a password strength checker, it is important to do your research and choose one from a trusted source.
logo of shield from Password Monster

There must be a better way

OMG! Why would you bother? If you’re not confident that your password is safe, I’ve got a much easier suggestion than consulting password checkers (whether or not you follow Bard’s advice). Just add another few random characters to the password.

In my opinion, you would be much better off just following current guidelines on creating passwords than bothering with strength checkers.

The main password strength guidelines:

  • A minimum length of 12 characters (but the more the merrier)
  • Use a mixture of lower and upper case letters, numbers, and other characters
  • Avoid words, names, etc, that can be found in dictionaries or similar sources
  • Avoid personal information
  • Most importantly, NEVER re-use passwords (your own or anyone else’s)

I know I never stop going on about passwords. That’s because they still cause my computer support clients so many problems. Here’s a few of my previous contributions to the subject:

Using passwords for multiple accounts
Passwords – another reason not to re-use them
Brute force attacks