Password checkers

Padlock with cartoon legs and thumbs up

Are password checkers safe, accurate, and useful?

Security guard with torch and tablet
Do your passwords pass scrutiny?

Many websites offer password checkers. You type in a password and the checker will tell you how long it would take to crack that password. Here are three reputable password checking sites:

https://www.passwordmonster.com/
https://password.kaspersky.com/
https://bitwarden.com/password-strength/

I created a really rubbishy password (the sort you shouldn’t ever use). It was “Baldy20?” (without the quotes).

The above three sites (in the above order) assessed the time it would take to crack that password by brute force as follows:

  • 25 days
  • “Your password could be cracked faster than you can say “Oops!””
  • 1 hour

Assuming that we can evaluate the second one less facetiously as “1 second”, then the longest estimate is 2,160,000 times as long as the shortest.

Let’s try a slightly better password – “Goma20?3za”. The results, in the same order, were:

  • 33 centuries
  • “This password can be cracked faster than the time it takes to get back from a short walk”
  • 12 days

Again, assuming that the Kaspersky evaluation actually means “15 minutes”, the longest estimate is 115,7111,200 times as long as the shortest.

Why do these password checkers disagree with each other so much?

The problem is that none of these password checkers give us any idea of their assumptions in making their calculations. Here’s an idea of the kind of variables that I think may be in play:

  • The power of the computer the hacker is using
  • Whether they check for things such as place names, years, days of the year, names
  • Whether they check against a database of previously revealed passwords
  • Presumably there are many different pieces of software (available on the dark web) for doing the hacking and they vary in their speed and abilitites
  • Whether the potential hacker has any idea of how many characters are in the password

Can we trust the integrity of password checkers?

Apart from the utterly ginormous disparity between the assessments, I also wondered whether we can trust these sites. So, I asked Gemini (the AI version of Google) how can I know that an online password strength checker is not stealing the password it is checking” and it replied:

Quote

– Check the website’s security certificate. When you visit a website, your browser will display a lock icon in the address bar. This indicates that the website is using a secure (HTTPS) connection. If the lock icon is not present, or if the website’s security certificate is expired or invalid, do not enter your password.
– Read the website’s privacy policy.The privacy policy should state whether the website collects or stores user passwords. If the website does collect or store passwords, it should explain how it will protect them. If the privacy policy is not clear or does not address password security, do not enter your password.
– Only use password strength checkers from reputable sources.There are many online password strength checkers available. Some of these checkers are more reputable than others. When choosing a password strength checker, it is important to do your research and choose one from a trusted source.

Unquote

There must be a better way

OMG! Why would you bother? If you’re not confident that your password is safe, I’ve got a much easier suggestion than consulting password checkers (whether or not you follow Gemini’s advice).

Just add another few random characters to the password.

In my opinion, you would be much better off just following current guidelines on creating passwords than bothering with strength checkers.

The main password strength guidelines:

  • A minimum length of 12 characters (but the more the merrier)
  • Use a mixture of lower and upper case letters, numbers, and other characters
  • Avoid personal information
  • Most importantly, NEVER re-use passwords (your own or anyone else’s)
Hands holding notebook with password above a laptop
If you are not sure, just make them longer

It is true that some websites still allow you to create passwords of only eight characters. However, it is now quite a trivial task for a computer to run through every possible combination of this length.

Twelve characters is very much more secure from a brute force attack.

And if you go for 20 characters, you’ve probably reached the point where the password is virtually impossible to crack by brute force with current technology.

I know I never stop going on about passwords. That’s because they still cause my computer support clients so many problems. Here’s a couple of my other contributions to the subject:

Variation on a theme of an email scam

Create your own simple Password Manager

PS: … and you can forget “leetspeak”. No-one is going to be slowed down by your replacing letters with numbers as in “D4v1d” for “David”. See this Wikipedia page if you are interested.

Image by freepik

Image by d3images on Freepik

Image by freepik