Overview#

As pointed out under Password Management, passwords and password-based Authentication Methods are an issue.

One of the issues with Password Strength is:

• seventy percent of Humans forget their password once a month
• Humans try on average 2.4 passwords before we have the right login
• Humans are a poor source for the entropy we need for security, because humans need patterns to remember things.

Generally, they are not secure and hard for users to work with and understand. As an example:

Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

or

PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two!

In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

Best Practices Password#

Password Best Practices are some Best Practices for Password handling.

Password Meters#

Some sites that test your password strength and or provide more information on Password Strength:

• https://www.grc.com/haystack.htm
• http://www.geekwisdom.com/dyn/passwdmeter
• http://www.passwordmeter.com/
• http://howsecureismypassword.net/

Making Strong passwords#

Some forms of Making Strong passwords

• Use L33T
• Password Do’s and Don’ts

Do Strong Web Passwords Accomplish Anything?#

(2007 Article)[1]#

We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users.

Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the userID's rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

An Administrator’s Guide to Internet Password Research (2014)[2]#

This Microsoft Research paper which has some great information and data on passwords and password usage concluded is that creating strong passwords is wasted effort a lot of the time.

More Information#

There might be more information for this subject on one of the following:

• NIST.SP.800-63B
• Password Management
• Password Statistics
• What To Do About Passwords

---

• [#1] - Do strong web passwords accomplish anything? - based on information obtained 2013-04-10
• [#2] - An Administrator’s Guide to Internet Password Research - based on information obtained 2015-04-10