
Your password(s) - how strong are they AND WHY...

The reason that many people use poor passwords is that they have no method of telling what is good or bad AND WHY! The latter is a critical factor in educating people about strong passwords - hence the logic below. Feedback is very welcome because I have never seen this attempted anywhere - not even on the WWW.

You will not be asked to enter your password, as that is obviously the last thing you or I would want. Instead you will be asked a series of questions about it, from which you can calculate a numeric figure that approximates its strength.

Please note that:

  1. This method is not intended to be scientifically or mathematically 'correct' because it takes my judgement of what a hacker is going to try before they give up and switch to someone else OR try stealing your password rather than cracking it. Also, most advice that goes into the maths of passwords ignores the fact that to make them memorable, people have to link them to something in the real world, and therefore dictionaries of all sorts are in abundant use by hackers as their path of least resistance.
  2. The method has had no formal rigour applied to it apart from that of peers, and as such you make any judgements and take any and all risks based on your own knowledge, skill and common sense, not mine.
  3. The assessment of variety below appears very simple because it is - the wider the variety of characters you use in a password, the less likely it is to be 'simple' to crack. The COMPLEXITY is harder to assess because it tackles the fundamental weaknesses which are in many passwords - use of words, names, simple transpositions etc. Please do not be 'put off' from trying because you may be surprised at how little complexity there is in your password, and the prompts are intended to help you realise what does and, importantly, what DOES NOT improve the strength of your password.

How to assess the strength of a password:

Variety - the spice of life or more...?

Firstly, what is the variety of the characters used? Score the following, starting with a count of 4 for variety:

  • Add 4 if there is a lower case character - i.e. a-z
  • Add 2 if there is a Numeric character - i.e. 0-9
  • Add 5 if there is an UPPER case character - i.e. A-Z BUT only add 3 if it is the first character of a word / name etc.
  • Add 7 if there is a punctuation character (!"£$%^&*()_+= etc.) - for more examples see the keyboardS that you use (may be more than 1!) - normally all the top row when Upper-Cased plus the areas to the immediate left of the Enter key and each end of the lowest line of letters. Note that I have referred to these as punctuation but I am including what are often called 'special' characters.

Now divide the count by 3 and round to the nearest whole number (up OR down)! You now have a rough measure of the variety (or entropy) of your password. High is very good but anything less than 3 is poor; 4 is OK as long as your password is sufficiently complex - see below. The maximum score is 7.

Complexity - how many pieces and how difficult is each to guess?

Now for the complexity of the characters in the password. Start at the top of the list below and, when part of your password matches a description, remove that part of the password and work with the rest FROM THE TOP AGAIN, but without resetting the score to zero. First count the length of your password; that is your starting count for complexity - i.e. beckham99 would be 9:

Note that the items below are numbered ONLY so that you can ask questions or provide feedback about them.

*** return here until you have removed all the password as below...

    When there are no more characters left (you removed them after they match!) you can leave this list with the score for complexity. This list is trying to tell you what is good (high is GOOD) and bad about the different parts of your password and of course - how many of them there are - i.e. how many times do you come back to the top - MANY is GOOD, even if there are few high numbers.

  1. Add 1 if there is a single digit at the end of your password. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  2. If there is a set (2 or more) of consecutive digits in your password then apply the following logic:
    • Subtract! 2 if the digits are at the end of the password, then!:
    • Add 3 if the digits could be a house number, date and/OR YEAR (2, 4 or 6 digits) or are any number which could be associated with you - especially if that information is accessible on the web to anyone! Note that most 2 digit numbers will match this! It doesn't matter if that is not the reason that those digits are there - the hackers will try anything they find. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
    • Add 4 if there are 3 or 4 digits. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
    • Add 5 if there are more than 4 digits. A match occurred so (a) remove the digits that matched and then (b) go to the top of this list again - see ***
  3. Add 4 for any set of characters that could be at all related to the resource that the password secures or what it does or what most users will be thinking about at the prompt - not just their user name but what they could be doing instead of keying in that password - yes - drinking beer, getting a tan, party-related phrases etc. are all included!

    Examples are BA at a British Airways site, cash at a banking site, eb (or even worse 'ebay'!) at an eBay site or sun at a holiday travel site. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***

  4. Add 5 for any name OR PHRASE - place, person, animal, quotations, lyrics - especially if famous, popular, very common, trendy etc. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  5. Add 5 for any character repetition or similar sequence of characters that can be derived from the alphabet, keyboard (any direction) or other simple rule. Qwerty is the most obvious UK example, azerty in France. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  6. Add 6 for any word that is in the dictionary and in common use. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  7. Add 7 for any of the items if the word / character string has only trivial transpositions - 5s to Ss, bs to 6s or Bs to 8s as one example or taking the first letters of each word of a phrase, lyric etc. as another. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  8. If there is a sequence of at least 3 characters which are the first letters of a song lyric, person's name or other well known phrase then count twice the number of characters but with a maximum of 10 (5 words * 2). Ignore capitalisation and simple substitutions of digits for characters or words. An example of this would be: iwtbars or Iwtbars or Iw2bars - I want to be a rock star. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  9. If there is a sequence of at least 3 characters which are the first letters of a phrase or sequence of words/names that (a) only you would remember and (b) is in some way unique in that other people would be unlikely to use the phrase; then count six times the number of characters then subtract 4 but with no maximum, e.g. 5 words * 6 (=30) scores 26 (30-4) or 4 words * 6 (=24) scores 20 (24-4).

    An example (but not a very good one because at least 40 other people know it! and it could be 'researched' on the web) would be a list of pupils in a class at school that stick in your memory because there was a roll-call every morning.

    A good example (before I published this page to the web!) would be my memory of a swimming class when 9-10 years old - xxpITW where xx is deliberately NOT the initials of a peer (pun!) and ITW represents In The Water. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***

  10. Add 8 for any name, place or word that is in the dictionary even if not in common use. If a match occurred then (a) remove the whole word(s)/characters that matched and then (b) go to the top of this list again - see ***
  11. Add the appropriate score PLUS 2 for any of the items above if there are moderate but single complexity transpositions - removing vowels, first vowel for instance, reversal of characters etc. If a match occurred then (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***
  12. Add the appropriate score PLUS 4 for any of the items above if there are complex or multiple transpositions - i.e. 2 transpositions on 1 word or 2 different transpositions on different words.

    Don't forget with the above (and below) - REMOVE WHAT MATCHED (Word, name, character etc.) and go back to *** at the top of this list as soon as ANY match:

  13. Add 2 for any digit left that was at the end (or start) of the password
  14. Add 4 for any digit left that was at the end of a word
  15. Add 6 for any digit left
  16. Add 8 for any lower case character left
  17. Add 9 for any UPPER case character left
  18. Add 11 for any character left - by now you should be able to simply count them and multiply by 11 if you have got this far.

With all of the above line items - you must remember that when matched - you must (a) remove the word(s)/characters that matched and then (b) go to the top of this list again - see ***

There should now be nothing left of your password, so... Divide your score by 5 and round the result to the nearest whole number.

You now have a rough measure of the complexity of your password, very high is very good but 5 is poor and below 4 is dreadful unless the password is protecting nothing of any value whatsoever. There is no maximum score but a password at eBay such as 'eBay=shop09' from above would score 6 on this measure - counting length = 11 + (-2+3=) 1 for '09' + 4 for eBay + 4 for shop plus 11 for the '=', making 11 + 1 + 4 + 4 + 11 = 31 - divided by 5 is 6.

FYI 'Z4bvrlBA' at a British Airways site would score 7 - a length of 8 + 4 for 'BA', 6+2=8 for bovril with no vowels + 6 for '4' and 9 for 'Z' making a total of 35 before dividing by 5. Also FYI - 'beckham99' gives a score of 3 - a length of 9 + (-2+3=) 1 for '99' + 5. 'password1' also gives 3 ((length 9 + 1 + 5) / 5 = 3).

You can now make a judgement about how strong a password is by putting the last number into a calculator and then multiplying it by itself as many times as the score you have for variety.

Variety times complexity - that IS STRENGTH!

Taking the worst examples (but not lowest-possible scores!) - what I described as poor above was 5 for complexity which is multiplied by itself 3 times which is the 'poor' score for variety. 5 * 5 * 5 is 125.

Compare that even with the 'eBay=shop09' example and the strength is substantially higher - complexity is 6 and variety is 7 and 6**7 = 279936. The BA example above of 'Z4bvrlBA' has complexity 8 and variety of 5, 8**5 is 32768. The latter may not appear as good but the software that accepts your password MAY have restrictions on what characters it will accept other than a-z, A-Z and 0-9. If you want to experiment (at your own risk!) then I would start trying punctuation characters with the most common - space, comma and period. Dashes (-), Hashes (#) and Equals (=) are the next I would try. Avoid using any national characters (e.g. currency), just in case you want to log in when abroad and might be using a different keyboard!

You can use the calculator to the right to do the arithmetic but the important thing is that you saw where the figures came from! You can see the effect of using different characters and that long words, names etc. don't really add to strength.

In terms of bad and good strength scores:

  • 200 or less is very, very bad - 'beckham99' and 'password1' give scores of 125 (5**3).
  • Between 500 and 10,000 is simply from very bad to OK - 1,000 might be acceptable for "don't care" sites and 5,000 for sites where someone could 'have fun' with your account but there should be no risk taken - remember that even on a bulletin board you can be sued for libel for instance!
  • 10,000 or above is OK for resources where you have little or nothing to lose and presumably hackers have little to gain. (The level 2 example of 'Z4bvrlBA' gives 16,807 - 7**5 but if 'BA' was replaced by my '2 bottles of champagne' example then 'Z4bvrl2boc' would be a serious 161,051 - 11**5 - i.e. no increase in variety but the '2boc' adds so much complexity because to the hacker it has no relationship to the site.)
  • 50,000 would be reasonable where being compromised would cause little inconvenience and half an hour to remedy.
  • Half a million (500,000) would be reasonable where being compromised would cause inconvenience and a few hours of effort to remedy. It may be difficult to get higher than this on some sites - typically because they don't allow punctuation characters. You may need to use 3 'unrelated' words rather than 2 to get this high or maybe add another unconnected upper or lower case character.
  • 10 million would be acceptable for small financial risks and significant inconvenience and time to remedy but see next section about keeping really important sites safe and secure!
  • Over 100 million (8 zeros) would probably be adequate for serious financial risk as long as you were not targeted but in that situation the password would be stolen by other means. ('9ezgreNcT,A' is over 1.8bn if you assume ezgre is random, if it originated from a phrase personal to you it would be over 600m).
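
The scoring procedure above, collected into an added Python example (not code from the original page). Variety is computed from the character classes; complexity takes the tally you make by hand from the numbered list, because that step depends on judgement. The function names and the word-boundary rule for capitals are assumptions, and the sample passwords and tallies are the page's own worked examples.

```python
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits

def variety_score(password):
    """Start at 4, add per character class present, divide by 3 and round."""
    count = 4
    if any(c in LOWER for c in password):
        count += 4
    if any(c in DIGITS for c in password):
        count += 2
    uppers = [i for i, c in enumerate(password) if c in UPPER]
    if uppers:
        # Assumption: "first character of a word" means the capital starts the
        # password or follows a non-letter; any other capital earns the full 5.
        word_initial = all(i == 0 or not password[i - 1].isalpha() for i in uppers)
        count += 3 if word_initial else 5
    # Assumption: anything outside a-z, A-Z and 0-9 counts as punctuation/special.
    if any(c not in LOWER + UPPER + DIGITS for c in password):
        count += 7
    return round(count / 3)

def complexity_score(password, tally):
    """tally: (fragment, points) pairs in the order you matched and removed them."""
    remaining, total = password, len(password)  # the length is the starting count
    for fragment, points in tally:
        if fragment not in remaining:
            raise ValueError(f"{fragment!r} is not left in {remaining!r}")
        remaining = remaining.replace(fragment, "", 1)  # remove what matched
        total += points
    if remaining:  # the procedure only ends when nothing is left
        raise ValueError(f"unscored characters left: {remaining!r}")
    return round(total / 5)

def strength(variety, complexity):
    """Complexity multiplied by itself 'variety' times."""
    return complexity ** variety

# Bands from the list above, treated as minimum scores, highest first.
BANDS = [
    (100_000_000, "serious financial risk, if not targeted"),
    (10_000_000, "small financial risk"),
    (500_000, "inconvenience, a few hours to remedy"),
    (50_000, "little inconvenience, half an hour to remedy"),
    (10_000, "little or nothing to lose"),
    (500, "very bad to OK"),
]

def band(score):
    for minimum, label in BANDS:
        if score >= minimum:
            return label
    # The page calls 200 or less "very, very bad"; treating 201-499 the same
    # is an assumption, since the page leaves that range unlabelled.
    return "very, very bad"

if __name__ == "__main__":
    # Tallies are the page's worked examples, one entry per removed fragment.
    examples = {
        "eBay=shop09": [("09", 1), ("eBay", 4), ("shop", 4), ("=", 11)],
        "Z4bvrlBA": [("BA", 4), ("bvrl", 8), ("4", 6), ("Z", 9)],
    }
    for pw, tally in examples.items():
        v, c = variety_score(pw), complexity_score(pw, tally)
        print(pw, "variety", v, "complexity", c, "strength", strength(v, c), "->", band(strength(v, c)))
```

Run it only on sample strings or on a machine you trust; the tally check raises an error if any characters were left unscored, which is the most common slip when doing the procedure by hand.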

What about REALLY important sites run by seriously competent and motivated people!

You MAY worry more about these sites because you typically have a lot more at risk. For example - on-line banking of ANY sort is an obvious target. The way in which you keep safe and secure on THESE sites is by keeping them apart from your general use of PCs etc. to an extreme extent! See Making money out of Spam for the economics of malware and why that is SO important.

Typically the 'quality sites' will for instance only give you three attempts at entering a password BUT if you USE a PASSWORD that you use on ANOTHER web SITE that isn't "quality" then you are CRAZY! This is why banks often now offer a 'dongle' of some description that is not attached to your PC or the web at all, and they force you to interact with their dongle to give you a temporary code which will only allow you to log in at that time.

Nevertheless it is important to choose a (separate!) password for those sites, or one for each individually, which at least gets you into medium complexity even if their web sites often inhibit aspects of variety in the interests of making the login experience as painless as possible.

One obvious example of banks forcing a lack of variety is that you will probably have a PIN as well as a password - the PIN will typically be 4 or 6 DIGITS (i.e. 0-9 only!) long which ON a WEB site would be pathetic if the password (or selected characters from it) were not also needed.

What about 'pure' mathematics and their approach to this problem?

It has to be stressed that mathematicians will not approve of the above method at all but the problem with presenting the topic in a 'pure' manner is that:

  1. Any 'simple' mathematical approach is totally flawed because the probability of using letters, words, names etc. dwarfs any algorithm that simply looks at the character set (roughly equates to variety) and the number of characters used - on that basis 'Beckham1' would be as good a password as 'Z4bvrlMu'.
  2. When a classical rigorous approach is taken it loses any clarity whatsoever because authors with that understanding of the mathematics will expect their readers to have a deep understanding of that subject, otherwise they would not be reading it. What I hope is that readers will at least be able to understand the consequences of using words, names and phrases in common use etc. and the dramatic impact of variety.

Just try the calculator with variety increased by 1 or 2 - a BIG difference! A simple addition of a 'disconnected' capital letter and number can do it...

What can you learn from the above

The most simple NEGATIVE RULES are:

  1. If you have a poor password at any site that isn't a strictly serious, major corporate institution that is obviously committed and motivated to protect your privacy then you can assume hackers will have access to any account at which you use the same password within a year.
  2. If you have ANY password at a site that is run by "amateurs" and in particular if the software they use appears "home grown" then you can assume that someone already has access to that password so using it elsewhere is NOT a GOOD IDEA.
  3. Don't use names, words, places, dates, years etc. even if you change odd characters and put numbers at the end.
  4. If you don't (or can't!) use variety in your passwords then you need to increase complexity by a large amount to compensate.

The most simple POSITIVE RULES are:

  1. You don't need to add much to existing passwords to improve them dramatically - an Uppercase letter and an intermixed digit for example.
  2. Using the first characters of a phrase or sequence of words is a very effective and easy way of making an obscure password that you can remember.
  3. You d
  4. You d
  5. You d

This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions

Links and other information last validated on 7th August 2007. Please use the Contact us page to suggest any additions or revisions.
