What is a password strength checker? Is it accurate?

Anton P. | October 06, 2022

A password strength checker reveals how resistant a password is to attempts to crack it. However, do not trust such password tests blindly. Strength meters might not look up passwords in breach databases, and they may fail to account for some brute-force attack methods.

Thus, let’s see how to make the most out of a password strength checker and create resistant combinations.


What is a password strength checker?

A password strength checker evaluates the security of a password. It can also estimate how long it would take to crack that password.

However, remember that password checkers do not try to break through such passwords. Instead, they compare entered combinations to known attributes of secure passwords.

Thus, these are the characteristics and rules a password strength checker uses to determine password security:

  • Length. The number of characters in a password is likely the primary indicator of its strength.
  • Types of characters used. A password strength checker looks for lower and uppercase letters, numbers, and symbols.
  • Known passwords. Combinations like 123456789 or password123 will immediately get flagged as unsafe.
  • Known techniques. A password strength check could detect common tricks like replacing letters with lookalike numbers (as in replacing E with 3).

Can a password strength checker recognize leaked passwords?

One of the biggest weaknesses of a password strength checker is that it might not consider previously compromised credentials. Millions of login details get dumped in hacker forums or are available for sale on the dark web.

Such breached passwords could satisfy every known rule for secure passwords. Yet these leaked databases are commonly fed into brute-force attacks.

We ran a test with the password $aT\c+b(, which is exposed in the RockYou2021 database of breached credentials, using some of the most popular web-based password strength checkers. Here are the results:

  • Not every password strength checker recognized $aT\c+b( as a leaked password.
  • The password checkers suggested that it might take 50 years, three days, 20 hours, or 20 hours to crack it.
  • Thus, the results are inconsistent. And, say, if you use only the checker calculating 50 years, you might believe that the password is secure.
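The two sections above describe what a checker actually does (length, character classes, known passwords, undoing look-alike substitutions) and what it usually misses (a password that passes every rule but already sits in a breach dump). The following Python script is an added example written for this article, not code from any of the checkers tested or from Atlas VPN; the breach list, the common-word list, the substitution table and the minimum length of 8 are all constructed assumptions. It shows that $aT\c+b( passes every composition rule and is caught only by the breach lookup, while P@ssw0rd is caught only once the substitutions are undone.

```python
import math
import string

# Constructed sample breach list (an assumption for this example, NOT the real
# RockYou2021 data). $aT\c+b( is included because the article reports it as
# exposed in RockYou2021.
BREACHED = {"123456789", "password123", "qwerty", "password", r"$aT\c+b("}

# Constructed set of well-known base words a checker flags even when disguised
COMMON_BASE_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}

# Look-alike substitutions a checker undoes before matching (e.g. E -> 3)
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 8  # assumption: the minimum length this checker enforces


def normalize_leet(pw):
    """Lowercase and undo common number/symbol-for-letter substitutions."""
    return pw.lower().translate(LEET_MAP)


def character_classes(pw):
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def charset_size(pw):
    """Size of the alphabet a brute-force attacker would have to cover."""
    total = 0
    if any(c.islower() for c in pw):
        total += 26
    if any(c.isupper() for c in pw):
        total += 26
    if any(c.isdigit() for c in pw):
        total += 10
    if any(c in string.punctuation for c in pw):
        total += len(string.punctuation)  # 32 symbols
    return total


def naive_entropy_bits(pw):
    """Length x log2(alphabet): the optimistic figure most meters report."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw, breached=BREACHED):
    """Apply the four rule families and return the list of problems found.
    An empty list means the password passed every check."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if character_classes(pw) < 3:
        findings.append("fewer than three character classes")
    if pw in breached:
        findings.append("present in breach list")
    elif normalize_leet(pw) in breached | COMMON_BASE_WORDS:
        findings.append("known password once look-alike substitutions are undone")
    return findings


if __name__ == "__main__":
    for candidate in ["summer", "P@ssw0rd", r"$aT\c+b(", "13$534!5gfd&46NJJfb"]:
        print(f"{candidate!r}: {naive_entropy_bits(candidate):.1f} bits, "
              f"findings={check_password(candidate)}")
```

Without the `breached` set, `check_password` would return an empty list for $aT\c+b(, which is exactly the gap the article describes: composition rules alone cannot tell a fresh random password from one that is already in a cracking wordlist.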

How useful is a password strength checker during sign-up?

Some services offer password tests during users’ registration processes. It might seem helpful as you do not have to look for an external password strength checker. However, such assessments are far from accurate and mostly rely on password length.

In other cases, services might only accept passwords that contain at least one capital letter or number. Unfortunately, users can still manage to create incredibly weak passwords.

So, take results from such password strength checkers with a generous grain of salt.

Performing a password strength check on passwords

Remember that hackers have access to numerous resources when it comes to guessing passwords:

  • Books and dictionaries.
  • Scripts and lines from popular movies or series.
  • Social media accounts.
  • Databases of leaked passwords.

Knowing this, a determined hacker can attempt to break into accounts using targets’ personal information from social media. In other cases, lists of passwords that hackers cross-check can include quotes from well-known films.

So, knowing the abundance of information available online, we tested three passwords.

  1. 13$534!5gfd&46NJJfb is the most secure of the three. It contains no actual words and mixes multiple numbers and symbols.
  2. idonotwanthackerstoguessmypassword is an example of a password without any numbers or special symbols. Additionally, it includes many words that hackers could retrieve from dictionaries.
  3. lifewaslikeaboxofchocolatesyouneverknowwhatyouregonnaget is a reference from a popular movie, and it contains nothing but words.

Let’s see how password strength checkers assess these combinations.

  1. Tests indicated 13$534!5gfd&46NJJfb to be highly secure and suggested that it takes centuries to crack it.
  2. Despite containing nothing but words, checkers suggested idonotwanthackerstoguessmypassword to be secure as well.
  3. Even though lifewaslikeaboxofchocolatesyouneverknowwhatyouregonnaget is a well-known quote, checkers found no issue with it.

So, every password strength checker concluded that all three passwords were suitable for use. However, idonotwanthackerstoguessmypassword is vulnerable to dictionary attacks. The lifewaslikeaboxofchocolatesyouneverknowwhatyouregonnaget password is also vulnerable, as automated attacks could potentially guess it.
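The reason the checkers overrated the two word-based passwords is that they score per character, as if every letter were an independent choice out of 26. A word-aware estimate scores per dictionary word instead, and a phrase list catches the film quote as a single entry. The script below is an added example for this article, not code from any of the tested checkers; the mini-dictionary, the assumed wordlist size of 20,000 and the phrase list are constructed for the demonstration and would be far larger in a real attacker's toolkit.

```python
import math
import re

# Constructed mini-dictionary: just enough words to cover the article's test
# passwords. A real attacker wordlist has tens of thousands of entries.
DICTIONARY = {
    "i", "do", "not", "want", "hackers", "to", "guess", "my", "password",
    "life", "was", "like", "a", "box", "of", "chocolates", "you", "never",
    "know", "what", "youre", "gonna", "get",
}
ASSUMED_WORDLIST_SIZE = 20000  # assumption: entries in the attacker's wordlist

# Constructed list of well-known quotes; compared after normalization so that
# spaces, capitals and punctuation cannot hide a match
KNOWN_PHRASES = {
    "Life was like a box of chocolates. You never know what you're gonna get.",
}


def normalize(text):
    """Lowercase and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower())


def segment_into_words(pw, dictionary=DICTIONARY):
    """Split pw into the fewest dictionary words (dynamic programming).
    Returns the word list, or None if pw is not made entirely of words."""
    text = pw.lower()
    n = len(text)
    best = [None] * (n + 1)  # best[i]: fewest-word split of text[:i]
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in dictionary:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def is_known_phrase(pw, phrases=KNOWN_PHRASES):
    """True if pw is a known quote once spacing and punctuation are removed."""
    return normalize(pw) in {normalize(p) for p in phrases}


def charset_entropy_bits(pw):
    """The per-character estimate: lowercase-only input gets 26 symbols."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 32
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    """Compare the naive per-character estimate with a word-aware one."""
    words = segment_into_words(pw)
    result = {
        "charset_bits": round(charset_entropy_bits(pw), 1),
        "words": words,
        "word_bits": None,
        "known_phrase": is_known_phrase(pw),
    }
    if words is not None:
        # Guessing word by word, the search space is wordlist_size ** len(words)
        result["word_bits"] = round(len(words) * math.log2(ASSUMED_WORDLIST_SIZE), 1)
    if result["known_phrase"]:
        result["word_bits"] = 0.0  # one entry in a phrase list: a single guess
    return result


if __name__ == "__main__":
    for candidate in ["13$534!5gfd&46NJJfb",
                      "idonotwanthackerstoguessmypassword",
                      "lifewaslikeaboxofchocolatesyouneverknowwhatyouregonnaget"]:
        print(candidate, assess(candidate))
```

For the random password `segment_into_words` returns None and only the per-character figure applies. For idonotwanthackerstoguessmypassword the per-character estimate is roughly 160 bits, but the word-aware one drops to about 129 even with the generous 20,000-word assumption, and the film quote collapses to a single guess once a phrase list is consulted.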

What could be the best password strength checker?

The web password strength checkers we tested showed inconsistent results. However, some of them performed better than others.

So, they could guide you in the right direction by reminding you of what characteristics strong passwords have.

If you wish to test the strength of your password, try multiple checkers to get a clearer picture. Despite the results, do not solely rely on password strength checkers.

Recommendations for high password strength

The formula for strong passwords is simple: they should be awfully inconvenient to remember. Thus, a password should not contain names of pets, birth dates, favorite snacks, or clusters of random words.

Remember to combine uppercase and lowercase letters, special symbols, and numbers. The final combination should look something like djsfh65$7fmbs##dD184F. It is inconvenient to remember but highly secure for any account.

  1. Unique passwords for each account. Set different combinations for each created account.
  2. Avoid setting a common password. You can find databases and lists containing frequently used combinations.
  3. Use a password manager. A password manager lets you store all combinations in one secure location. All you will need to remember is the master password.
  4. Avoid well-known password techniques. Hackers know about tricks like replacing letters with numbers.
  5. Do not use words or popular phrases. Quotes from movies or songs are unfit password ideas. Hackers could use such references for their attacks.
  6. Set two-factor authentication. 2FA protects accounts even if your password fails. Without the special temporary tokens, even successful brute-force attacks won’t compromise accounts.
  7. Stay aware of data breaches. Even the strongest passwords can leak. More disturbingly, passwords typically leak with other login details, like usernames and email addresses. Thus, keep tabs on how secure your accounts are. For instance, Atlas VPN has an incredibly user-friendly solution to this problem. Our Data Breach Monitor can monitor multiple email addresses and report if they get breached. Thus, you can change your passwords to resolve these risks quickly.
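A password of the djsfh65$7fmbs##dD184F kind is exactly what a password manager generates for you; the added example below, written for this article and not taken from any password manager or from Atlas VPN, shows the two details that matter when doing it yourself: draw characters from the operating system's cryptographic random source (`secrets`, never `random`) and reject any candidate that lacks one of the four character classes rather than forcing classes into fixed positions. The length of 21 and the alphabet are assumptions.

```python
import math
import secrets
import string

# Alphabet covering the four classes the article recommends combining:
# 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = (string.ascii_lowercase + string.ascii_uppercase
            + string.digits + string.punctuation)


def has_all_classes(pw):
    """True if pw contains a lowercase letter, an uppercase letter,
    a digit and a symbol."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length=21):
    """Draw each character with the OS CSPRNG and discard candidates that miss
    a class. Rejection sampling keeps every accepted password uniformly
    distributed among the ones that satisfy the rule, which placing a forced
    digit or symbol at a fixed position would not."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on guessing work for a uniformly random password."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

Each generated password is unique to the account it is created for, which covers the first recommendation in the list as well; the manager then stores it so that only the master password needs remembering.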
Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.

Tags: 2FA, dictionary attack, brute-force attacks

© 2023 Atlas VPN. All rights reserved.