How do I measure the strength of a password?

天涯浪人 2020-12-03 00:31

I was looking for an effective algorithm that can give me an accurate idea of how strong a password is.

I found that several different websites use several different

6 answers
  •  广开言路
    2020-12-03 00:41

    As Daren Schwenke pointed out, you'd better work on the security yourself and not put this in the user's hands.

    But it's good to provide some hints to the user of how strong his password is, because the best way to get a password is still social engineering.

    So you can hack a little client-side script that checks the user's password strength as a courtesy indicator, in real time. It blocks nothing, but gives him a good warm feeling when it turns green :-)

    Basically what you must check is common sense: check if the password contains letters, numbers and non-alphabetical characters, in a reasonable quantity.

    You can hack your own algo very easily: just make a 10 / 10 mark:

    • 0 is a zero-length password;
    • +2 for every 8 characters in the password (15 is supposed to be a safe length);
    • +1 for the use of a letter, +2 for the use of 2 letters;
    • +1 for the use of a number, +2 for the use of 2 numbers;
    • +1 for the use of a non-alphabetical character, +2 for 2.

    You don't need to check for godlike passwords (are there capitalized letters, where the special characters are positioned, etc.), your users are not in the bank / military / secret service / Monty Python movies industry, are they?

    You can code that in an hour without crazy JavaScript skills.

    And anyway, validate the password and move all the security code to the server side. If you can delegate authentication (e.g. OpenID), even better.
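The 10-point scheme from the answer above, written out as an added example (not code from the original post). It assumes three things the post does not state: length points are capped at 4 so the total cannot exceed 10, "non-alphabetical" means neither a letter nor a digit, and the red/orange/green thresholds are arbitrary.

```javascript
// Added example: advisory scorer for the 10-point scheme described above.
// Assumptions (not from the post): length points are capped at 4 so the
// total stays within 10, "non-alphabetical" means neither letter nor digit,
// and the colour thresholds below are arbitrary.

function countMatching(chars, regex) {
  return chars.filter((c) => regex.test(c)).length;
}

// 0 of a class -> 0 points, exactly 1 -> 1 point, 2 or more -> 2 points.
function classPoints(count) {
  return Math.min(count, 2);
}

function scorePassword(password) {
  // Array.from splits by code point, so an emoji counts as one character.
  const chars = Array.from(password);
  if (chars.length === 0) return { score: 0, label: "empty" };

  const letters = countMatching(chars, /\p{L}/u);
  const digits = countMatching(chars, /\p{Nd}/u);
  const others = chars.length - letters - digits;

  // +2 for every full 8 characters, capped at 4 (reached at 16 characters).
  const lengthPoints = Math.min(Math.floor(chars.length / 8) * 2, 4);

  const score =
    lengthPoints + classPoints(letters) + classPoints(digits) + classPoints(others);
  const label = score >= 8 ? "green" : score >= 5 ? "orange" : "red";
  return { score, label };
}

// Constructed sample inputs, to show how the indicator moves.
for (const sample of ["", "abc", "abcdefg1", "aaaaaaaaaaaaaaaa", "correct horse 42 battery!"]) {
  const { score, label } = scorePassword(sample);
  console.log(JSON.stringify(sample), score + "/10", label);
}
```

Sixteen repeated letters still score 6/10 here, which shows why this can only be a courtesy indicator and why the server must validate the password itself.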
