Se artikeln för detaljerad information om introduction

Se artikeln för detaljerad information om password entropy

Password Strength - What Makes a Password Secure?

Q: What is Password Strength?

Se artikeln för detaljerad information om what is password strength?

Q: Common Password Attacks

Se artikeln för detaljerad information om common password attacks

Q: Password Requirements

Se artikeln för detaljerad information om password requirements

Introduction

Creating secure passwords is the first line of defense against unauthorized access. But what actually makes a password strong? This guide explains password security, entropy, common attacks, and best practices.

What is Password Strength?

Password strength measures how resistant a password is to being cracked through various attack methods. It’s determined by:

Length: Longer = stronger
Complexity: Variety of character types
Unpredictability: Not based on dictionary words or patterns
Uniqueness: Not reused across accounts

Common Password Attacks

1. Brute Force

Try every possible combination:

aaaa
aaab
aaac
...
zzzz

Time to crack 4 lowercase letters: Seconds Time to crack 12 mixed chars: Thousands of years

2. Dictionary Attack

Try common passwords from lists:

password
123456
qwerty
letmein

80% of passwords are from top 10,000 common passwords!

Using personal information:

Pet names
Birth dates
Family names
Favorite sports teams

4. Rainbow Tables

Pre-computed hash tables for common passwords. Defeated by:

Salt (unique per password)
Slow hash functions (bcrypt, Argon2)

Password Entropy

Entropy measures password randomness in bits:

Calculating Entropy

Entropy = log2(character_set_size ^ password_length)

Examples:

Password	Charset Size	Length	Entropy (bits)	Crack Time
`password`	26 (lowercase)	8	37.6	Instant
`P@ssw0rd`	94 (all ASCII)	8	52.3	Hours
`MyDog123!`	94	10	65.5	Years
`xK9#mP2$vL7@`	94	12	78.6	Millennia

Minimum Entropy Recommendations

Low security: 40-50 bits
Medium security: 50-60 bits
High security: 60-80 bits
Critical systems: 80+ bits

Password Requirements

Traditional Approach (NIST 2003)

❌ Outdated rules:

Minimum 8 characters
Must include uppercase, lowercase, number, special char
Must change every 90 days
Cannot reuse last 5 passwords

Problems:

Forces predictable patterns (Password1!, Password2!)
Users write down passwords
Frequent changes = weaker passwords over time

Modern Approach (NIST 2017)

✅ Current best practices:

Minimum length: 8-12 characters
- Longer is better (14+ recommended)
- No maximum length limits
No complexity requirements
- Allow spaces and special chars
- Encourage passphrases instead
No forced expiration
- Only change if compromised
- Change immediately after breach
Check against common passwords
- Block top 10,000 common passwords
- Check against known breach databases

Strong Password Strategies

1. Passphrases

Instead of: P@ssw0rd123!

Use: correct-horse-battery-staple

4 random words = ~44 bits entropy
Easy to remember
Hard to crack
Type-friendly

Generation:

Word list: 7,776 common words
4 words: log2(7776^4) = ~52 bits
Crack time: Years to centuries

2. Diceware Method

Roll dice 5 times
Look up word in Diceware list
Repeat 4-6 times
Join with separators

Example:

Roll: 1,2,3,4,5 → word: "abacus"
Roll: 6,1,2,3,4 → word: "zebra"
Roll: 4,5,6,1,2 → word: "syntax"
Roll: 2,3,4,5,6 → word: "turtle"

Password: abacus-zebra-syntax-turtle

3. Modified Passphrases

Add numbers/symbols to passphrases:

correct-horse-battery-staple → correct-horse-8-battery-staple!

Increases entropy without sacrificing memorability.

4. Random Generated

Use password generators:

16+ random characters
Mix of all character types
Store in password manager

Example: xK9#mP2$vL7@qR4!

Password Policy Best Practices

✅ Do This

1. Minimum length: 12-14 characters

if (password.length < 12) {
  throw new Error("Password must be at least 12 characters");
}

2. Check against common passwords

const commonPasswords = ['password', '123456', 'qwerty', ...];
if (commonPasswords.includes(password.toLowerCase())) {
  throw new Error('Password is too common');
}

3. Check against breach databases

// Use Have I Been Pwned API
const hash = sha1(password).substring(0, 5);
const response = await fetch(`https://api.pwnedpasswords.com/range/${hash}`);
// Check if full hash exists

4. Allow all characters

Spaces, unicode, emoji
No artificial restrictions

5. Provide strength meter

function calculateStrength(password) {
  let score = 0;

  // Length
  if (password.length >= 12) score += 2;
  else if (password.length >= 8) score += 1;

  // Character variety
  if (/[a-z]/.test(password)) score += 1;
  if (/[A-Z]/.test(password)) score += 1;
  if (/[0-9]/.test(password)) score += 1;
  if (/[^a-zA-Z0-9]/.test(password)) score += 1;

  // Patterns
  if (!/(.)\1{2,}/.test(password)) score += 1; // No repeated chars
  if (!/123|abc|qwe/i.test(password)) score += 1; // No sequences

  return score; // 0-7
}

❌ Don’t Do This

1. Require special characters (forces patterns) 2. Force password changes (unless compromised) 3. Restrict maximum length (encourage longer!) 4. Prevent password managers (they help security) 5. Display requirements upfront (helps attackers)

Password Strength Indicators

Weak Passwords

❌ password ❌ 12345678 ❌ qwerty123 ❌ admin123 ❌ welcome123

Characteristics:

Common dictionary words
Simple patterns
Personal information
Short length (< 8 chars)

Medium Passwords

⚠️ Password123 ⚠️ MyDog2024 ⚠️ Summer2024!

Characteristics:

Dictionary words with numbers
Predictable patterns
Personal info + numbers
8-12 characters

Strong Passwords

✅ correct-horse-battery-staple ✅ xK9#mP2$vL7@qR4! ✅ sunset-coffee-mountain-42! ✅ Tr0ub4dor&3

Characteristics:

Long (12+ characters)
Random or unpredictable
Mix of character types
No personal information

Common Password Mistakes

1. Password Reuse

Problem: Same password everywhere

Bank: MyDog123
Email: MyDog123
Social: MyDog123

Solution: Unique password per account

Bank: xK9#mP2$vL7@
Email: correct-horse-battery
Social: sunset-coffee-mountain

2. Predictable Patterns

Problem: Easy-to-guess variations

Password1!
Password2!
Password3!

Solution: Truly random or passphrases

3. Personal Information

Problem: Easy to discover

Fluffy2024 (pet name)
Stockholm2024 (city)
Birthday12! (birth date)

Solution: Avoid anything discoverable online

4. Simple Substitutions

Problem: Hackers know these patterns

P@ssw0rd (a→@, o→0)
L0v3MyD0g (o→0, e→3)

Solution: Random or passphrases

Password Managers

Why Use Password Managers?

✅ Generate strong random passwords ✅ Store passwords encrypted ✅ Auto-fill forms ✅ Sync across devices ✅ Check for breaches

Popular Options

Bitwarden: Open source, free tier
1Password: Great UX, paid
LastPass: Popular, freemium
KeePass: Local-only, open source

Using Password Managers

Master Password:

Use strongest passphrase
Never reuse
Remember it (can’t reset!)
Enable 2FA

Generated Passwords:

20+ characters
All character types
Unique per account

Implementation Examples

Password Validation

function validatePassword(password) {
  const errors = [];

  // Length
  if (password.length < 12) {
    errors.push("Password must be at least 12 characters");
  }

  // Common passwords
  const common = ["password", "123456", "qwerty"];
  if (common.includes(password.toLowerCase())) {
    errors.push("Password is too common");
  }

  // Patterns
  if (/(.)\1{3,}/.test(password)) {
    errors.push("Password contains too many repeated characters");
  }

  if (/12345|abcde|qwert/i.test(password)) {
    errors.push("Password contains common sequences");
  }

  // Personal info (basic check)
  // In production, check against user profile

  return {
    valid: errors.length === 0,
    errors,
  };
}

Password Strength Meter

function getStrength(password) {
  let score = 0;

  // Length bonus
  score += Math.min(password.length / 4, 4);

  // Character variety
  if (/[a-z]/.test(password)) score += 1;
  if (/[A-Z]/.test(password)) score += 1;
  if (/[0-9]/.test(password)) score += 1;
  if (/[^a-zA-Z0-9]/.test(password)) score += 1;

  // Penalties
  if (/(.)\1{2,}/.test(password)) score -= 1;
  if (/123|abc|qwe/i.test(password)) score -= 1;

  // Normalize to 0-100
  const normalized = Math.min(Math.max(score * 10, 0), 100);

  if (normalized < 40) return "weak";
  if (normalized < 70) return "medium";
  if (normalized < 90) return "strong";
  return "very-strong";
}

Testing Your Passwords

Use our tools:

Password Strength Checker - Test password security
Random String Generator - Generate secure passwords

Conclusion

Strong passwords are essential for security:

Key principles:

Length matters most: 12+ characters minimum
Randomness: Use generators or passphrases
Uniqueness: One password per account
Password managers: Essential for modern security

Avoid:

Dictionary words
Personal information
Predictable patterns
Password reuse

Next Steps

Test passwords with Password Strength Checker
Generate secure passwords with Random String Generator
Learn about Bcrypt Hashing

Introduction

What is Password Strength?

Common Password Attacks

1. Brute Force

2. Dictionary Attack

3. Social Engineering

4. Rainbow Tables

Password Entropy

Calculating Entropy

Minimum Entropy Recommendations

Password Requirements

Traditional Approach (NIST 2003)

Modern Approach (NIST 2017)

Strong Password Strategies

1. Passphrases

2. Diceware Method

3. Modified Passphrases

4. Random Generated

Password Policy Best Practices

✅ Do This

❌ Don’t Do This

Password Strength Indicators

Weak Passwords

Medium Passwords

Strong Passwords

Common Password Mistakes

1. Password Reuse

2. Predictable Patterns

3. Personal Information

4. Simple Substitutions

Password Managers

Why Use Password Managers?

Popular Options

Using Password Managers

Implementation Examples

Password Validation

Password Strength Meter

Testing Your Passwords

Conclusion

Next Steps