Ask the Expert

How to determine password strength for a website

I would like to assess the strength of our user passwords for those logging into a specific website. Is there a tool which can allow me to do this? The site I'd like to monitor currently does not have internal strength-measurement parameters for the users when they create passwords. It also exists outside our firewall. I would like to attempt an evaluation of the password strength until the site can assist in that process.


I did a bit of research and I couldn't find a company that really provided a tool that did site password strength testing. While network penetration tools will test if a website is vulnerable to known attacks, they don't check password strength. There are some free individual password strength testers on the Internet, but the infosec pro in me wonders if they are legitimate strength testers or malware sites waiting for unsuspecting users to enter their passwords. As in most cases concerning security, the best enforcement of strong password generation is policy. By requiring passwords to meet minimum requirements and socializing the policy's rules to the general user population, password strength compliance will rise.

I find the following requirements useful. Passwords should:

  • not be based on an English word,
  • contain at least 3 lower-case letters,
  • contain at least 3 upper-case letters,
  • contain at least 2 decimal digits,
  • be at least 8 characters in length, and
  • be sufficiently random, meaning they are not common knowledge, such as a birth date, and do not follow a sequence of characters.

Of course, there are people who say that no password is strong enough, and there is some truth to this. Password authentication services are a weak solution without good on-boarding/off-boarding procedures, password retry rules, password expiration, and an understanding of the risks around sensitive information. And no matter how complicated a password is, it will never measure up to the security of multifactor authentication, which typically supplements a password with a second form of authentication like a smart card (something you have) or a thumbprint reader (something you are).


This was first published in October 2009
