

A new version arrived – v1.1.0 is here

Long time, no see! The password meter was humming along and I did not find the time to do anything with or for it. It did what it should, apart from some minor flaws.

One of the problems was the rating of long passwords: the longer the password got, the fewer points it received, because the redundancy penalty was applied regardless of length. I fixed that, and there is more.

Minimum length increased

The minimum length was increased to 6 characters; five was too short. As a result the whole scale shifted, and a password you checked before may now get a different score.

Redundancy Change

Redundancy is now only taken into account when the password is at or below the recommended length (currently 8 characters). Its influence on longer passwords has been removed, so 11111kq!_()*/& now scores about 42% and 11111kq!_()*/&1111111111111 scores 47%, where before they scored 92% and 59%. This leads directly to the next improvement.

I also adjusted the redundancy factor slightly.

Significance

Some legacy systems and some badly behaved software accept quite long passwords but in the end only use the first few characters. I changed the algorithm to reflect that. The new value is called significance: the first part of the password, up to the recommended length (currently 8 characters), is the most significant.

This first part of the password is analyzed separately and has the largest influence on the score. See the following examples and note how a bad first part drags down the rating. This is of course a somewhat artificial assumption, but it errs on the safe side.

  • 11111111 – 0%, obviously garbage
  • aA-.85fG! – 100%, pretty nice, isn’t it?
  • aA-.85fG!11111111 – 100%, still nice of course
  • 11111111aA-.85fG! – 23%, still a password with some meaning, but because the first part scores zero, the overall rating does not come out that high
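The following is an added illustration of the two v1.1.0 mechanisms described above, the length-limited redundancy penalty and the significance split. It is not the code of Yet Another Password Meter; the character-class alphabet sizes, the 52-bit target, the 8:2 weighting and all function names are assumptions chosen to make both mechanisms visible, so the percentages it prints differ from the meter's own.

```javascript
// Added example, not the meter's code. Alphabet sizes, the 52-bit target,
// the 8:2 weighting and the function names below are assumptions.

const MIN_LENGTH = 6;          // v1.1.0: minimum length raised to 6
const RECOMMENDED_LENGTH = 8;  // v1.1.0: recommended (most significant) length

// Approximate alphabet size per character class (assumption: 95 printable ASCII).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 },
];

// Brute-force search space in bits: length * log2(total size of the classes used).
function entropyBits(pw) {
  const alphabet = CLASSES.filter(c => c.re.test(pw))
                          .reduce((n, c) => n + c.size, 0);
  return alphabet === 0 ? 0 : pw.length * Math.log2(alphabet);
}

// Redundancy: fraction of characters (after the first) that repeat one already
// seen. 0 = all distinct, 1 = a single character repeated throughout.
function redundancy(pw) {
  if (pw.length < 2) return 0;
  return (pw.length - new Set(pw).size) / (pw.length - 1);
}

// Score one string 0..100. The redundancy penalty applies only at or below
// RECOMMENDED_LENGTH (the v1.1.0 change). Pass penalizeLongRedundancy=true to
// reproduce the pre-1.1.0 behaviour, where longer passwords lost points.
function scorePart(pw, penalizeLongRedundancy = false) {
  if (pw.length < MIN_LENGTH) return 0;
  const TARGET_BITS = 52; // roughly 8 characters drawn from all four classes
  let score = Math.min(1, entropyBits(pw) / TARGET_BITS);
  if (penalizeLongRedundancy || pw.length <= RECOMMENDED_LENGTH) {
    score *= 1 - redundancy(pw);
  }
  return Math.round(score * 100);
}

// Significance: the first RECOMMENDED_LENGTH characters are scored on their own
// and weighted 8:2 against the whole password, because a legacy system that
// truncates will only ever see that prefix. splitPassword=false disables it.
function significantScore(pw, splitPassword = true) {
  const full = scorePart(pw);
  if (!splitPassword || pw.length <= RECOMMENDED_LENGTH) return full;
  const head = scorePart(pw.slice(0, RECOMMENDED_LENGTH));
  return Math.round((8 * head + 2 * full) / 10);
}

// Constructed sample inputs: the post's examples plus a long/short redundancy pair.
const SAMPLES = {
  garbage: "11111111",
  good: "aA-.85fG!",
  goodThenGarbage: "aA-.85fG!11111111",
  garbageThenGood: "11111111aA-.85fG!",
  shortRedundant: "11111kq!_()*/&",
  longRedundant: "11111kq!_()*/&" + "1".repeat(13),
};

for (const [name, pw] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), `${significantScore(pw)}%`,
              `(pre-1.1.0 redundancy rule: ${scorePart(pw, true)}%)`);
}
```

Run it with `node` and compare the two columns for `shortRedundant` and `longRedundant`: under the old rule the 27-character string scores lower than the 14-character one it extends, which is the complaint the Redundancy Change fixes, while `garbageThenGood` shows how a zero-scoring prefix caps the significance score even though the full string alone would score 100.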

More colors

The complexity indicator now has a color code to make changes more obvious, and as a tribute to the people who do not want to read ;)

Bottom line

I am looking forward to your comments and suggestions. Feel free to use the tool often and extensively. Do not forget to tell friends about it. Educate them about good password usage.

If you find any strange things, let me know. If you find the tool too strict, let me know as well, and please include your arguments.

“May the best password win!”

Posted in Updates.

9 Responses


  1. mischachiaro said

    I think the password meter isn’t working, or otherwise doesn’t give a trustworthy result.

    For the password NI3CE>leroy>Salam it gives a score of 100%, “Very Strong”.

    For the password -3XDR45, fse/n.ur) N`OO*;:+Mat9v it gives a score of 77%, “Strong”.

    How does that proceed?

  2. Rene said

    Good catch. Basically the idea behind the new significance feature was a distinction between passwords with better data in the beginning of the password than later in it, aka the first 8 characters matter most. The reason is that some older systems only value the first x characters and ignore the rest.

    If you try only the first 8 characters of your examples, you will get 59% for “-3XDR45,” and 100% for “NI3CE>le”. These numbers influence the password quality way higher than the rest of the characters.

    What do you think? Does this answer your question?

  3. mischachiaro said

    Another peculiarity. The password "QmJ/6LTxt:Yrg'-1111111111" has the same scores as "QmJ/6LTxt:Yrg'-1WK.IJuoDb". The only thing that changes in the stats is redundancy, which doesn't affect the scores.

    I think your password meter is optimized for 8 character strings. I’d like to see it manage long passwords better. For 8 character passwords it’s fine.

  4. Rene said

    @mischachiaro: Well, I tried to make it as realistic as possible. Long passwords are unusual and a normal human will neither use nor manage them.

    Why are these long passwords important, and why does it make a difference how much redundancy they have? The first part is already good enough to be hard to break.

    If you are fluent in JavaScript, you can take the code (it's free) and improve it. I would really value your contribution. An option to set the desired optimal length, for instance, would be a good feature.

    Thanks.

  5. mischachiaro said

    I don't know how to code. I encrypt all my drives with TrueCrypt. That's why I was trying long passwords. Those people I know who use full computer encryption (with TrueCrypt or otherwise; some Linux distros have it as a native option) use 20+ character passwords as well. It's standard behaviour for heavy encryption, since the password in that case is the weakest link.

    Web services have exploitable vulnerabilities beyond the user's reach. People normally aren't afraid of having the data on their computers compromised, so they don't use encryption. That's why passwords of more than 8 to 12 characters offer little to no benefit in those cases: the system itself is less secure than the security a long password could offer.

  6. Rene said

    @mischachiaro: I fully agree that you need longer passwords for strong encryption. I designed my web site to give a normal user some help in protecting themselves a little better. You are an expert already.

  7. Amiel said

    Rene, thank you for yetanotherpasswordmeter. This is very helpful.

    I'm not sure if I understand the "significance" feature. I guess I feel that aA-.85fG!11111111 and 11111111aA-.85fG! are equally strong.

    Anyway, I appreciate that you’ve included the option to turn the feature off with the “splitPassword” argument. However, the way that it is written, it is impossible to turn off.

    The following change will fix the issue:

    - if (!splitPassword)
    - {
    - splitPassword = true;
    - }
    -
    + if (typeof splitPassword === “undefined”)
    + {
    + splitPassword = true;
    + }
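    Review bot: the `+` lines show typographic quotes around “undefined”; pasted as rendered that is a syntax error in JavaScript, so the actual file must use straight ASCII quotes, `typeof splitPassword === "undefined"`. The substitution itself is correct for the problem described: `if (!splitPassword) splitPassword = true;` cannot tell an explicit `false` from an omitted argument, because `!false` is `true` and the flag is forced back on, whereas the `typeof` check only fills in the default when the caller passed nothing. One edge worth a line in the parameter documentation: with the new check an explicit `null` is no longer replaced and is treated as falsy, i.e. significance off, which is probably the intent but differs from the old behaviour.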

  8. Rene said

    @Amiel: Thanks for the input. The idea of the significance is, that there are still legacy systems that only care about the first 8 characters. So if the beginning of the password is too simple, it does not help to make it stronger later because the target system does not care.

    I will take a look at your code soon and see if I can incorporate it.

    Thanks again.

Continuing the Discussion

  1. Tweets that mention A new version arrived – v1.1.0 is here – Yet Another Password Meter -- Topsy.com linked to this post on 2010-05-17

    [...] This post was mentioned on Twitter by Rene S.. Rene S. said: I have given my password meter project a bit of a push – http://bit.ly/9lWi87 [...]
