Long time, no see! Well, the password meter was humming along and I did not find the time to do anything with or for it. It did what it should, apart from some minor flaws.
One of the problems was the rating of long passwords: the longer the password got, the fewer points it got. The reason was the redundancy penalty, which was applied regardless of length. Well, I fixed that… and wait, there is more…
Minimum length increased
The minimum length was increased to 6 characters; five was too short. As a result the scoring changed, and a password you tested earlier may now get a different result.
Redundancy Change
Redundancy only matters when the password is equal to or shorter than the recommended length (currently 8 characters). Its influence on longer passwords has been removed, so 11111kq!_()*/& now scores about 42% and 11111kq!_()*/&1111111111111 scores 47%; before the change they scored 92% and 59%. This leads directly to the next improvement.
I also adjusted the redundancy factor slightly.
Significance
Some legacy systems and some badly written software accept quite long passwords but in the end only use the first few characters. The algorithm was changed to reflect that. The new value is called significance: the first part of the password, up to the recommended length (currently 8 characters), is the most significant.
This first part of the password is analyzed separately and has the largest influence on the score. See the following examples and note how a bad first part drags down the rating. This is of course a somewhat artificial assumption, but it pushes the rating in the safer direction.
- 11111111 – 0%, obviously a garbage password
- aA-.85fG! – 100%, pretty nice, isn’t it?
- aA-.85fG!11111111 – 100%, still nice of course
- 11111111aA-.85fG! – 23%, still a password with some meaning, but because the first part has a zero score, the overall rating does not come out that high
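To make the three rules above concrete (minimum length, redundancy counted only up to the recommended length, and the significance of the first 8 characters), here is a small scorer written for this post as an added example. It is not the meter's own code: the 75% significance weight, the 48-bit target, the pool sizes and the entropy estimate are my assumptions, so its percentages do not reproduce the numbers listed above, only the same ordering.

```javascript
// Added example, not the password meter's own code. Constants marked
// "stated in the post" come from the text; the others are assumptions.
const MIN_LENGTH = 6;             // stated in the post
const RECOMMENDED_LENGTH = 8;     // stated in the post
const SIGNIFICANCE_WEIGHT = 0.75; // assumption: weight of the first part
const TARGET_BITS = 48;           // assumption: entropy estimate that earns 100%

// Size of the character pool implied by the character classes present in s.
function poolSize(s) {
  let pool = 0;
  if (/[a-z]/.test(s)) pool += 26;
  if (/[A-Z]/.test(s)) pool += 26;
  if (/[0-9]/.test(s)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(s)) pool += 33; // assumption: printable ASCII symbols
  return pool;
}

// Redundancy factor in [0, 1]: 1 means every character is distinct,
// 0 means a single character repeated throughout (e.g. "11111111").
function redundancyFactor(s) {
  if (s.length < 2) return 1;
  return (new Set(s).size - 1) / (s.length - 1);
}

// Raw score in [0, 1]: crude entropy estimate (log2(pool) per character)
// scaled against the target, optionally penalised for redundancy.
function rawScore(s, applyRedundancy) {
  if (s.length === 0) return 0;
  let bits = Math.log2(poolSize(s)) * s.length;
  if (applyRedundancy) bits *= redundancyFactor(s);
  return Math.min(1, bits / TARGET_BITS);
}

// Combined rating as a percentage.
function passwordScore(pw) {
  if (pw.length < MIN_LENGTH) return 0; // assumption: below minimum scores 0
  const head = pw.slice(0, RECOMMENDED_LENGTH);
  // Significance: the first part is rated on its own, redundancy always applied,
  // because it is at most the recommended length.
  const headScore = rawScore(head, true);
  // Redundancy only counts when the whole password is within the recommended length.
  const fullScore = rawScore(pw, pw.length <= RECOMMENDED_LENGTH);
  const combined = SIGNIFICANCE_WEIGHT * headScore + (1 - SIGNIFICANCE_WEIGHT) * fullScore;
  return Math.round(combined * 100);
}

// Constructed sample inputs mirroring the list in the post.
const samples = ["11111111", "aA-.85fG!", "aA-.85fG!11111111", "11111111aA-.85fG!"];
for (const pw of samples) console.log(pw, passwordScore(pw) + "%");
```

Run it with node and you get 0%, 100%, 100% and a low score for the last one, the same ordering as the list above. Because the redundancy penalty is switched off beyond the recommended length, two long passwords that share their first 8 characters and differ only in how repetitive the tail is end up with the same rating; that is the direct consequence of weighting the first part most.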
More colors
The complexity indicator now has a color code to make changes more obvious, as my tribute to the people who do not want to read.
Bottom line
I am looking forward to your comments and suggestions. Feel free to use the tool often and extensively. Do not forget to tell friends about it. Educate them about good password usage.
If you find anything strange, let me know. If you find the tool too strict, let me know, and please include your arguments.
“May the best password win!”
7 Responses
I think the password meter isn’t working, or otherwise doesn’t give a trustworthy result.
For the password NI3CE>leroy>Salam it gives a score of 100%, “Very Strong”.
For the password -3XDR45, fse/n.ur) N`OO*;:+Mat9v it gives a score of 77%, “Strong”.
How does that proceed?
Good catch. Basically the idea behind the new significance feature was a distinction between passwords with better data in the beginning of the password than later in it, aka the first 8 characters matter most. The reason is that some older systems only value the first x characters and ignore the rest.
If you try only the first 8 characters of your examples, you will get 59% for “-3XDR45,” and 100% for “NI3CE>le”. These numbers influence the password quality way higher than the rest of the characters.
What do you think? Does this answer your question?
Another peculiarity. The password ” QmJ/6LTxt:Yrg’-1111111111 ” has the same scores as ” QmJ/6LTxt:Yrg’-1WK.IJuoDb “. The only thing that changes in the stats is redundancy, which doesn’t affect the scores.
I think your password meter is optimized for 8 character strings. I’d like to see it manage long passwords better. For 8 character passwords it’s fine.
@mischachiaro: Well, I tried to make it as real as possible. Long passwords are unusual and a normal human will neither use nor manage them.
Why are these long passwords important, and why does it make a difference how much redundancy it has? The first part is already good enough to be hard to break.
If you are fit in JavaScript, you can take the code (it’s free) and improve it. I would really value your contribution. An option to determine the desired optimal length for instance would be a good feature.
Thanks.
I don’t know how to code. I encrypt all my drives with TrueCrypt. That’s why I was trying long passwords. Those people I know who use full computer encryption (with TrueCrypt or otherwise; some Linux distros have it as a native option) use 20+ character passwords as well. It’s standard behaviour for heavy encryption, since the password in that case is the weakest link.
Web services have exploitable vulnerabilities beyond the user’s reach. People normally aren’t afraid of having the data from their computers compromised, so they don’t use encryption. That’s why passwords of more than 8 to 12 characters offer little to no benefit in those cases; the system itself is less secure than the security a long password could offer.
@mischachiaro: I fully agree that you need longer passwords for strong encryption. I designed my web site to give a normal user some help in protecting himself a little better. You are an expert already.