

Got a new fan

Found a new link to YetanotherPasswordMeter on a French site. According to the poor man’s Google translation, he finds YAPM useful and accurate. Only the quality of the comments could be better. Seems that most people do not notice the hover-over comments over all categories. Will see what I can do about that.

Posted in Links.

7 Responses


  1. Hi Rene,

    Your Password Meter is really well made, but it’s true that it is not easy to notice the hover-over functionality.

    You could add a red question mark at the end of the description…

  2. Rene said

    @Antenore: You are right. I have a few things in the pipe to improve the YAPW, so I will add this. Thanks.

  3. robert said

    I would say you’re severely underestimating the effect of password length.

    Some examples:
    Az12
    5%, max 24bits, only a few million passwords even possible.
    Az12Az12
    24%, this is the previous one doubled, but its score is only a little under the next.
    Az123456
    32%
    Fred1357
    59%, well, okay, but it’s a very keyboard layout password; “FRED” is worse than qwerty.
    a!1bS$5c
    100%, maximum of 52 bits
    staplehorsebatterycorrectpool
    4%, !!!, You’re saying this is worse than a 4 character password! The minimum I can reasonably assign to this is 55 bits and I would guess around 70 bits in reality.

  4. Rene said

    @robert: Thanks for your comment. Really appreciate it.

    The framework does not check for all possible stupid passwords. It just checks for common best practices, such as not only A-Za-z, also numbers and special chars., no repetition and so on. It does not even try to be perfect. Additionally 4% vs. 12% does not mean 12% is better, it means both are horrible, because >80% is our goal.

  5. robert said

    Except,
    1) You do check for repeated passwords as in your catecate example so it’s a surprise that a different repeat is seen as sort of good.

    2) A really long but memorable password is good practice, the staple… password really is better than any of the others including eight random characters.

    You see if you assume a really low price of 11 bits per English word that’s 55bits for a 5 word “passphrase” which is more than it’s even possible to get with an eight character ASCII password …
    log(95^8)/log(2) -> 52.55884486664758273384

    Of course this is far lower than a naive calculation would give you (136 bits) but it’s still better than 52 and it can be extended. That is, 8 to 10 words (40 to 50 characters at the average of 5 characters per word) is usually assumed to be enough to directly source a 128-bit key and it can still be memorable.

    I suppose what you’re in effect doing is assuming that your user is connecting to an ancient unix system that can only accept eight character passwords; all systems can do better nowadays but the assumption is baked into your measures.
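The entropy figures robert quotes (the 52.56-bit ceiling for eight printable ASCII characters, 55 bits for five words at 11 bits each, the naive 136 bits for the 29-letter passphrase) can be reproduced with a few lines of Python. The block below is an added illustration for this thread, not code from YAPM or from either commenter. It assumes robert's 11 bits per English word, a 95-symbol printable ASCII pool and the 32 symbols in Python's `string.punctuation`; the sample passwords are the ones from the comments above. It also shows a repeat-aware estimate that scores `Az12Az12` no higher than `Az12`, the case robert says a class-based meter gets wrong.

```python
import math
import string

# Assumption carried over from the comment above: about 11 bits per English word,
# i.e. a vocabulary of roughly 2**11 = 2048 words an attacker would try first.
BITS_PER_WORD_ASSUMED = 11.0
PRINTABLE_ASCII_POOL = 95  # 26 lower + 26 upper + 10 digits + 32 symbols + space


def charset_size(password: str) -> int:
    """Size of the union of the standard character classes the password uses.

    This is the naive model behind class-based meters: every character is
    assumed to be drawn uniformly and independently from that pool.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        pool += 1
    return pool


def naive_entropy_bits(password: str) -> float:
    """log2(pool ** length): the upper bound a class-based model reports."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def shortest_repeating_unit(password: str) -> str:
    """Return the shortest block whose repetition forms the whole password.

    'Az12Az12' -> 'Az12'; a string with no full-period repeat returns itself.
    """
    n = len(password)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and password[:period] * (n // period) == password:
            return password[:period]
    return password


def repeat_aware_entropy_bits(password: str) -> float:
    """Entropy of the repeating unit only: doubling a password adds no secrecy."""
    return naive_entropy_bits(shortest_repeating_unit(password))


def passphrase_entropy_bits(word_count: int,
                            bits_per_word: float = BITS_PER_WORD_ASSUMED) -> float:
    """Entropy when the attacker guesses whole words from a list, not characters."""
    return word_count * bits_per_word


def max_entropy_bits(length: int, pool: int = PRINTABLE_ASCII_POOL) -> float:
    """Best case for a fixed-length password over a given pool (log(95^8)/log(2))."""
    return length * math.log2(pool)


if __name__ == "__main__":
    # Sample passwords taken from the discussion above.
    samples = ["Az12", "Az12Az12", "Az123456", "Fred1357", "a!1bS$5c"]
    print(f"{'password':32} {'naive':>7} {'repeat-aware':>13}")
    for pw in samples:
        print(f"{pw:32} {naive_entropy_bits(pw):7.1f} "
              f"{repeat_aware_entropy_bits(pw):13.1f}")
    phrase = "staplehorsebatterycorrectpool"
    print(f"{phrase:32} {naive_entropy_bits(phrase):7.1f}  "
          "(29 lowercase letters: the naive 136 bits)")
    print(f"5 words x {BITS_PER_WORD_ASSUMED:.0f} bits/word = "
          f"{passphrase_entropy_bits(5):.1f} bits")
    print(f"8 printable ASCII characters = {max_entropy_bits(8):.2f} bits")
```

The point the numbers make is the one in the thread: a class-based estimate rewards an eight-character mix of classes with at most 52.6 bits, while a five-word phrase from a 2048-word list already reaches 55 bits under the most pessimistic word-guessing model, and the 136-bit naive figure for the same phrase shows why a meter that only counts character classes cannot tell the two models apart.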

  6. Rene said

    The assumption about 8 characters is baked into the calculation, because I still know plenty of online systems from banks and smaller retailers that cannot deal with long passwords.

    The goal of the exercise is also to get user behaviour changed. Because the character variance is enforced, users cannot get far with regular phrases and hence this avoids dictionary attacks. I could not implement a dictionary, so this is the trick.

    Feel free to take the code and improve it. I am open to suggestions.
