Recently I read a very interesting article from Troy Hunt about "The science of password selection". While his excellent analysis is focused on web application users and their selection of passwords, I was trying to think about how we can quantify password strength from the application's point of view.

So I ran a short analysis on some passwords that were leaked in recent incidents. In the first step I tested password strength by checking four attributes of each password. To score the strength of each password, I tested the following attributes:

  • Does it contain digits?
  • Does it contain an upper case English letter?
  • Does it contain a lower case English letter?
  • Does it contain one of the following special characters: !@#$%^&*()_+-={}[]\|;':",./<>?~`

Each password scored a point for every one of these attributes that it contained, so that each password scored between 1 and 4 (4 being the strongest).

Analysis highlights:

  • The total average score for all passwords was: 1.58.
  • More than 95% of passwords use 2 or less attributes.

Distribution of passwords per score:


Note: All of these passwords were constrained to a length of at least 6 characters, so length was not one of the attributes in this test.

In the second step I analyzed the distribution of password length. As mentioned above, the passwords were constrained to be at least 6 characters long. We can see that 73% of the passwords are between 6 and 8 characters long (and 95% are between 6 and 10 characters long).

Distribution of passwords length:

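The two steps above (scoring each password on the four attributes, then bucketing by length) are simple to reproduce. The script below is an added example, not part of the original post, and it runs on a small constructed list of passwords rather than the leaked samples the post analysed; the length buckets (6-8, 9-10, 11+) mirror the ranges quoted in the text.

```python
from collections import Counter
from statistics import mean

# Constructed sample for illustration only; not taken from any leaked data set.
SAMPLE_PASSWORDS = [
    "password", "123456", "qwerty12", "Summer2011", "iloveyou",
    "Tr0ub4dor&3", "abc123", "letmein!", "football", "P@ssw0rd",
    "monkey12", "dragon", "Welcome1", "zxcvbnm", "1q2w3e4r5t",
]

# The special-character set listed in the post (backslash and quote escaped for Python).
SPECIALS = set("!@#$%^&*()_+-={}[]\\|;':\",./<>?~`")


def score(pw: str) -> int:
    """One point per attribute present: digit, upper, lower, special (0..4).

    The post reports 1..4 because every sample had at least one class;
    a password made only of spaces or non-ASCII letters would score 0 here.
    """
    checks = (
        any("0" <= c <= "9" for c in pw),
        any("A" <= c <= "Z" for c in pw),
        any("a" <= c <= "z" for c in pw),
        any(c in SPECIALS for c in pw),
    )
    return sum(checks)


def length_bucket(pw: str) -> str:
    """Length ranges used in the post's second step (minimum length is 6)."""
    n = len(pw)
    if n <= 8:
        return "6-8"
    if n <= 10:
        return "9-10"
    return "11+"


def analyse(passwords):
    """Return the headline figures the post reports for a password list."""
    scores = [score(p) for p in passwords]
    n = len(passwords)
    return {
        "average_score": round(mean(scores), 2),
        "score_distribution": dict(sorted(Counter(scores).items())),
        "pct_two_or_fewer": round(100 * sum(s <= 2 for s in scores) / n, 1),
        "length_distribution": dict(Counter(length_bucket(p) for p in passwords)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Feeding a real password dump through analyse() (one password per line) gives the same four figures the post reports for its 40,000 samples.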

As you can see, most of the passwords contain 2 or fewer of the attributes above and are between 6 and 8 characters long. This data reflects password strength and, as a result, the time it would take to brute force the average password. Combining these results with the analysis done by Troy Hunt emphasizes the need for better control over an application's password mechanism.

The enforcement of these and other attributes is in the hands of the application administrator and should be taken under consideration when applying a security policy for the application.

It is, of course, recommended to use security devices that are able to enforce an advanced access policy for the organization's networks and applications, and that are able to prevent brute force attacks.

Note: The results are based on around 40,000 password samples. While I believe they represent a normal model, they may not be 100% accurate.