Contents

Introduction

PassTest is a program that enables you to test the strength of a password. The passwords can vary in length from one character to sixty-four characters. The passwords can be generated from a character table consisting of the 94 printable characters of the ASCII character set.

The program user can choose the 52 upper and lowercase letters, 10 digits, and 32 printable symbols in any combination as needed. In addition, the user can create a custom symbol set as may be required. Describe your password alphabet, enter your password, then press the "Test" button. The relative strength and an indication of the password's relative strength and estimated bit entropy will be displayed.

Password Strength

The strength of a password, assuming that the characters chosen for the password are chosen mathematically randomly and unbiased, depends only on the number of characters available to be chosen and the number of characters in the password.

The theoretical strength of a password is estimated by it's bit entropy. The bit entropy of a password is directly related to the time it would take to guess it by guessing all possible combinations of all possible characters.

The bit entropy is a measure of how secure a given password is. A password's bit entropy is calculated by the following equation:

H = log₂(N^L) = L log₂(N)

where:

    H = bit entropy

    L = number of characters in password

    N = number of characters to choose from

This formula assumes each individual character in the password is selected randomly and unbiased. There are only two ways to increase a password's bit entropy --- increase L or increase N. When generating a password for a particular use, you should use the maximum characters you can for choosing from and use the longest password you are allowed. This will guarantee you are using the strongest password possible.

Relative Strength.PassTest calculates the estimated bit entropy using the formula listed above. It assigns a general strength category based on the calculated bit entropy. Bit entropy of less than 80 bits are placed by PassTest in the "WEAK" category. Bit entropy from 80 bits to 99 bits are labeled "MODERATE", 100 bits to 127 bits are labeled "STRONG", and, 128 bits and greater are labeled "VERY STRONG".

PassTest inserts the value of the calculated bit entropy in parentheses at the end of the strength indicator for the password. It can be an interesting and informative exercise to try different character sets and password lengths and see how bit entropy is affected.