How is password strength calculated?

All we need is an easy explanation of the problem, so here it is.

A password, that contains:

  • at least one capital letter,
  • at least one small letter,
  • at least one number and
  • at least one non-alphanumeric character,

is considered moderate to strong (sometimes even very strong) on all systems, that I’ve been using so far… except WordPress, where it is considered very weak. What am I missing here?

If this is a very weak password, then what rules should it match to be considered strong or very strong, by a person, who created password strength meter in WordPress.org Network system?

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

The password strength meter in the latest versions of WordPress uses a library called “zxcvbn”, made by Dropbox in 2012.

The library is available for free on Github: https://github.com/dropbox/zxcvbn

An explanation of the library is here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

But the short version is that it analyzes patterns in the password instead of being a simple “does it have caps” and “does it have a symbol” method.

For example, a password of “Passw0rd123!” is not a good password by modern standards. It uses a dictionary word, it uses common leet-speak replacements, it starts with a capital letter, it ends in a symbol, and it includes a whole number which is a common pattern of sequential digits. It’s a human pattern, and modern password cracking systems are geared to specifically crack exactly that kind of password.

The zxcvbn library (“zxcvbn” is an example of a bad password) includes a list of common passwords, a common English dictionary, and many methods designed to recognize these patterns, as well as other patterns such as common keyboard patterns (Examples: “wasd” = connected letters, often used by gamers, while “951357” is the the shape of an X on a numeric keypad). These sorts of things are then all ranked and a score is formed.

Modern passwords have to be basically complete gibberish, or long phrases, not simple patterns. Anything less is usually insecure to modern password cracker programs.

Try what you think a “good” password is in the Javascript demo. It might prove enlightening:

https://lowe.github.io/tryzxcvbn/

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply