This web site uses cookies. By using the site you accept the cookie policy.This message is for compliance with the UK ICO law.

.NET 1.1+

Checking Password Strength

Many computer systems require that a password is provided before permitting access to sensitive data. As some passwords are easy to crack using brute force techniques, it is common to give the user feedback to show the strength of their selected password.

Password Strength

Software users, particularly those that use web-based solutions, are increasingly required to create and remember passwords that secure their personal information. Unfortunately, there are many people who would try to obtain their passwords so that they can access this data. One way to obtain a password is using a brute force approach, using a computer to try a series of passwords until the correct one is found.

The quality of the password entered by the user has a great effect on the possibility that it will be compromised by brute force. Some passwords are very poor and should never be used, such as those that are real words or phrases, which may easily be guessed. Others can be described as weak or strong according to the length of the password and the type of characters that it contains. For example, if your software allows passwords that are four characters in length and only allow the 26 English letters, the maximum number of possible passwords is approximately 450,000. This is a small number for a modern computer to try.

We can increase the number of possible passwords by allowing additional characters. If we stick with a four character password but allow a combination of upper and lower case English letters, the possible combinations increases from 450,000 to around 7.3 million. Adding numeric digits, symbols and spaces to increase the character set to 100 characters allows one hundred million possible passwords with just four characters.

Another way to increase the number of possible combinations is to increase the length of the password. With the one hundred characters provided by letters, digits and symbols, extending the password to ten characters gives 100,000,000,000,000,000,000 combinations. A number this high makes a successful brute force attack much more unlikely.

Strength Rules

In this article we will create a class that allows the strength of a password to be checked. The class will score passwords with a value between zero and one hundred, with zero indicating a very weak password. The rules that will be applied to calculate the score are based upon the length of the password entered and the types of character used, as follows:

  • Six points will be awarded for every character in the password, to a maximum of sixty points.
  • Five points will be awarded if the password includes one lower case letter. Ten points will be awarded if more than one lower case letter is present.
  • Five points will be awarded if the password includes one upper case letter. Ten points will be awarded if more than one upper case letter is present.
  • Five points will be awarded if the password includes one numeric digit. Ten points will be awarded if more than one numeric digit is present.
  • Five points will be awarded if the password includes any other character than a letter or digit. This includes symbols and white space. Ten points will be awarded if there are two or more such characters.

This set of rules is minimal but will give a reasonable password score. You could add further rules, such as detecting the presence of real words or repeated characters. Each of these would lower the score.

A numeric score is not ideal for novice users. To allow such users to understand the meaning of the value, we will create a method in the password checker that converts the score to a more readable value, based upon a set of ranges. The ranges are:

0 - 49Unacceptable
50 - 59Weak
60 - 79OK
80 - 99Strong

Creating the Project

The example code that can be downloaded using the link at the start of the article uses a console application that contains the password strength checker class and some example code in the Main method. In a real project you would likely include the code in a class library that compiles to a DLL. To create the code that matches the downloadable solution, create a new console application named PasswordStrength. Add a class with the name PasswordStrengthChecker and alter the class' declaration to make it public.

19 September 2011