Philosophy
Passwords are an integral part of online presence and security. But have you thought about how secure your password is? There’s a lot more to security than just a random string of letters and numbers. Instead, you need to consider the balance between being able to use your password effectively (memorizing it and having a unique password for each site), and its security. Without this balance, security measures are less effective.
This platform was built to create secure passwords that are not difficult to memorize. Inspired by an XKCD comic, we believe that passwords generated by this platform help maintain two important password health measures: changing passwords regularly and using a different password for each platform.
Password Attacks
It’s important to understand the ways your password can be compromised. There is a plethora of ways a hacker could obtain your password.
The majority of the time, the strength of your password is not the barrier the hacker has to get past. Instead, the password was obtained from somewhere else: a previous data breach, an untrusted public network, or a phishing attack the user fell for. In these cases, what matters is where you use your password and how you keep it.
Online guessing attacks, on the other hand, are effectively useless against a platform that throttles logins. Even if your password could be guessed in 100 attempts, the platform limits the number of authentication attempts, so a hacker cannot simply spam login requests over the internet until one succeeds. The other type is the offline attack. This occurs when a hacker gains access to the set of hashed passwords stored by the platform and runs cracking software against them to recover the original passwords. This is the main attack that having a ‘strong’ password helps defend against, and it is the standard scenario for measuring how long it takes to crack a password.
Password Strength
Entropy is a measure of how strong your password is. At the core of it, it is a measure of how many possibilities your password could take given some knowledge about how it was made, expressed in bits as the base-2 logarithm of that count. It bounds how many guesses a hacker needs to reach your password.
Generally, this is calculated by looking at the complete character set (letters, numbers, special characters) and counting every combination of that character set at the password’s length. For our platform, this would be the wrong way to calculate it. Following Kerckhoffs’s principle, we assume that the hacker knows everything about the system that generated the password: the dictionary, the number of words and the layout. Given this, we calculate password strength in a specific way.
We take the size of the dictionary from which the words in the password are drawn and the number of words used. If four words are used from a dictionary of 7,000, the number of possibilities is 7,000^4. There are some additional details when digits and special characters are added, but this is the core principle. We then map the entropy (in bits) onto a scale for the strength of the password:
- < 29 → weak
- 30-59 → moderate
- > 60 → strong
To calculate the time it would take a hacker to crack the password, we need to consider the number of hashes per second they can compute. Using the latest version of Hashcat on an RTX 3090, they can guess 1.1 MH/s, that is, 1.1 million password attempts per second (the exact rate depends heavily on which hash algorithm the platform used to store the password). Divide the number of possibilities by that rate to find how long exhausting the whole space would take; on average the password is found about halfway through.
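The calculation above, written out as an added example (not the platform’s own code): possibilities from dictionary size and word count under Kerckhoffs’s assumption, entropy in bits, the page’s weak/moderate/strong scale, and crack time at 1.1 MH/s. The treatment of appended digits and symbols as uniformly chosen extras, and rounding the scale’s 29-30 and 59-60 gaps up to the next category, are assumptions made here.

```python
import math

# Guess rate quoted on this page: Hashcat on an RTX 3090 at 1.1 MH/s.
HASHES_PER_SECOND = 1.1e6

def possibilities(dictionary_size, word_count, digit_count=0,
                  symbol_count=0, symbol_set_size=0):
    """Number of distinct passwords the generator could have produced.

    Following Kerckhoffs's principle the attacker is assumed to know the
    dictionary, the word count and the layout, so only the choices count.
    Appended digits/symbols are assumed (our assumption, not the page's
    rule) to be drawn uniformly from 10 digits / symbol_set_size symbols.
    """
    if dictionary_size < 1 or word_count < 1:
        raise ValueError("need a non-empty dictionary and at least one word")
    if symbol_count and symbol_set_size < 1:
        raise ValueError("symbol_set_size is required when symbols are used")
    total = dictionary_size ** word_count * 10 ** digit_count
    return total * (symbol_set_size ** symbol_count if symbol_count else 1)

def entropy_bits(total):
    """Entropy in bits: log2 of the number of equally likely outcomes."""
    return math.log2(total)

def strength_label(bits):
    """The page's scale; the unstated 29-30 and 59-60 gaps round up here."""
    if bits < 30:
        return "weak"
    return "moderate" if bits < 60 else "strong"

def crack_time_seconds(total, rate=HASHES_PER_SECOND):
    """Worst case (whole space exhausted) and expected (half) time in seconds."""
    worst = total / rate
    return worst, worst / 2

def assess(dictionary_size, word_count, **extras):
    """One-stop report for a generator configuration."""
    total = possibilities(dictionary_size, word_count, **extras)
    bits = entropy_bits(total)
    worst, expected = crack_time_seconds(total)
    year = 365.25 * 86400
    return {"possibilities": total, "bits": bits,
            "label": strength_label(bits),
            "worst_years": worst / year, "expected_years": expected / year}

if __name__ == "__main__":
    for words in (2, 3, 4, 5):
        r = assess(7000, words)
        print(f"{words} words: {r['bits']:.1f} bits, {r['label']}, "
              f"expected crack {r['expected_years']:.2f} years")
```

Running it shows why four words from a 7,000-word dictionary lands in the moderate band (about 51 bits) while five words crosses into strong.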