Remove these Ads

About Password Strength Indices

What's a Strength Index

A password's "Strength Index" is a numeric representation of its resistance to brute force attacks.

There are lots of password generators out there, and there are almost as many scoring tools out there. It's not our goal to produce something that's completely different from anything else out there, but we recognize that not all tools cover all the bases.

What's Different

So there's a couple things that make our Strength Index different from some of the other password strength calculators out there (this is one of the better ones which, honestly, provides a far more detailed analysis than ours).

Password Lists

A clever, complex password that's already on a brute force password list is compromised before you even put it in place. That's why our Strength Index algorithm take into consideration whether the password is, in part or in whole, on a password list. We check it against a list of almost 90,000 common passwords that would be the first things tried on any semi-sophisticated brute force attack.

Hash Collisions

Without getting too technical, it's technically possible for many systems to allow access to a password-protected resource by someone guessing something that isn't your password but still matches their criteria.

You see, in most secure applications, your password isn't really ever stored. Instead, a "hashing algorithm" is applied which generates a seemingly random string of characters based on your password. This is good because hashing is a one-way trip. You can't "decrypt" a password using its hash (though there are hash dictionaries out there, but those are mitigated by a simple practice called salting). In other words, if their site gets hacked and someone gets access to their database, your data is compromised, but the password you use isn't exposed. So if you use the same password elsewhere (not a good idea, but we all tend to do it), your other accounts in other systems aren't exposed.

A common (though not recommended for you developers out there) hashing algorithm is called MD5. It generates 32 characters of text based on the input (for example, the MD5 hash of "cat" is "d077f244def8a70e5ea758bd8352fcd8"). Effectively, this means that passwords that are longer than 32 characters aren't useful in an application that uses an MD5 hash for storage, as hash collisions could occur before a password match is reached, and they both accomplish the same goal.

Different hashing algorithms produce different lengths of hashes, which means each one has a variable risk of hash collisions. A platform that stores a 32 character hash is effectively less secure than a platform that stores a 192 character hash. And a password that's 64 characters long is less useful on a site that uses a 32 character hash than one that uses a 192 character hash (such as SHA512).

Broader Scale

This site doesn't try to generate "strong" passwords, though it certainly can. We call this site Impossible Password because we want to offer a means to produce passwords that would require documentation because they're impossible to remember. And that makes them impractical to try to brute force.

Things like database passwords and the like which are typically set once, stored in a configuration file, perhaps documented, and rarely ever referenced again, SHOULD be longer and more complex since the typical usage affords the opportunity.

So we don't just work in terms of "weak" or "strong". A good password for logging into your email account daily might have a Strength Index of 20. That score should not be your target for more valuable information such as your bank account. There, you might shoot for a Strength Index of 30. That could still be something you can remember but still offers a measure of strength. That would be less than sufficient for securing a database or other "set and forget" applications. There, I'd aim for a Strength Index closer to 100.

The point is this: passwords are used all kinds of applications, and a simple measurement of "good/bad" or "weak/strong" is simply insufficient to cover the variety of applications. So we offer a broader scale.

Check out another of my handy-for-developers tools:, an easy way to get a specific HTTP status code