I. J. Computer Network and Information Security, 2016, 7, 23-30
Published Online July 2016 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2016.07.04

Password Security: An Analysis of Password Strengths and Vulnerabilities

Katha Chanda
Department of Computer Science and Engineering, Amity School of Engineering and Technology, Noida, Uttar Pradesh, India
E-mail: [email protected]

Abstract—Passwords can be used to gain access to specific data, an account, a computer system or a protected space. A single user may have multiple accounts that are protected by passwords. Research shows that users tend to keep the same or similar passwords, with only small differences, for different accounts. Once a single password becomes known, a number of accounts can be compromised. This paper deals with password security: a close look at what goes into making a password strong and the difficulty involved in breaking a password. The following sections discuss related work and prove graphically and mathematically the different aspects of password security, overlooked vulnerabilities and the widely ignored importance of passwords. This work describes tests that were carried out to evaluate the resistance of passwords of varying strength against brute force attacks. It also discusses overlooked parameters such as entropy and how it ties in to password strength. This work also discusses the password composition enforcement of different popular websites and then presents a system designed to provide an adaptive and effective measure of password strength. This paper contributes toward minimizing the risk posed by those seeking to expose sensitive digital data. It provides solutions for making password breaking more difficult as well as convincing users to choose and set hard-to-break passwords.

Index Terms—Password, Security, Entropy, Hashing, Password Strength.

I. INTRODUCTION

Passwords have been used to grant access to unknown persons since ancient times. Military, spy organizations and high security organizations have seen a rampant use of passwords. Even today, they are not only used to secure computers in the traditional sense but also to control access to mobile phones, homes, ATMs (automatic teller machines) and many more. Most often, passwords are the only security one enforces to protect an application against unauthorized access, and unfortunately many users do not fully realize the importance of passwords. They tend to set short, easy-to-remember passwords which are highly vulnerable to attacks. This paper aims to impress upon users just how vulnerable their private data can be with weak passwords by showing how easy or hard it is to break passwords of different strengths. Of course, with enough computing power and speed, no password is ultimately secure against a brute force attack. Yet with a little vigilance and knowledge, it is easy to make the job significantly harder for potential attackers.

Section 2 discusses the existing work on password security. Section 3 analyzes different aspects of password security and sections 4 and 5 discuss the different components that lend strength to a password. A brute force attack is implemented to analyze the times required to break passwords. By varying the strength of a password by a few factors, a comparison is made and a definitive conclusion is reached. Section 6 surveys the existing password composition rules enforced by popular websites in the industry and section 7 describes a password strength checker, PwdStrength, that is devised and implemented. The strength of the password is calculated based on a number of factors drawn from earlier conclusions. Table 3 provides a comparison between the output of PwdStrength and a pre-existing password strength checker on 22 passwords. The paper concludes with an analysis of the performance of PwdStrength and a short summary on the importance of password security as observed from the preceding sections.

II. RELATED WORK

Significant research has been done on passwords, their security, authentication methods and options beyond passwords. More secure alternatives to passwords exist. But as Herley et al. [1] stated in their paper, there are a number of barriers to moving beyond passwords, such as diversity of requirements, user reluctance and usability, individual control of end user systems etc. As of today, alphanumeric passwords are still the most common mode of authentication; hence the focus rests on improving the security of passwords and their authentication. Halderman et al. [2] bypass the need to remember multiple passwords for different accounts by using a strengthened hash function to generate high entropy passwords when they are needed. These passwords are protected by a single short master password. Udi Manber [3] implemented a scheme with two salts to prevent guessing attacks on passwords protected with one way functions. So far, most of the existing research focuses on secure management and storage of passwords.

Copyright © 2016 MECS I.J. Computer Network and Information Security, 2016, 7, 23-30
24 Password Security: An Analysis of Password Strengths and Vulnerabilities

Keith et al. [7] presented an empirical study on the usability of passphrases after a 12 week long experiment. Campbell et al. [8] proved that enforcing good password composition rules does not discourage users from setting strong and meaningful passwords. Alain et al. [9] used Persuasive Technology as a method to help users choose memorable passwords without forgoing security. Schechter et al. [10] propose a method to strengthen user passwords by setting a minimum acceptable false positive rate to prevent statistical guessing attacks. Duggan et al. [19] analyzed the password goals of different groups such as students, administrative staff and scientists and observed how password security was related to the sensitivity of their tasks. Kharod et al. [20] proposed a new technique that involves the use of hashing, salting and differential masking with a low time complexity to strengthen passwords. Bailey et al. [21] study the fact that users pick passwords of different strengths for different categories of websites; financial accounts have significantly stronger passwords, and they analyze the implications of this fact for password research. Despite research on strengthening passwords, data continues to be compromised on a regular basis, prompting the need for better vigilance and stronger passwords from both users and organizations. This paper focuses on how organizations as well as individual users can safeguard their data better against malevolent attacks.

III. ASPECTS OF PASSWORD SECURITY

There are many aspects to password security that must be considered. These include the manner in which passwords are stored. Secure password storage is crucial in protecting passwords from malicious attacks. Plain text, hashing, salted hashing and rainbow tables are all different methods of storing passwords. Also to be considered is whether the passwords are human generated or computer generated. Computer generated passwords generally possess a higher degree of randomness. Password theft is also an issue to be considered. Passwords can be stolen through social engineering, brute forcing, keylogging and the like. The following subsections explain the various aspects of password security.

A. Password Storage

A password can be made up of characters, numbers and/or special characters. Passwords are mostly case sensitive. Passwords can be entirely numeric; these are called passcodes and are often used as PINs (Personal Identification Numbers) in ATMs and net banking operations. Passwords are stored online in a number of ways. Some are much more secure than others and some are very vulnerable to attacks. The following lists a few of the most popular ways.

Plain Text Passwords – This is the simplest form of storing a password. Somewhere on the server of the site, there is a database which stores passwords and usernames in plain text. If the password is 'PassText321' then in the database the password is stored as 'PassText321'. This is the worst form of storing passwords in terms of security. If the site is hacked and the passwords are stored in human readable form, then all the passwords are immediately compromised. The hacker can read all the passwords with virtually no extra effort.

Encrypted Passwords – Many sites store an encrypted form of the password in the database on their server. Encryption uses a secret key to convert the password into a random-looking string of text. The advantage is that, without the key, the hacker cannot obtain the passwords. All that can be obtained are the random encrypted strings. The disadvantage is that the key is often stored on the same server as the passwords. So if the server is hacked and the key is retrieved, then all the passwords can be decrypted and compromised. The very fact that encryption is reversible, i.e. a message can be coded and decoded, poses a security threat.

Hashed Passwords – Hashing is a function that turns the password into a random-looking long string of letters and numbers. The advantage of hashes over encryption is that hashes are irreversible. Once the password is hashed, there exists no algorithm to change it back to the original password. The hacker would have to hash a number of combinations one by one to see which hash matches the one stored on the server. One way to do this is rainbow tables, which are computationally very fast. Hackers can also use a brute force attack, where every possible combination of letters and numbers is tried, hashed and matched against the hash retrieved from the database. This method can take a very long time and is largely dependent on how powerful the machine is. However, computers today have become very fast and brute force tools like John the Ripper can crack passwords quite efficiently. Different types of hashing algorithms like MD5, SHA-1, SHA-256 and SHA-512 exist.

Salted Hashes – To make hashes more secure, a 'salt' can be added to the hash. This means that a random string of characters is either prefixed or appended to the password before hashing it. Every password has a different salt. Even if the salts are stored in the database, cracking the passwords using a rainbow table will be very complicated, as the salted passwords are long, complex and unique. Salted hashes can be brute forced but the time taken is significantly longer. Using two salts, one public and one private, can also protect the password against offline attacks [3].

B. Human Generated Passwords Vs Randomly Generated Passwords

Passwords can be either human generated or randomly generated. A random number generator generates a random string with characters from a pre-defined character set. Each character in the character set has the same probability of being chosen. A pseudorandom number generator (PRNG) generates a random-looking sequence and has applications in cryptography. PRNG output is not truly random because it is generated from a small set of initial values. This set is


called the PRNG's state, and a truly random seed is included within it.

Human generated passwords are never really random. Human generated passwords are usually easy to remember. Humans choose passwords that are usually similar to some element of their lives, like addresses, birthdates and names of relatives, or words that are commonly used in everyday life. Passwords like 'abcdefg' or '123456' are also commonly used. With people possessing multiple accounts, it is hard to remember so many different passwords, so most opt for using short, easy-to-remember passwords. This makes human generated passwords more vulnerable and easy to guess [4]. It has also been noted that web users have a tendency to reuse their passwords [4]. If a single password becomes known, then more than one account will be compromised. Since most passwords are human generated, it falls to individual users to make sure the passwords are strong and secure.

C. Password Theft

Passwords can be leaked in a number of ways. An attacker can hack into the database of the site which stores the user credentials and uncover a huge number of passwords. Thefts can also occur on a personal level. A user can write down the password somewhere and it can make its way into malicious hands. Or a user can set a very simple and obvious password that is easy to guess. Social engineering, phishing or keyloggers can also compromise passwords [5]. Passwords can very commonly be uncovered by brute forcing or offline dictionary attacks.

IV. PASSWORD STRENGTH

A brute force attack tries every possible combination in a given character set and tries to match it against the original password. So the more possible combinations there are, the more time it will take for the algorithm to generate the guesses. On average, almost half of the total number of combinations is tried before striking on the right one. The longer it takes to break a password, the stronger it is. So it is logical to conclude that the greater the length of a password, the better it can stand against a brute force attack.

Let the length of the password that is to be cracked be N. Let the password consist of only lower case alphabets. This forms the character set. The possible candidates for each character of the password are 26. For a more generic case, let the character set consist of k characters. Then the number of possible passwords is k^N. So, the number of possible passwords can be increased either by increasing N or by increasing k.

If the length of the password is 6 and it is made up of only lower case alphabets then the number of possible passwords is 26^6, which is 308915776. If it were made of upper and lower case characters then the character set size would be 52 and the possibilities would be 52^6, which is 1.9770 × 10^10. If the password size is 7 then the possibilities would become 26^7 and 52^7.

To prove that a longer password is indeed more difficult to break than a shorter password, user entered passwords were hashed and then brute forced. Passwords were first hashed by an MD5 hash function. Once the password is hashed, the combinations are created for a fixed length. Every combination is hashed using the same MD5 hash function and compared to the hash of the original password. When a match is found, the function terminates. The word whose hash matched the original hash is the correct password. In the worst case scenario, the code will test every single combination before it can find a match. The time taken for each password to be broken is calculated and tabulated.

A. Numeric Tests

The first tests run were for 5 letter passwords. The time to break a single password was calculated and the test was repeated for one hundred different passwords consisting of only lower case alphabets from a-z. The next set of tests was for 6 letter passwords. Again, the time required to break a single password was calculated and the test was repeated for one hundred different passwords from a character set of lower case alphabets, a-z. Table 1 shows 20 of the test results. As seen from Table 1, the time required to break a six letter password is much higher than for a five letter password. It is also clear from the table that there is a more or less uniform increase in the time. As calculated graphically, the average time increase is 26.

B. Alphanumeric Tests

The next set of tests was run for calculating the time to break 6 letter alphanumeric passwords. Twenty passwords were tested for this. The alphanumeric passwords were compared to twenty randomly selected 6 letter alphabetical passwords and their graphs were computed, which show how much the password strengthens by adding to its character set. For alphanumeric passwords, the character set becomes 36. Hence for a 6 letter alphanumeric password, the number of possibilities is 36^6 = 2176782336 and for a 6 letter alphabetic password, the number of possibilities is 26^6 = 308915776.

C. Multiple Case Tests

The next set of tests was run for calculating the time to brute force passwords that comprised alphabets of both upper and lower case. The character set for multi-case passwords is 52. Twenty random passwords each of 6 letters were tested. These were compared to twenty lower case passwords and their graphs were computed. For each 6 letter multi case password, the number of possibilities is 52^6 = 19770609664 and for a 6 letter alphabetic password, the number of possibilities is 26^6 = 308915776. The graphical results corroborate the fact that increasing the character set strengthens the password by a significant amount.
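As an added example (not code from the paper), the arithmetic of Section IV and the hash-and-compare experiment it describes, together with the salting point from Section III.A: `search_space` and `expected_guesses` give k^N and its mean-case half for the paper's 6-character test categories; `exhaust_md5` enumerates fixed-length candidates against an MD5 digest exactly as the section describes, run here on a constructed 3-character target so that the count of hashes, not the clock, is what is observed; `salts_defeat_shared_table` shows why equal passwords stored with per-user salts cannot be looked up in one precomputed table. The use of SHA-256 for the salted digest, the 16-byte salt length and the sample strings are my choices, not the paper's.

```python
import hashlib
import itertools
import os

# Section IV: a password of length n drawn from k symbols has k**n candidates;
# an exhaustive search in a fixed order needs about half of them on average.
def search_space(k: int, n: int) -> int:
    return k ** n

def expected_guesses(k: int, n: int) -> float:
    # Mean position of a uniformly random target in an exhaustive enumeration.
    return (search_space(k, n) + 1) / 2

# The experiment Section IV describes: hash the target with MD5, enumerate every
# fixed-length candidate, hash it the same way and compare. Returns
# (recovered_password, hashes_computed). Meant for tiny constructed inputs.
def exhaust_md5(target_hex: str, charset: str, length: int):
    attempts = 0
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        attempts += 1
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate, attempts
    return None, attempts

def recover_constructed_target():
    # Constructed target: 3 characters from a 3-symbol alphabet (27 candidates);
    # 'cab' is the 20th candidate in itertools.product order.
    target = hashlib.md5(b"cab").hexdigest()
    return exhaust_md5(target, "abc", 3)

# Section III.A: a per-user salt makes equal passwords hash differently, so a
# table of digests precomputed for unsalted hashing (a rainbow table) cannot be
# matched against the stored value; each salt forces a fresh search.
def salted_sha256(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def salts_defeat_shared_table(password: str) -> bool:
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return salted_sha256(password, salt_a) != salted_sha256(password, salt_b)

if __name__ == "__main__":
    # The three 6-character categories whose sizes Section IV quotes.
    for k, label in ((26, "lower case"), (36, "alphanumeric"), (52, "mixed case")):
        print(f"{label:>13}: 6-char space = {search_space(k, 6):,}, "
              f"expected guesses = {expected_guesses(k, 6):,.1f}")
    print("recovered (password, hashes computed):", recover_constructed_target())
    print("same password, two salts, different digests:",
          salts_defeat_shared_table("PassText321"))
```

The `expected_guesses` figure is the mean over a uniformly chosen target; the paper's timing table reports individual passwords, so individual rows scatter around that mean, which is what the roughly uniform spread in Table 1 shows.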


Table 1. Calculated Time to Break 5 Letter, 6 Letter, Alphanumeric and Double Case Passwords.

Sr.no | 5 letter password | Time to break | 6 letter password | Time to break | Alphanumeric password | Time to break | Double Case password | Time to break
1 | Bales | 57795.2 | abases | 1599703 | abas34 | 9944469 | Acajou | 72887164
2 | Candy | 58503.7 | ballad | 1621442 | a346be | 11524403 | Blunts | 75462234
3 | Delta | 52585.6 | bennis | 1457532 | aes3er | 10989201 | Chough | 73235678
4 | Egads | 56186.9 | chinos | 1763321 | 45alze | 11031055 | Diesel | 69984567
5 | Feign | 55397 | daddle | 1705889 | bes567 | 10134510 | Ethoxy | 77567893
6 | Garum | 47403.85 | doting | 1514065 | 045kat | 10139948 | Flabby | 74221345
7 | Hoary | 68526.15 | elects | 1557074 | bute90 | 9567085 | Gnawed | 80556784
8 | Igapo | 61641.75 | fabled | 1394745 | blips2 | 10044859 | Hector | 79556788
9 | Lobby | 49092.6 | glades | 1737407 | cat101 | 11071539 | Imagos | 77564856
10 | Maims | 60824.15 | hacker | 1659651 | cupola | 11116028 | Jovial | 76554345
11 | Nutsy | 62828.85 | incite | 1768656 | citco5 | 11043269 | Keener | 77908456
12 | Peare | 60157.1 | jinxed | 1393465 | celt67 | 11191393 | Legmen | 72345677
13 | Rearm | 66847.9 | khazen | 1613898 | delta4 | 11272714 | Macaco | 71236578
14 | Rough | 66346.05 | legmen | 1398087 | 5doggy | 11167292 | Nankin | 78665432
15 | Skids | 67386.45 | milady | 1623292 | death8 | 11417336 | Oafish | 69783321
16 | Taboo | 67245.85 | nibble | 1642988 | dupe33 | 11597704 | Pablum | 70112345
17 | Thyme | 66887.05 | odours | 1636991 | epm4t6 | 11591159 | Quiche | 71864579
18 | Users | 42237.35 | phenom | 1554071 | epm4t6 | 10855216 | Rabato | 74556789
19 | Xylem | 56794.2 | quaked | 1592733 | 34egg7 | 9858146 | Sebums | 73455675
20 | Zonal | 61287.9 | stomps | 1651824 | etoph4 | 10832474 | Valued | 75338904

Fig.1. Time Taken to Break 6 Letter Alphabetical Passwords and Alphanumeric Passwords

Fig.2. Time Taken to Break 5 and 6 Letter Passwords


V. ENTROPY

A. Entropy as Information Content

Entropy is defined in the context of a probabilistic model. A code that generates a string of "BBBBB…" will have an entropy of zero because there is no uncertainty in the next character. It is known that the next character must be 'B'. If a 256 bit key is randomly generated, then it has 256 bits of entropy. But if every digit is not of equal probability, then the entropy will fail to reflect the true unpredictability. If the key is "cryptography" 50% of the time and a truly random 256 bit key otherwise, then the entropy is approximately 128 bits, but the number of guesses it takes to brute force it may not be 2^128 − 1 but 2^256 − 1, as half the time the password can be cracked on the first try and the other half it needs to be guessed.

B. Password Strengths in terms of Entropy

When it comes to passwords, entropy is used to specify the strength of a password in terms of its information content, measured in bits. A password of m bits strength would need 2^m tries to exhaust all possibilities in a brute force attack. Clearly, the higher the entropy, the greater is the strength of the password. Entropy is given by:

H = L × log2 N    (1)

where L is the length of the password and N is the character set size.

Let the password be 'Ast34beta1', which is chosen out of a 62 size character set. Then the entropy is H = 10 × log10 62 / log10 2, which is H = 59.541 bits. Therefore the entropy of a password depends both on its length and on the number of total possible characters. What increases the entropy more: length or size of character set? From the equation it is clear that the length of the password matters more.

Fig.3. Entropy Vs Length

Table 2. Entropy of passwords of increasing length and fixed character set

Sr. no (length) | Charset-26 | Charset-36 | Charset-52 | Charset-62 | Charset-94
1 | 4.700439718 | 5.169925001 | 5.700439718 | 5.95419631 | 6.554588852
2 | 9.400879436 | 10.33985 | 11.40087944 | 11.90839262 | 13.1091777
3 | 14.10131915 | 15.509775 | 17.10131915 | 17.86258893 | 19.66376656
4 | 18.80175887 | 20.67970001 | 22.80175887 | 23.81678524 | 26.21835541
5 | 23.50219859 | 25.84962501 | 28.50219859 | 29.77098155 | 32.77294426
6 | 28.20263831 | 31.019550 | 34.20263831 | 35.72517786 | 39.32753311
7 | 32.90307803 | 36.18947501 | 39.90307803 | 41.67937417 | 45.88212196
8 | 37.60351775 | 41.35940001 | 45.60351775 | 47.63357048 | 52.43671081
9 | 42.30395746 | 46.52932501 | 51.30395746 | 53.58776679 | 58.99129967
10 | 47.00439718 | 51.69925001 | 57.00439718 | 59.5419631 | 65.54588852
11 | 51.7048369 | 56.86917502 | 62.7048369 | 65.49615941 | 72.10047737
12 | 56.40527662 | 62.03910002 | 68.40527662 | 71.45035572 | 78.65506622
13 | 61.10571634 | 67.20902502 | 74.10571634 | 77.40455204 | 85.20965507
14 | 65.80615605 | 72.37895002 | 79.80615605 | 83.35874835 | 91.76424392
15 | 70.50659577 | 77.54887502 | 85.50659577 | 89.31294466 | 98.31883278
16 | 75.20703549 | 82.71880002 | 91.20703549 | 95.26714097 | 104.8734216
17 | 79.90747521 | 87.88872502 | 96.90747521 | 101.2213373 | 111.4280105
18 | 84.60791493 | 93.05865003 | 102.6079149 | 107.1755336 | 117.9825993
19 | 89.30835464 | 98.22857503 | 108.3083546 | 113.1297299 | 124.5371882
20 | 94.00879436 | 103.3985 | 114.0087944 | 119.0839262 | 131.091777
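Equation (1) and the two discussions of Section V, worked as an added example (this is not code from the paper): `password_entropy_bits` is H = L × log2 N and `entropy_table` regenerates Table 2 from it; `compare_gains` quantifies the length-versus-alphabet question the section raises; `shannon_entropy_bits` and `expected_guesses_ordered` make the point of Section V.A concrete, that the entropy of a skewed distribution and the number of guesses it actually costs can differ widely. The skewed distribution (one password used half the time, the rest spread over 2^16 alternatives) is a constructed stand-in for the paper's "cryptography or a random 256 bit key" case, scaled down so it can be summed directly.

```python
import math

# Equation (1) from Section V: H = L * log2(N), where L is the password
# length and N the character set size.
def password_entropy_bits(length: int, charset_size: int) -> float:
    return length * math.log2(charset_size)

# The five character-set sizes tabulated in Table 2.
CHARSETS = (26, 36, 52, 62, 94)

def entropy_table(max_length: int = 20):
    # Reproduces Table 2 as {length: {charset_size: bits}}.
    return {L: {N: password_entropy_bits(L, N) for N in CHARSETS}
            for L in range(1, max_length + 1)}

def compare_gains(length: int, charset_size: int, wider_charset: int):
    # Bits gained by one more character versus bits gained by widening the
    # alphabet at the same length: (gain_from_length, gain_from_charset).
    base = password_entropy_bits(length, charset_size)
    return (password_entropy_bits(length + 1, charset_size) - base,
            password_entropy_bits(length, wider_charset) - base)

# Section V.A: Shannon entropy of a non-uniform password distribution versus
# the expected number of guesses when candidates are tried in decreasing
# order of probability. `probs` must sum to 1.
def shannon_entropy_bits(probs) -> float:
    return -math.fsum(p * math.log2(p) for p in probs if p > 0)

def expected_guesses_ordered(probs) -> float:
    ordered = sorted(probs, reverse=True)
    return math.fsum((rank + 1) * p for rank, p in enumerate(ordered))

def uniform_expected_guesses(bits: int) -> float:
    # A uniform choice among 2**bits candidates is found, on average, midway.
    return (2 ** bits + 1) / 2

def skewed_example():
    # Constructed distribution: one password used half the time, the other
    # half spread uniformly over 2**16 alternatives.
    # Returns (entropy_bits, expected_guesses).
    tail = 2 ** 16
    probs = [0.5] + [0.5 / tail] * tail
    return shannon_entropy_bits(probs), expected_guesses_ordered(probs)

if __name__ == "__main__":
    print(f"'Ast34beta1' from 62 symbols: {password_entropy_bits(10, 62):.3f} bits")
    for L, row in entropy_table(6).items():
        print(L, " ".join(f"{row[N]:8.3f}" for N in CHARSETS))
    print("one more char vs widening 26->52 at length 6:", compare_gains(6, 26, 52))
    h, g = skewed_example()
    print(f"skewed: {h:.1f} bits, expected guesses {g:.2f}; "
          f"a uniform {h:.0f}-bit choice needs {uniform_expected_guesses(int(h)):.1f}")
```

The skewed case has exactly 9 bits of Shannon entropy, yet an attacker guessing in probability order needs about 16385 guesses on average, whereas a uniform 9-bit choice needs 256.5: half the time the first guess wins, but the long tail dominates the mean, which is why equation (1) is only a strength measure for uniformly chosen passwords.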

VI. STRONG PASSWORDS IN THE INDUSTRY

The significance of strong passwords has been sufficiently discussed in the preceding sections. It is obvious that apart from the security measures the organization takes to secure their users' data, it is also the responsibility of the user to ensure that their passwords are strong. Users can be forced to introduce some measure of complexity to their passwords by enforcing some necessary rules. The user must conform to these


rules while choosing their new password at the time of registering. The research in [6] proves that people choose weaker passwords for sites which employ lax rules while registering a new account is sufficiently protected. By going through the login/register/sign-up pages of the following web giants, it was possible to gain sufficient data to understand what rules they insist their customers follow when they create a new account.

Ebay.com [11] – ebay.com enforces the following rules for passwords:
• Minimum of six and a maximum of 20 characters
• At least one number and/or a special symbol
• Must be case sensitive. That is, must contain both uppercase and lowercase letters
• Passwords are categorized as 'weak', 'medium' or 'strong'. The user is notified if the password is 'invalid' or 'too short'. The password is classified as 'medium' or 'weak' unless alphabets, numbers and special symbols are used. To be classified as 'strong', the password must not only consist of alphabets (both upper and lower case), numerals and special symbols but must also have a length greater than 6. A password of length six with all combinations of characters gets a 'medium' rating, but making it of length seven or more makes it strong.

Amazon.com [12] – amazon.com enforces the following rules for a password during registration of a user account:
• Must have a minimum of 6 letters
• Must be a combination of upper and lower case and/or a combination of letters and numbers.

Flipkart.com [13] – flipkart.com enforces the following rules on passwords during registration:
• It must have a minimum of four characters

Facebook.com [14] – facebook.com enforces the following conditions on passwords during registration of a new user:
• Must have a minimum of 6 characters with respect to length.

Adobe.com [15] – adobe.com enforces the following conditions on passwords during registration of a new user:
• Must have a minimum of 6 characters with respect to length.

Hotmail.com [16] – hotmail.com enforces the following conditions on passwords during registration of a new user:
• Must have a minimum of 8 characters with respect to length.
• It must contain any two of the following: upper case letters/ lower case letters/ numbers/ special symbols.

After a short analysis of the rules which the sites mentioned above enforce, the author concludes that flipkart.com has the least password security. The strongest rules enforced are by ebay.com followed by hotmail.com. Their restrictions force users to set passwords that are naturally hard to brute force.

VII. PASSWORD STRENGTH CHECKER

A. Design and Description

This paper designs and implements a password strength checker called PwdStrength. It scores the user entered password against a number of factors and returns the score along with a classification of 'weak', 'fair', 'strong' or 'invalid'. These factors have been determined from the analysis in the previous sections. The five factors are:

Length: As discussed above, the length of a password can be the strongest deterrent to a brute force attack. If the length is large enough, it can even render a rainbow table useless.

Character set: By increasing the size of the character set, the number of possibilities or guesses that the computer will have to make to chance upon the correct password increases. As discussed before, the total number of possible tries a computer can make for a password is (size of character set)^(length of password).

Entropy: In information theory, entropy measures the uncertainty in a random variable. The more the entropy, the more the uncertainty, hence the lesser the chances of guessing.

Predictability: It has been observed that, in an effort to keep an easy-to-remember password, people tend to use alphabets and numbers in order, that is, "abcd" or "345" etc. If the hacker is aware that the last 2 or 3 digits are numbers, then the chances are that the numbers will be in order. This lessens the password strength because it becomes much easier to guess a set of numbers in order.

Commonness: When users set passwords, they tend to set common passwords. If not the name of a close family member or a place, it is often something like 'password', 'password123' or 'abcdef4567' etc. If the password is something very common then the attacker may run a dictionary attack using a list of common words or a phrase book, and there's a chance that the attack is successful. The code checks the password entered against a list of the 10000 most common passwords of 2014. Many vendors generate these lists; however, the most comprehensive list was found at xato.net [17].

B. The Scoring System

The password is scored out of ten on each of the factors mentioned in the previous section. The 5 scores are totaled and averaged to give the final score out of 10. The scoring system for each factor is as follows:

• If length > 12: Score = 10
• If length >= 10 and length < 12: Score = 8
• If length >= 8 and length < 10: Score = 6
• If length >= 6 and length < 8: Score = 4
• If length < 6: No score

• If character set = 26; score = 2
• If character set = 36; score = 4
• If character set = 52; score = 6
• If character set = 62 or 84; score = 8
• If character set = 94; score = 10

For the weakest password that is not invalid, the entropy is found to be approximately 28. For a very complex password with a length of 12 or more, the entropy is found to be over 85. Therefore, this range of entropy has been divided into categories and scored accordingly:
• If entropy <= 28; score = 2
• If entropy > 28 and entropy <= 47; score = 4
• If entropy > 47 and entropy <= 66; score = 6
• If entropy > 66 and entropy <= 85; score = 8
• If entropy > 85; score = 10

For every three letters or numbers that are in order, one point is deducted from 8. For the first three in-order characters, one point is deducted from 8. After that, for every further consecutive character in order, another point is removed. Hence '12345' scores 8 − 3 = 5, because '123' warrants −1, '234' warrants −2 and '345' warrants −3. However, 'ab' won't result in any negative score, as many words contain two in-order characters, such as 'absolute' or 'effort'. If, however, there are more than 10 such consecutive triplets, then the password is scored a 0 on predictability.

If the password is found among the top ten thousand common passwords, it is awarded a score of 5 out of 10. If not, it is awarded 8 out of 10. If the password is commonly found, a warning is displayed saying that it is a common password.

On these 5 factors, the password is marked on a scale of 10 separately. Then the scores are averaged, which gives the result out of 10. If the final score is less than 4, the password is termed 'WEAK'. If the score is equal to or above 8, it is classified as 'STRONG'. For any score in between, the password is termed 'FAIR'.

C. Results and Discussion

PwdStrength was tested for a number of passwords and the results tabulated. A number of computer users were asked to volunteer passwords they are likely to keep should they open up new accounts. The same passwords were tested by The Password Meter [18], a popular online strength checking website. The Password Meter takes into consideration the character set of the password, the length, consecutive letters, numbers and repeated characters. It does not check for entropy or whether the password is a common one or not. The output of the code is presented in Table 3 below.

Table 3. Output of PwdStrength vs Output of Password Meter

Sr. no | Password (PwdStrength) | Score | Category | Password (Password Meter) | Score @ PasswordMeter
1 | Kathachanda | 5.0 | FAIR | kathachanda | Very Weak: 11%
2 | TestingJava123 | 8.0 | STRONG | TestingJava123 | Very Strong: 92%
3 | HELLO | - | Invalid password | HELLO | Very Weak: 4%
4 | Password | 4.0 | WEAK: Common! | Password | Weak: 26%
5 | Cheryl | 4.0 | WEAK: Common! | Cheryl | Weak: 22%
6 | Password!Security | 5.0 | FAIR | Password!Security | Very Strong: 95%
7 | DrJekyll1234Hyde | 8.0 | STRONG | DrJekyll1234Hyde | Very Strong: 100%
8 | Testing1234567 | 7.0 | FAIR | Testing1234567 | Very Strong: 100%
9 | Amityuniversity | 6.0 | FAIR | Amityuniversity | Good: 48%
10 | camp@#* | 4.0 | WEAK | camp@#* | Good: 50%
11 | 4567!#$ | 3.0 | WEAK | 4567!#$ | Strong: 60%
12 | HarryPotter23 | 8.0 | STRONG | HarryPotter23 | Very Strong: 83%
13 | jeromealpha45 | 6.0 | FAIR | jeromealpha45 | Good: 43%
14 | Tedious$affair | 6.0 | FAIR | Tedious$affair | Very Strong: 81%
15 | Just1Got#Home | 9.0 | STRONG | Just1Got#Home | Very Strong: 95%
16 | JokesterTell321 | 8.0 | STRONG | JokesterTell321 | Very Strong: 95%
17 | Blake123 | 7.0 | FAIR | Blake123 | Strong: 65%
18 | annie12 | 5.0 | FAIR | annie12 | Weak: 30%
19 | Tennis | 4.0 | WEAK | tennis | Very Weak: 6%
20 | fireman56 | 6.0 | FAIR | fireman56 | Weak: 36%
21 | TellMeWhy65 | 8.0 | STRONG | TellMeWhy65 | Strong: 79%
22 | NoGood@Food | 8.0 | STRONG | NoGood@Food | Strong: 74%
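The scoring rules of sections VII.A and VII.B, implemented as an added example: the five per-factor scores, their average and the WEAK/FAIR/STRONG/INVALID classification. This is not the author's PwdStrength code, and its output for the Table 3 passwords need not match the published scores. Assumptions beyond the text: a ten-entry constructed list stands in for the xato.net list [17]; character-set size is the sum of the classes present (26 lower, 26 upper, 10 digits, 32 symbols) and sizes the paper does not list (58, 68, 78) fall into the nearest bucket below; the common-password lookup is case-insensitive; "in order" means three consecutive code points.

```python
import math
import string

# Constructed stand-in for the 10,000-most-common list the paper takes from
# xato.net [17]; a deployment would load the full list from a file.
COMMON_PASSWORDS = frozenset({
    "password", "password123", "123456", "12345678", "qwerty",
    "abcdef4567", "letmein", "football", "iloveyou", "admin",
})

def charset_size(pw: str) -> int:
    # Sum of the character classes present; yields the paper's 26/36/52/62/84/94.
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += 32
    return size

def length_score(pw: str):
    n = len(pw)
    if n > 12: return 10
    if n >= 10: return 8
    if n >= 8: return 6
    if n >= 6: return 4
    return None  # "No score": the password is invalid

def charset_score(size: int) -> int:
    # Buckets follow the paper's table (26->2, 36->4, 52->6, 62 or 84->8, 94->10);
    # sizes it does not list fall into the bucket below them (assumption).
    if size <= 26: return 2
    if size <= 36: return 4
    if size <= 52: return 6
    if size <= 84: return 8
    return 10

def entropy_score(pw: str, size: int) -> int:
    h = len(pw) * math.log2(size)  # equation (1)
    if h <= 28: return 2
    if h <= 47: return 4
    if h <= 66: return 6
    if h <= 85: return 8
    return 10

def predictability_score(pw: str) -> int:
    # Each overlapping run of three consecutive code points ('123', 'abc')
    # costs one point from 8; more than ten runs scores 0.
    triplets = sum(1 for i in range(len(pw) - 2)
                   if ord(pw[i + 1]) == ord(pw[i]) + 1
                   and ord(pw[i + 2]) == ord(pw[i + 1]) + 1)
    if triplets > 10: return 0
    return max(8 - triplets, 0)

def commonness_score(pw: str) -> int:
    return 5 if pw.lower() in COMMON_PASSWORDS else 8

def pwd_strength(pw: str) -> dict:
    ls = length_score(pw)
    if ls is None:
        return {"score": None, "category": "INVALID", "common": False, "parts": []}
    size = charset_size(pw)
    parts = [ls, charset_score(size), entropy_score(pw, size),
             predictability_score(pw), commonness_score(pw)]
    score = sum(parts) / 5
    category = "WEAK" if score < 4 else "STRONG" if score >= 8 else "FAIR"
    return {"score": round(score, 1), "category": category,
            "common": parts[4] == 5, "parts": parts}

if __name__ == "__main__":
    for sample in ("HELLO", "password", "12345abc", "Just1Got#Home"):
        r = pwd_strength(sample)
        warn = "  (common password!)" if r["common"] else ""
        print(f"{sample:>14}: {r['score']} {r['category']} {r['parts']}{warn}")
```

The factor scores are kept in `parts` so that a result can be explained to the user (which factor dragged the average down), which a single number cannot do.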

The advantage of PwdStrength is that it can be frequently updated with respect to the common passwords list. Since new lists of the weakest passwords are published every year, the code can be kept up-to-date at all times. Also, as new passwords are added to the old list, a user's current password may become too easy to guess. Every time the list is significantly updated, the sites can issue a warning to the users to change their

Copyright © 2016 MECS I.J. Computer Network and Information Security, 2016, 7, 23-30
30 Password Security: An Analysis of Password Strengths and Vulnerabilities

password for security reasons. This makes the algorithm [9] Alain Forget, Sonia Chiasson, and Robert Biddle. 2007.
efficient and adaptive as it constantly keeps track of Helping users create better passwords: is this the right
recently popular passwords and rejects them for new approach?. In Proceedings of the 3rd symposium on
users. Usable privacy and security (SOUPS '07). ACM, New
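The sequential-character deduction described before Table 3 and the common-password-list check described in the paragraph above, as an added illustration in Python. This is not the paper's PwdStrength code, which the page does not reproduce: the base score of 8 is taken from the '12345' example in the text, while the `sequence_penalty`, `score_password` and `needs_rotation` names, the handling of letters versus digits, and the two short common-password lists are constructed assumptions.

```python
"""Illustration (not the paper's PwdStrength code) of two rules described
in the text: deducting one point from a base score of 8 for every run of
three in-order characters, and rejecting passwords that appear on a
published common-password list that is swapped out as new lists are
released. The base score, the list contents and the function names are
assumptions/constructed values, not the paper's data."""

BASE_SCORE = 8  # assumed starting score, as in the '12345' -> 8-3=5 example

# Constructed stand-in for a published common-password list; a real
# deployment would load the current year's list (the paper cites one as [17]).
# V2 models the "updated list" the text talks about: V1 plus new entries.
COMMON_PASSWORDS_V1 = frozenset({"password", "123456", "qwerty", "cheryl"})
COMMON_PASSWORDS_V2 = COMMON_PASSWORDS_V1 | {"letmein", "tennis"}


def _same_class(a: str, b: str) -> bool:
    """True when both characters are digits or both are letters, so that
    a run like '9:;' or 'z{|' (consecutive code points, mixed classes)
    is not treated as an in-order sequence."""
    return (a.isdigit() and b.isdigit()) or (a.isalpha() and b.isalpha())


def sequence_penalty(password: str) -> int:
    """Count windows of three consecutive characters that are in order
    ('abc', '123', 'xyz'), comparing letters case-insensitively.
    Each window costs one point, so '12345' -> 3 ('123', '234', '345')
    and 'ab' -> 0 because no three-character window exists."""
    p = password.lower()
    penalty = 0
    for i in range(len(p) - 2):
        a, b, c = p[i], p[i + 1], p[i + 2]
        if (_same_class(a, b) and _same_class(b, c)
                and ord(b) == ord(a) + 1 and ord(c) == ord(b) + 1):
            penalty += 1
    return penalty


def is_common(password: str, common_list) -> bool:
    """Case-insensitive lookup against the currently deployed list."""
    return password.lower() in common_list


def score_password(password: str, common_list=COMMON_PASSWORDS_V1) -> dict:
    """Apply the sequence deduction and the common-list check.
    A listed password is reported as common regardless of its score,
    mirroring the 'WEAK: Common!' rows in Table 3."""
    penalty = sequence_penalty(password)
    return {
        "score": max(0, BASE_SCORE - penalty),
        "sequence_penalty": penalty,
        "common": is_common(password, common_list),
    }


def needs_rotation(password: str, old_list, new_list) -> bool:
    """After the site replaces its list, a password that was acceptable
    under the old list may now be listed; the site can then warn that
    user to change it. Intended to run at login, the one point at which
    the site handles the plaintext password."""
    return not is_common(password, old_list) and is_common(password, new_list)


if __name__ == "__main__":
    for pw in ("12345", "ab", "Password", "DrJekyll1234Hyde"):
        print(pw, score_password(pw))
    print("tennis needs rotation:",
          needs_rotation("tennis", COMMON_PASSWORDS_V1, COMMON_PASSWORDS_V2))
```

Only the two rules discussed in the text are implemented, so the scores will not match Table 3 for passwords whose PwdStrength score also depends on the other components of the checker (length, character classes, repeats). The `needs_rotation` check returns True exactly for passwords that the newly deployed list flags but the old one did not, which is the set of users the text says should be warned.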
VIII. CONCLUSION

This paper has made abundantly clear the importance that should be attached to passwords. The ease with which passwords can be broken and data can be compromised has also been clearly explained. Sites should take effective measures to make sure that their users' data is sufficiently secured by ensuring that the correct scheme is employed to protect against hacks. The role played by users in securing their data is also emphasized. The algorithm explained in the previous section can help force users to employ passwords which are complex and difficult to break. If employed and improved upon further, it would go a long way towards making digital data much more secure. The threat of data being compromised will always exist. Risk may be minimized but it can never be eliminated. To that effect, it is always better to be safe than sorry.

REFERENCES

[1] Herley, Cormac, Paul C. van Oorschot, and Andrew S. Patrick. "Passwords: If we're so smart, why are we still using them?" Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2009. 230-237.
[2] Halderman, J. Alex, Brent Waters, and Edward W. Felten. "A convenient method for securely managing passwords." Proceedings of the 14th International Conference on World Wide Web. ACM, 2005.
[3] Manber, Udi. "A simple scheme to make passwords based on one-way functions much harder to crack." Computers & Security 15.2 (1996): 171-176.
[4] Yan, Jianxin, Alan Blackwell, Ross Anderson, and Alasdair Grant. "The memorability and security of passwords: some empirical results." Technical Report, University of Cambridge Computer Laboratory (2000): 1.
[5] Gayathiri Charathsandran. "Text Password Survey: Transition from First Generation to Second Generation." Unpublished.
[6] Florêncio, D., and C. Herley. "A Large-Scale Study of Web Password Habits." In Proc. (2007).
[7] Mark Keith, Benjamin Shao, and Paul John Steinbart. "The usability of passphrases for authentication: An empirical field study." International Journal of Human-Computer Studies 65.1 (January 2007): 17-28.
[8] Campbell, John, Dale Kleeman, and Wanli Ma. "The good and not so good of enforcing password composition rules." Information Systems Security 16.1 (2007): 2-8.
[9] Alain Forget, Sonia Chiasson, and Robert Biddle. "Helping users create better passwords: is this the right approach?" Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS '07). ACM, New York, NY, USA, 2007. 151-152.
[10] Schechter, Stuart, Cormac Herley, and Michael Mitzenmacher. "Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks." Proceedings of the 5th USENIX Conference on Hot Topics in Security. USENIX Association, 2010.
[11] Ebay.com. www.ebay.com
[12] Amazon.com. www.amazon.com
[13] Flipkart.com. www.flipkart.com
[14] Facebook.com. www.facebook.com
[15] Adobe.com. www.adobe.com
[16] Hotmail.com. www.hotmail.com
[17] 10,000 Most Common Passwords List. Available: https://xato.net/passwords/more-top-worst-passwords
[18] Password strength. Available: http://www.passwordmeter.com
[19] Duggan, Geoffrey B., Hilary Johnson, and Beate Grawemeyer. "Rational security: Modelling everyday password use." International Journal of Human-Computer Studies 70.6 (2012): 415-431.
[20] Kharod, Seema, Nidhi Sharma, and Alok Sharma. "An improved hashing based password security scheme using salting and differential masking." 2015 4th International Conference on Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions). IEEE, 2015.
[21] Bailey, Daniel V., Markus Dürmuth, and Christof Paar. "Statistics on Password Re-use and Adaptive Strength for Financial Accounts." Security and Cryptography for Networks. Springer International Publishing, 2014. 218-235.

Authors' Profiles

Ms Katha Chanda is a final-year student of Computer Science and Engineering, Amity School of Engineering and Technology, Amity University, Noida. She is currently pursuing her Bachelor of Technology in CSE from the aforementioned university and expects to graduate in June 2016. Currently, she is a visiting research student at Singapore University of Technology and Design, Singapore, researching the classification of audio files. Her research interests include computer security and machine learning. Her past work involves a proposal for a hybrid botnet detection framework, which was subsequently published.

How to cite this paper: Katha Chanda, "Password Security: An Analysis of Password Strengths and Vulnerabilities", International Journal of Computer Network and Information Security (IJCNIS), Vol.8, No.7, pp.23-30, 2016. DOI: 10.5815/ijcnis.2016.07.04