Don’t rely on password validity rules and mangling

Don’t assume your password is strong just because it satisfies an account’s mandatory password validity rules (minimum length, a digit, a special character, mixed case). The password “Beyonce#1” satisfies most such rules but is a weak password: a well-known name with a capital first letter and “#1” tacked on the end is exactly the pattern cracking rule sets are written to produce. Unfortunately, many password strength meters give a false sense of security because they check only these basic validity rules.

Further, don’t assume that mangling certain characters will produce a strong password, whether by leetspeak or any other fixed character substitution (for example, substituting ‘$’ for ‘s’, ‘@’ for ‘a’, and so on). Because the substitutions are fixed and well known, a cracker reverses them as easily as you apply them.

These validity rules and manglings have become antiquated because hackers already know the patterns we follow when applying them. They start with an initial dictionary of words, quotes from wikiquote.org, names of athletes, teams, bands, songs, authors, fictional characters, etc. Then, based on common patterns we use when creating our passwords, they apply validity rules and manglings to each entry of their initial dictionary to create a comprehensive final password cracking dictionary.

Therefore, before you apply validity rules and manglings, your password should already be a strong password.

For enlightenment, see these password cracking dictionaries (is one of your passwords in one of them?). If you can read scripts, look at John the Ripper, the open-source password cracker, and some of its recommended wordlist rules, which adorn initial dictionary entries with digits and special characters and mangle them.

With every new tranche of passwords that are phished or leaked, hackers add to their initial dictionaries and adapt their scripts to apply new patterns of validity rules usage and mangling.

Below are the scores from the first 8 password strength checkers returned by a Google search for “password strength checker”. Both sample passwords follow the same common validity rules and do so in the same way: an initial uppercase letter, six lowercase letters, a special character, and a digit. The root of the first sample, “mustang”, is a common dictionary word that any wordlist attack will try early; the root of the second is random letters.

Those strength checkers that give the same score for both sample passwords are not doing any dictionary lookup; they rely only on simple validity rules or on the size of the character set.

Note that a wide variance in results between checkers still exists, even though Mark Stockley of Sophos identified this variance in 2015.

| Site | Score for password Mustang#1 | Score for password Htqvgxb^3 |
| --- | --- | --- |
| passwordmeter.com | score 70% (strong) | score 70% (strong) |
| howsecureismypassword.net | 4 weeks to crack | 4 weeks to crack |
| password.kaspersky.com | 4 minutes to crack | 4 months to crack |
| www.my1login.com/resources/password-strength-test | 0.57 seconds to crack | 100 thousand years to crack |
| password-checker.online-domain-tools.com | score 55% (medium), but this is not safe because “mustang” is a dictionary word | score 55% (medium), but this is not safe because ‘Htq’ + ‘vgx’ + ‘b^3’ is not a safe word combination. The word is composed of three components: 1) the word ‘Htq’ is the reverse of the dictionary word ‘qtH’; 2) ‘vgx’ is a dictionary word; 3) the words ‘bae’ and ‘b^3’ are the same after applying leet speech rules. |
| thycotic.com/resources/password-strength-checker/password-strength-checker-pop | 4 months to crack | 4 months to crack |
| www.grc.com/haystack.htm | 2.43 months to crack (average compute power) | 2.43 months to crack (average compute power) |
| rumkin.com/tools/password/passchk.php | 37.7 bits of entropy (reasonable) | 44.9 bits of entropy (reasonable) |
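The two behaviours the table exposes, shown side by side as an added example (this is illustrative code written for this page, not a John the Ripper rule file or any checker’s real logic): a toy rule-based candidate generator in the spirit of the cracking dictionaries described earlier, a rules-only check of the kind the meters that scored both samples identically perform, and a dictionary-aware check that undoes the manglings before looking the root up. The base wordlist, the leet map and the suffix list are constructed here and are tiny compared with real ones.

```python
"""Toy model of a rule-based password cracking dictionary.

Crackers start from a base wordlist and apply the same validity-rule
and mangling patterns that users apply, so a password like Mustang#1
is in the attacker's candidate set even though it passes every
complexity rule.  Illustrative code only; not a real rule engine.
"""
import itertools
import re

# Constructed sample base wordlist; a real one has millions of entries.
BASE_WORDS = ["mustang", "beyonce", "password", "dragon", "liverpool"]

# A small subset of the leetspeak substitutions real rule sets apply.
LEET = {"a": "@", "s": "$", "e": "3", "o": "0", "i": "1", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}

# Suffixes people bolt on to satisfy "must contain a digit / special".
SPECIALS = "!@#$%^&*"
DIGITS = [str(n) for n in range(100)] + ["123", "1234", "2020", "2021"]


def case_variants(word):
    """lowercase, Capitalized and UPPERCASE forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of leet substitutions applied to the word."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i].lower()]
            out.add("".join(chars))
    return out


def suffixes():
    """Empty, digit-only, special-only, special+digit and digit+special."""
    yield ""
    yield from DIGITS
    for s in SPECIALS:
        yield s
        for d in DIGITS:
            yield s + d
            yield d + s


def mangle(word):
    """All candidates this rule set derives from one base word."""
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suf in suffixes():
                yield leeted + suf


def build_dictionary(base_words):
    """The 'final' cracking dictionary: every mangling of every base word."""
    return {cand for w in base_words for cand in mangle(w)}


def passes_validity_rules(password, min_len=8):
    """What a rules-only strength meter checks; blind to dictionary roots."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


_TRAILING = re.compile(r"[\d" + re.escape(SPECIALS) + r"]+$")


def root_of(password):
    """Undo the usual manglings: strip the tacked-on suffix, reverse the
    leet substitutions and lowercase.  Returns the probable base word."""
    core = _TRAILING.sub("", password)
    return "".join(UNLEET.get(ch, ch) for ch in core).lower()


def is_dictionary_derived(password, base_words=BASE_WORDS):
    """What the better meters do: look the un-mangled root up in a wordlist."""
    return root_of(password) in set(base_words)


if __name__ == "__main__":
    crack_dict = build_dictionary(BASE_WORDS)
    for pw in ["Mustang#1", "Mu$t@ng#1", "Beyonce#1", "Htqvgxb^3"]:
        print(f"{pw:10} rules-only ok: {passes_validity_rules(pw)!s:5} "
              f"in cracking dictionary: {pw in crack_dict!s:5} "
              f"root: {root_of(pw)!r}")
```

Both sample passwords from the table pass `passes_validity_rules`, which is all a meter that scores them identically is doing; only `Mustang#1` (and its leet variant) lands in the generated cracking dictionary, and `root_of` recovers “mustang” from either spelling. Inverting the manglings is cheaper than enumerating them, which is why a dictionary-aware checker can be fast even though the attacker’s candidate set is large.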

Note: Microsoft used to publish an online password checker, but it seems to have disappeared: fear of liability?