I decided to play around with GMail's password strength-o-meter to see just how it did. The answer? Not too well. I wouldn't consider much of what it rated "strong" passwords to actually be strong passwords. Many were based on dictionary words. Many were simply a string of words. Many were made entirely of lowercase alpha characters. Check it out.
Before conducting the test, I filled my name (Mackenzie) into the first name field. I also tried it in the last name field, since my last name isn't long enough to use as a comparison for last name.
Bad things you should notice:
- Proper nouns are strong
- All-lowercase strings are strong
- Simple character replacement a la "leetspeak" (see "13375p34k" above) makes a password strong
- Spelling your name forwards is weak, but backwards is strong
- Common default passwords (default1, changeme) are marked as anything other than weak
- Easy targets for social engineering are marked as good passwords
A good password cracker will check for variations on spellings, including backwards and 1337, when performing a dictionary attack. When it comes to brute force cracking, having an all-lowercase password is no protection at all. If you have an 8-character password (GMail's minimum), and you use all lowercase letters, there are 8,031,810,176 (26^7) possible passwords. A modern processor can attempt 10,000,000 passwords each second. Do the math, and you find it takes only 13 minutes to brute force such a password. Using djohn? Even less time. There should not be a single all-alpha—let alone all-lowercase—password in the "strong" list, especially at only 8 characters. OK, so those figures are for locally cracking a password. Over the network, using a tool such as Medusa, it is limited by latency. Get yourself on a fast pipe, and it still won't take long. Know any hackers with 30Mbit FiOS? I do.
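To make the "do the math" concrete, here is an added example (not Google's meter and not code from the original post) that rates a password the way a cracker would approach it: it undoes 1337-speak and reversal, strips a trailing year, checks the result against a small constructed wordlist plus the user's own name, and computes the worst-case brute-force time as charset size to the power of the length at the 10,000,000 guesses per second assumed above. The wordlist, the one-day and one-year thresholds, and the verdict labels are this example's own assumptions.

```python
import re

# Constructed stand-in for a cracker's dictionary (assumption: real lists are far larger).
WORDLIST = {"password", "default", "changeme", "mary", "leetspeak", "welcome"}
# Undo the common 1337 substitutions so "13375p34k" normalises to "leetspeak".
UNLEET = str.maketrans("013457@$!", "oleastasi")
GUESSES_PER_SECOND = 10_000_000          # the post's assumed local cracking rate
DAY, YEAR = 86_400, 365 * 86_400         # thresholds are this example's own choice

def charset_size(pw):
    """Size of the smallest standard character-class set that covers pw."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))

def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace: charset ** length guesses at rate/s."""
    return charset_size(pw) ** len(pw) / rate

def dictionary_hits(pw, names=()):
    """Normalised forms of pw that a wordlist attack with common rules would catch."""
    base = pw.lower()
    forms = {base, base[::-1], base.translate(UNLEET), base.translate(UNLEET)[::-1]}
    forms |= {re.sub(r"\d+$", "", f) for f in forms}   # strip a trailing year or digit
    words = WORDLIST | {n.lower() for n in names}
    return sorted(f for f in forms if f in words)

def rate_password(pw, names=()):
    """Return (verdict, reasons) with verdict in {"weak", "fair", "strong"}."""
    reasons = [f"matches wordlist/name as {h!r}" for h in dictionary_hits(pw, names)]
    secs = brute_force_seconds(pw)
    if secs < DAY:
        reasons.append(f"brute-forced in {secs / 3600:.1f} hours")
    if reasons:
        return "weak", reasons
    if secs < YEAR:
        return "fair", [f"keyspace exhausted in {secs / DAY:.0f} days"]
    return "strong", []

if __name__ == "__main__":
    # The first four are passwords the post discusses; the last two are constructed.
    for pw in ["mary1988", "13375p34k", "eiznekcam", "default1", "hamburger", "Tr0ub4dor&3x"]:
        print(pw, rate_password(pw, names=["Mackenzie"]))
```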
Now, see that "mary1988" which was rated "good"? Yes, it has letters and numbers, but there's something in particular about it. See, it's a first name followed by a year. When an adult is told they need letters and numbers, but password1 won't work, what do they do? They often put their child's first name followed by the year they were born. Social engineering, anyone? A friend of mine has a sticker on his laptop which says:
SOCIAL ENGINEERING SPECIALIST
Because there is no patch for human stupidity
While it is good that Google is trying to make people a bit more aware of password security, I don't believe they are being stringent enough. They have an 8-character minimum. Nothing which is the minimum length should have made it to "strong". A strong password should have 10 to 12 characters minimum (15 on Windows, due to a flaw in how it hashes passwords). Their password strength rater is leading people into a false sense of security. Please don't trust it. I know you can do better. If you think you can't do better and still remember your password, well, I'll post in a few days with a method for remembering good, strong passwords.