Password complexity calculator

NogDog

Something I was playing around with for a tool to roughly calculate the difficulty of guessing a password, just based on types of characters uses and the length of the password. (I.e., it does not try to consider things like dictionary words versus random strings, most commonly used characters, etc.)

/**
 * Calculate the complexity of a password as the possible permutations
 * for the types of characters used and the password length. Does not
 * consider things like dictionary words, common patterns, et cetera
 * 
 * @param string $password
 * @return string (Numeric string from BCMath calculation)
 */
function PasswordComplexity($password)
{
    if(strlen($password) < 1) 
    {
        return '0';
    }
    $charsets = array(
        '/[a-z]/' => 26,
        '/[A-Z]/' => 26,
        '/\d/' => 10,
        '/[^a-zA-Z0-9]/' => 10, // kludge for any other characters!
    );
    $chars = 0;
    foreach ($charsets as $regex => $num)
    {
        $chars += preg_match($regex, $password) ? $num : 0;
    }
    return bcpow($chars, strlen($password));
}

im_dalecosp

Proving XKCD right, I see!

NogDog

im_dalecosp;11057053 wrote:
Proving XKCD right, I see!

Yep.

'Tr0ub4dor&3':
  269561249468963094528
'correcthorsebatterystaple':
  236773830007967588876795164938469376

🙂

Sometimes size does matter. 😉

im_dalecosp

Hey, if you're a mod can you approve my post in Feedback? (Maybe you're not ...)

NogDog

im_dalecosp;11057059 wrote:
Hey, if you're a mod can you approve my post in Feedback? (Maybe you're not ...)

I'll copy/paste it into the private team forum here, just to keep that stuff out of the public eye.

im_dalecosp

Heheh, thanks. Perhaps I should remove my avatar ... 😉

NogDog

I posted in the team forum and moved your Feedback thread to our ultra-secret, if-I-told-you-I'd-have-to-shoot-you forum. Hopefully an admin will fix things or be in contact with you soon.

im_dalecosp

Hey, he did! It took some back-and-forth, but I got my account back. Special thanks to Brad Jones at Quinstreet ...

I just thought I'd post here and tell you that, Nog! ~~im_dalecosp~~

im_dalecosp

And since the thread was moved, I can't click "Resolved", but please do know Brad Jones that your hard work is appreciated!! 🙂

halojoy

$ret = PasswordComplexity( 'zM4(g:Il' );
echo $ret;
echo '<br>';
echo strlen($ret);

I like this script.

As you can see I display the length of the result.
This gives a better way to compare different results.
Gives the number of digits in result.
In this case length is 15 digits.

Weedpacket

[man]log10[/man] would be more accurate.

dalecosp

Hmm.

# tail -f -n1 /var/log/php_error_log
[29-Sep-2017 09:56:17 America/Chicago] PHP Fatal error:  Call to undefined function bcpow() in /usr/home/admin/scripts/pass_test on line 34

#php -v
PHP 5.6.25 (cli) (built: Sep  8 2016 11:46:53)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

Anyone know what's up with that?

dalecosp

dalecosp;11064077 wrote:

Hmm.

# tail -f -n1 /var/log/php_error_log
[29-Sep-2017 09:56:17 America/Chicago] PHP Fatal error:  Call to undefined function bcpow() in /usr/home/admin/scripts/pass_test on line 34

#php -v
PHP 5.6.25 (cli) (built: Sep  8 2016 11:46:53)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

Anyone know what's up with that?

Nevermind. I am ROOT!!!! 😃

sudo pkg install math/php56-bcmath

:rolleyes:

dalecosp

Weedpacket;11064073 wrote:
[man]log10[/man] would be more accurate.

I don't want to doubt, but you mean using log10 in place of bcpow?

If so, can you help then to explain (when you have time), the following?

$s = "correct horse battery staple";
$t = "yBKcTR98";
echo "Complexity of 's': " .PasswordComplexity($s);
echo "\nComplexity of 't': " .PasswordComplexity($t);

Complexity of 's': 1.5563025007673
Complexity of 't': 1.7923916894983

XKCD is wrong?

Weedpacket

No, log10 in place of strlen; ceil(log10($ret)) being equivalent to strlen($ret).

halojoy

I have been searching for Password Strength testers for a few days.
There are many, but most of them are doubtful in the result.

But now I have finally found a good one:
http://rumkin.com/tools/password/passchk.php
He gives the result as an Entropy value.
I recommend that one!

Weedpacket

Let's just say, what with my phone having a virtual keyboard and all, on it I use passwords like "🌿4Go2🛏" (though that of course isn't one of them).

halojoy

Weedpacket;11064133 wrote:
Let's just say, what with my phone having a virtual keyboard and all, on it I use passwords like "🌿4Go2🛏" (though that of course isn't one of them).

The result of your password, Weedpacket,
using the password tester in my post above:

Length: 8
Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
Entropy: 38.8 bits
Charset Size: 222 characters

What is noticable is the charset used in the password.
It has so many chars as 222.

Weedpacket

Length 8, huh? I only count six characters: "🌿", "4", "G", "o", "2", and "🛏". Of course, JavaScript counts the first and last as two each.

The character set was determined as: 26 upper case letters, 26 lower case letters, 10 digits, and 160 characters from outside printable ASCII (i.e. characters 0x00 through 0x1f inclusive, and 0x7f and 0xff inclusive). But 🛏 for example, is represented by the two characters 0xd83d and 0xdecf, both obviously outside those ranges. The program should have counted the length as ten characters, for an entropy of 47.9 bits.

What's also odd is that the code reckons that [font=monospace]`~-_=+[{]}|;:'",<.>/?[/font] contains 20 characters.

It should go without saying that my real passwords tend to be a bit longer (the password I use for this site is over 20 characters).