Something I was playing around with for a tool to roughly calculate the difficulty of guessing a password, just based on types of characters used and the length of the password. (I.e., it does not try to consider things like dictionary words versus random strings, most commonly used characters, etc.)

/**
 * Calculate the complexity of a password as the possible permutations
 * for the types of characters used and the password length. Does not
 * consider things like dictionary words, common patterns, et cetera
 * 
 * @param string $password
 * @return string (Numeric string from BCMath calculation)
 */
function PasswordComplexity($password)
{
    if(strlen($password) < 1) 
    {
        return '0';
    }
    $charsets = array(
        '/[a-z]/' => 26,
        '/[A-Z]/' => 26,
        '/\d/' => 10,
        '/[^a-zA-Z0-9]/' => 10, // kludge for any other characters!
    );
    $chars = 0;
    foreach ($charsets as $regex => $num)
    {
        $chars += preg_match($regex, $password) ? $num : 0;
    }
    return bcpow($chars, strlen($password));
}
    im_dalecosp;11057053 wrote:

    Proving XKCD right, I see!

    Yep.

    'Tr0ub4dor&3':
      269561249468963094528
    'correcthorsebatterystaple':
      236773830007967588876795164938469376
    

    🙂

    Sometimes size does matter. 😉

      Hey, if you're a mod can you approve my post in Feedback? (Maybe you're not ...)

        im_dalecosp;11057059 wrote:

        Hey, if you're a mod can you approve my post in Feedback? (Maybe you're not ...)

        I'll copy/paste it into the private team forum here, just to keep that stuff out of the public eye.

          Heheh, thanks. Perhaps I should remove my avatar ... 😉

            I posted in the team forum and moved your Feedback thread to our ultra-secret, if-I-told-you-I'd-have-to-shoot-you forum. Hopefully an admin will fix things or be in contact with you soon.

              6 months later

              Hey, he did! It took some back-and-forth, but I got my account back. Special thanks to Brad Jones at Quinstreet ...

              I just thought I'd post here and tell you that, Nog! im_dalecosp

                And since the thread was moved, I can't click "Resolved", but please do know Brad Jones that your hard work is appreciated!! 🙂

                  7 months later
                  $ret = PasswordComplexity( 'zM4(g:Il' );
                  echo $ret;
                  echo '<br>';
                  echo strlen($ret);
                  
                  

                  I like this script.

                  As you can see I display the length of the result.
                  This gives a better way to compare different results.
                  Gives the number of digits in result.
                  In this case length is 15 digits.

                    log10 would be more accurate.

                      Hmm.

                      # tail -f -n1 /var/log/php_error_log
                      [29-Sep-2017 09:56:17 America/Chicago] PHP Fatal error:  Call to undefined function bcpow() in /usr/home/admin/scripts/pass_test on line 34
                      
                      #php -v
                      PHP 5.6.25 (cli) (built: Sep  8 2016 11:46:53)
                      Copyright (c) 1997-2016 The PHP Group
                      Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
                      

                      Anyone know what's up with that?

                        dalecosp;11064077 wrote:

                        Hmm.

                        # tail -f -n1 /var/log/php_error_log
                        [29-Sep-2017 09:56:17 America/Chicago] PHP Fatal error:  Call to undefined function bcpow() in /usr/home/admin/scripts/pass_test on line 34
                        
                        #php -v
                        PHP 5.6.25 (cli) (built: Sep  8 2016 11:46:53)
                        Copyright (c) 1997-2016 The PHP Group
                        Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
                        

                        Anyone know what's up with that?

                        Nevermind. I am ROOT!!!! 😃

                        sudo pkg install math/php56-bcmath

                        :rolleyes:

                          Weedpacket;11064073 wrote:

                          log10 would be more accurate.

                          I don't want to doubt, but you mean using log10 in place of bcpow?

                          If so, can you help then to explain (when you have time), the following?

                          $s = "correct horse battery staple";
                          $t = "yBKcTR98";
                          echo "Complexity of 's': " .PasswordComplexity($s);
                          echo "\nComplexity of 't': " .PasswordComplexity($t);
                          
                          Complexity of 's': 1.5563025007673
                          Complexity of 't': 1.7923916894983

                          XKCD is wrong?

                            No, log10 in place of strlen; ceil(log10($ret)) being equivalent to strlen($ret).

                              I have been searching for Password Strength testers for a few days.
                              There are many, but most of them are doubtful in the result.

                              But now I have finally found a good one:
                              http://rumkin.com/tools/password/passchk.php
                              He gives the result as an Entropy value.
                              I recommend that one!

                                Let's just say, what with my phone having a virtual keyboard and all, on it I use passwords like "🌿4Go2🛏" (though that of course isn't one of them).

                                  Weedpacket;11064133 wrote:

                                  Let's just say, what with my phone having a virtual keyboard and all, on it I use passwords like "🌿4Go2🛏" (though that of course isn't one of them).

                                  The result of your password, Weedpacket,
                                  using the password tester in my post above:

                                  Length: 8
                                  Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
                                  Entropy: 38.8 bits
                                  Charset Size: 222 characters

                                  What is noticeable is the charset used in the password.
                                  It has as many chars as 222.

                                    Length 8, huh? I only count six characters: "🌿", "4", "G", "o", "2", and "🛏". Of course, JavaScript counts the first and last as two each.

                                    The character set was determined as: 26 upper case letters, 26 lower case letters, 10 digits, and 160 characters from outside printable ASCII (i.e. characters 0x00 through 0x1f inclusive, and 0x7f and 0xff inclusive). But 🛏 for example, is represented by the two characters 0xd83d and 0xdecf, both obviously outside those ranges. The program should have counted the length as ten characters, for an entropy of 47.9 bits.

                                    What's also odd is that the code reckons that `~-_=+[{]}|;:'",<.>/? contains 20 characters.

                                    It should go without saying that my real passwords tend to be a bit longer (the password I use for this site is over 20 characters).
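
Added example, not written by any poster in this thread: it expresses the first post's estimate in bits (length × log2 of the pool size, so no BCMath is needed) and shows how the result shifts depending on whether length is counted in bytes (PHP's strlen, as in the original function), UTF-16 code units (JavaScript's length) or Unicode code points. The function names are hypothetical, the pool sizes are the first post's own rough figures, and PHP 7 or later is assumed.

```php
<?php
// Added illustration for this thread; all function names are hypothetical.

// Pool size from the same four classes (and the same kludge) as the first post.
function poolSize(string $password): int
{
    $classes = ['/[a-z]/' => 26, '/[A-Z]/' => 26, '/\d/' => 10, '/[^a-zA-Z0-9]/' => 10];
    $pool = 0;
    foreach ($classes as $regex => $size) {
        $pool += preg_match($regex, $password) ? $size : 0;
    }
    return $pool;
}

// Three ways of measuring the "length" of a UTF-8 password.
function lengths(string $password): array
{
    // The /u modifier makes PCRE read the subject as UTF-8, so "." is one code point.
    $codePoints = preg_match_all('/./su', $password);
    if ($codePoints === false) {
        throw new InvalidArgumentException('password is not valid UTF-8');
    }
    // Code points above U+FFFF take two UTF-16 code units (a surrogate pair).
    $astral = preg_match_all('/[\x{10000}-\x{10FFFF}]/u', $password);
    return [
        'bytes (strlen)' => strlen($password),
        'UTF-16 units'   => $codePoints + $astral,
        'code points'    => $codePoints,
    ];
}

// Size of the search space in bits: log2(pool ^ length) = length * log2(pool).
function bits(int $length, int $pool): float
{
    return $pool > 0 ? $length * log($pool, 2) : 0.0;
}

// Sample passwords are the ones quoted in the thread.
$samples = ['Tr0ub4dor&3', 'correcthorsebatterystaple', "\u{1F33F}4Go2\u{1F6CF}"];
foreach ($samples as $pw) {
    $pool = poolSize($pw);
    echo $pw, " (pool ", $pool, ")\n";
    foreach (lengths($pw) as $unit => $len) {
        printf("  %-16s length %2d -> %5.1f bits\n", $unit, $len, bits($len, $pool));
    }
}
```

For the emoji sample the three counts are 12, 8 and 6, so two tools' figures are only comparable when they count the same unit.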
