The meters are designed to help users understand if their password choices will resist attempts to crack them.
The trouble is, they don’t quite do that.
The Theory
The best way to determine how difficult it is to crack a password is to try doing just that.
But attempting to crack passwords requires lots of time and lots and lots of processing power, and it isn’t a practical solution for websites.
The next best option is to try to work out what characteristics passwords that are difficult to crack share, and to check for those instead.
Simple password meters check the length and entropy of the password and have checklists for the kinds of things that users are advised to include in their passwords: mixtures of upper and lower case letters, numbers and special characters, for example.
That helps determine a password’s ability to withstand a brute force attack (an attacker making guesses at random), but being resistant to brute force attacks is only useful if that’s what an attacker is going to do, and it probably isn’t.
A brute force attack assumes that all guesses are equally good.
The reality is that some guesses are far better than others because our password choices are not random – they’re underpinned by patterns and habits.
Modern password cracking is about making smart guesses in the order that’s most likely to yield the greatest number of cracked passwords for the least effort.
Attackers can feed their cracking software with huge repositories of real words and then create rules to modify those words in the same way we do when we create passwords.
They know that some words are used more often than others and they know about the cute tricks and bad habits we use to obfuscate them. They know that we use 0s instead of Os and 4s instead of As, and they know that we tend to put our upper case letters, special characters and numbers at the beginning and end of our passwords.
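To make the gap between the two approaches concrete, here is an added example (not code from the original post): a checklist-style meter of the kind described above, next to a small dictionary-plus-rules guesser that applies the habits listed here (capitalising the first letter, 0 for O and 4 for A, digits and symbols at the end). The five-entry word list and the suffix list are constructed for the illustration and are assumptions about what a real rule set contains; a real cracker works from millions of words and far more rules. The point it demonstrates is that a password the meter rates as strong, with a brute-force estimate of about 65 bits, falls inside the first few dozen rule-based guesses.

```python
import math
import string

# Constructed sample word list (assumption: a real list has millions of entries).
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey"]

# Substitutions named in the text: 0 instead of O, 4 instead of A.
LEET = str.maketrans({"o": "0", "a": "4"})

# Assumed common suffixes; numbers and symbols tend to go at the end, as the text notes.
SUFFIXES = ["", "1", "!", "123", "1!", "2024"]


def checklist_meter(pw):
    """Naive meter: length, character-class checklist and a brute-force entropy estimate.

    Returns {"bits": estimated brute-force bits, "strong": checklist verdict}.
    """
    has = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    # Brute force assumes every character is drawn uniformly from the pool in use.
    pool = sum(sizes[k] for k, present in has.items() if present)
    bits = len(pw) * math.log2(pool) if pool else 0.0
    strong = len(pw) >= 8 and all(has.values())
    return {"bits": round(bits, 1), "strong": strong}


def rule_candidates(words):
    """Yield guesses in rule order: base word, capitalised, leet-substituted, with suffixes."""
    for word in words:
        for cased in (word, word.capitalize()):
            for leeted in (cased, cased.translate(LEET)):
                for suffix in SUFFIXES:
                    yield leeted + suffix


def guesses_needed(pw, words=WORDLIST):
    """Return how many distinct rule-based guesses it takes to reach pw, or None if never."""
    seen = set()
    count = 0
    for guess in rule_candidates(words):
        if guess in seen:  # rules that change nothing (no o/a in the word) repeat guesses
            continue
        seen.add(guess)
        count += 1
        if guess == pw:
            return count
    return None


def compare(pw):
    """Side-by-side view: what the meter says versus how soon a rule-based guesser hits it."""
    meter = checklist_meter(pw)
    return {
        "password": pw,
        "meter_strong": meter["strong"],
        "brute_force_guesses": 2 ** meter["bits"],
        "rule_based_guesses": guesses_needed(pw),
    }


if __name__ == "__main__":
    for candidate in ("P4ssw0rd1!", "monkey", "xq7!Gz9mLp"):
        print(compare(candidate))
```

`P4ssw0rd1!` ticks every box on the checklist and the meter credits it with roughly 2^65 brute-force guesses, yet it is the 23rd candidate the rule-based guesser tries. The last candidate is not in the word list at all, so the guesser never reaches it; that difference, not the character-class count, is what separates a resistant password from one that merely looks resistant to a meter.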