What is the best way of ensuring that a user supplied password is a strong password in a registration or change password form?
One idea I had (in python)
Password strength checkers, and if you have time+resources (it's justified only if you are checking for more than a few passwords) use Rainbow Tables.
Don't evaluate complexity and/or strength, users will find a way to fool your system or get so frustrated that they will leave. That will only get you situations like this. Just require a certain length and that leaked passwords aren't used. Bonus points: make sure whatever you implement allows the use of password managers and/or 2FA.
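An added example, not part of the answer above or any poster's code: the length-plus-leaked-list check that answer recommends, in Python. The minimum length of 12, the maximum of 256, the `SHA1HEX:count` list format and all function names are assumptions, and the sample list is constructed.

```python
import hashlib
import unicodedata

MIN_LENGTH = 12    # assumed policy value; the answer only says "a certain length"
MAX_LENGTH = 256   # assumed generous cap so password-manager output is not rejected


def sha1_hex(text):
    # SHA-1 only indexes the leaked list here; it is not how passwords are stored.
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed sample of a leaked-password list, one "SHA1HEX:count" per line.
LEAKED_SAMPLE = "\n".join(
    f"{sha1_hex(p)}:{n}"
    for p, n in [("password123456", 5000), ("correcthorsebatterystaple", 200)]
)


def load_leaked(text):
    """Parse 'HASH:count' lines into a dict of hash -> times seen."""
    leaked = {}
    for line in text.splitlines():
        digest, _, count = line.strip().partition(":")
        if len(digest) == 40:  # skip blank or malformed lines
            leaked[digest.upper()] = int(count) if count else 1
    return leaked


def check_password(password, leaked):
    """Return a list of rejection reasons; an empty list means accepted."""
    # NFKC so the same password typed on different keyboards compares equal.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    seen = leaked.get(sha1_hex(normalized), 0)
    if seen:
        problems.append(f"found in leaked-password list ({seen} times)")
    # Deliberately no composition rules: any characters, spaces included, pass.
    return problems


LEAKED = load_leaked(LEAKED_SAMPLE)
```

The function returns reasons rather than a boolean so the form can tell the user exactly what to change.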
Depending on the language, I usually use regular expressions to check if it has:
You can require all of the above, or use a strength meter type of script. For my strength meter, if the password has the right length, it is evaluated as follows:
You can adjust the above to meet your needs.