Password strength function

Started by ., Apr 10, 2017, 10:06 PM


.

This was a request by someone and, as the title says, it's meant to show how hard a password is to brute-force. It takes into account character diversity, repetition, succession and size to generate a strength score.

But what do I mean by that? Well, this is what I mean:
  • diversity: Is meant to award passwords that contain lowercase and uppercase letters as well as digits and symbols. More diversity means a greater score. Examples:
    • h%s4(k&^s yields a score of 45 (the following, even though not as diverse as this one, are awarded by the size and succession checks)
    • s62h356fs yields a score of 36
    • 374652942 yields a score of 32
    • ajshwfown yields a score of 41
  • repetition: Is meant to punish passwords that have repeating characters. Examples:
    • aabbccdde yields a score of 11
    • aaaaaaaaa yields a score of -4
    • 882222999 yields a score of 21
    • %%%^&&&(( yields a score of 23
  • succession: Is meant to punish passwords that contain successive characters. Examples:
    • abcdefghi yields a score of 3
    • 123456789 yields a score of 3
    • !"#$%&() yields a score of 7
    • abc123xyz yields a score of 22

As you can see, passwords that have a score greater than 10 are likely to be harder to brute-force. And those with scores greater than 20, 30, 40 are right there on the insane scale. Length also plays an important role.

What this doesn't check for, are dumb passwords like "passwords", "qwertyui", "asdfghj", "mypass". For these things, you must implement your own rainbow-table and do a manual check. There's only so much that a function like this can do.

Anyway, here's the snippet:
function PasswordStrength(p)
{
    // Ignore empty or dumb passwords
    if (!p || p.len() <= 1) return -999;
    // Preallocate all variables upfront
    local d = 0, u = 0, l = 0, s = 0, r = 0, a = array(0xFF, 0), t = p.len();
    // Classify characters
    foreach (c in p)
    {
        // Count repetition
        if (++a[c] > 1) ++r;
        // Count diversity
        else if (c >= '0' && c <= '9') ++d;
        else if (c >= 'A' && c <= 'Z') ++u;
        else if (c >= 'a' && c <= 'z') ++l;
        else if (c >= ' ' && c <= '/') ++s;
        else if (c >= ':' && c <= '@') ++s;
        else if (c >= '[' && c <= '`') ++s;
        else if (c >= '{' && c <= '~') ++s;
    }
    // Score diversity
    if (d > 0) t += d; else t -= 2;
    if (u > 0) t += u; else t -= 2;
    if (l > 0) t += l; else t -= 2;
    if (s > 0) t += s; else t -= 2;
    // Score repetition
    if ((p.len() - r) < 3) t -= r; else t += p.len();
    // Score succession
    for (local i = 2, j = p[0], k = p[1], x = abs(k - j), o = (x == 1).tointeger(), n = p.len();
            i < n;
            j = k, k = p[i], ++i, x = abs(k - j), o += (x == 1).tointeger())
    {
        if (x == 1) {
            if (o > 2) t -= 3;
            else if (o > 1) t -= 2;
            else if (o > 0) t -= 1;
        } else if (x > 3) t += 3, o = 0;
        else if (x > 2) t += 2, o = 0;
        else if (x > 1) t += 1, o = 0;
    }
    // Return resulted score
    return t;
}

NOTE: This is a dumb algorithm made on the fly. No books or guides were hurt in the process. Therefore, it may have weaknesses and is far from perfect. But it's something.
.
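A Python port of the Squirrel PasswordStrength() function above, added here for illustration (it is not code from the thread). It follows the posted scoring rules step for step so that the scores listed in the post are reproduced exactly, and it assumes ASCII passwords, as in the examples. One detail worth seeing in the port: the original for-loop computes the last adjacent pair in its update clause after the final scored iteration, so that pair never contributes to the succession score.

```python
SYMBOL_RANGES = ((" ", "/"), (":", "@"), ("[", "`"), ("{", "~"))


def password_strength(p: str) -> int:
    # Empty or one-character passwords are rejected outright, as in the original.
    if not p or len(p) <= 1:
        return -999
    n = len(p)
    t = n                            # length is the starting score
    d = u = l = s = r = 0            # digits, upper, lower, symbols, repeats
    seen = {}
    # A character is classified only on its first appearance; later
    # occurrences count as repetition and add nothing to diversity.
    for ch in p:
        seen[ch] = seen.get(ch, 0) + 1
        if seen[ch] > 1:
            r += 1
        elif "0" <= ch <= "9":
            d += 1
        elif "A" <= ch <= "Z":
            u += 1
        elif "a" <= ch <= "z":
            l += 1
        elif any(lo <= ch <= hi for lo, hi in SYMBOL_RANGES):
            s += 1
    # Diversity: each class present adds its count, each missing class costs 2.
    for count in (d, u, l, s):
        t += count if count > 0 else -2
    # Repetition: fewer than three distinct characters costs the repeat count,
    # otherwise the full length is added a second time.
    if n - r < 3:
        t -= r
    else:
        t += n
    # Succession: a run of consecutive codes costs 1, 2, then 3 per step; a
    # jump of 2, 3 or more earns 1, 2 or 3 and ends the run. Only the first
    # n-2 pairs are scored, because the original for-loop computes the last
    # pair in its update clause after the final scored iteration.
    o = 0
    for i in range(n - 2):
        x = abs(ord(p[i + 1]) - ord(p[i]))
        if x == 1:
            o += 1
            t -= min(o, 3)
        elif x > 1:
            t += min(x - 1, 3)
            o = 0
    return t
```

Running it over the passwords from the post gives the same numbers the post lists, which is a quick way to check that any reimplementation in another language has not drifted from the original.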

Sebastian

The only server I've seen with such a feature is @Drake 's XE Server.
Great release! Maybe players will be influenced by the result of their pass strength, and make it harder to guess.

vito

Cool feature, but in fact, it's just vc-mp. I use password 121212 or 123123 for almost all servers and I don't really care about my accounts there. I do not want servers forcing me to store a normal password just to play there (storing, because I won't even try to remember it).

.

Quote from: vito on Apr 11, 2017, 05:28 AM
Cool feature, but in fact, it's just vc-mp. I use password 121212 or 123123 for almost all servers and I don't really care about my accounts there. I do not want servers forcing me to store a normal password just to play there (storing, because I won't even try to remember it).

You say that because you play on servers where the database is dropped every few days when some magic thing happens and the dev either failed at migrating changes or didn't know how. So it was easier to start from scratch.

What I'm saying is that you're playing mostly on servers where a database is just a joke and not there to stay. Therefore, it would be useless to care about an account.

But if the situation were different, you'd care to not have your account broken. And you'd b!tch about it to the owner if that happened.

Either way. That's your choice and your problem. Not mine.
.

vito

Quote from: happymint on Apr 11, 2017, 05:33 AM
But if the situation were different, you'd care to not have your account broken. And you'd b!tch about it to the owner if that happened.

Either way. That's your choice and your problem. Not mine.

Not really. If my account were hacked there (it never has been before), I would just create a new one.

The problem is that everyone thinks his server is awesome and needs to force players to use strong passwords (like XE, for example). So I used a random password for it and don't even remember it, and now if I want to play there I have to register a new account.
Mainly, it's a good feature as a tip for players, if it still allows the use of simple passwords.

Sebastian

Quote from: vito on Apr 11, 2017, 05:51 AM
Mainly, it's a good feature as a tip for players

Totally agree. This is why I used the word "influence".

Quote from: sseebbyy on Apr 10, 2017, 11:41 PM
Maybe players will be influenced by the result of their pass strength, and make it harder to guess.

Players shouldn't be forced to write a harder password, but only be warned about how good/bad their pass is.