
There is no way to tell if a password is strong since it may be reused.

Instead services should provide a random password so the strength can be known.

For example, this is a 128 bit password: CR4EOJ5ZYQRKCGQV4OLN2ZRFS.

Since that is a random number provided by the service it has a guaranteed strength of 128 bits.

Some in this thread seem to gloss over a vital point: security is measured in bits.

The whole character set stuff, "this many characters, special character, must include a number" is meaningless. Instead, a target strength in terms of bits should be specified. That can be represented in whatever base or alphabet is desired. This tool helps make that point: https://convert.zamicol.com/#?inAlph=0123456789ABCDEFGHIJKLM...



> There is no way to tell if a password is strong since it may be reused.

Very good point. From that perspective any reported strength can be extremely misleading.

As far as bits go, this is where I get a bit lost. Calculating the number of bits only makes sense if the attacker knows what your character set is. Otherwise they will need to iterate over the full set of characters.

So a 20 character password of Xs and Ys is just as strong as a 20 character password with lowercase, uppercase, digits, and 10 symbols (72 options) as far as I can tell.

The other issue is, even if I have the entropy of the password I don’t know what “strong” really means. Presumably something like logarithm > some value, but that value also seems completely arbitrary.


A random 20 character password in base 72 is equivalent to a 124 character password in base 2. They have the same amount of security: 124 bits. https://convert.zamicol.com/#?inAlph=0123456789ABCDEFGHIJKLM...

If a service didn't want to store 124 _bytes_ in a database to represent the above base 2 password, it can use a hashing algorithm like SHA256 to reduce the storage requirements to 32 bytes. The password still has 124 _bits_ of entropy even though 256 bits are stored.

> Calculating the number of bits only makes sense if the attacker knows what your character set is.

Assume that the attacker knows the character set in both cases, as this is the worst-case scenario. The equivalence is then apparent.

> I don’t know what “strong” really means

Strength in information theory is entropy, and entropy is measured in bits. https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a...
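The arithmetic behind the exchange above, as an added example (not code from any poster or from the linked tool): entropy of a uniformly random password is length × log2(alphabet size), which is why 20 characters over 72 symbols lands near 124 bits while 20 characters of only X and Y give 20 bits, and why a service can hand out a password with a known strength by choosing the length for a target bit count.

```python
import math
import secrets


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` distinct symbols."""
    if alphabet_size < 2 or length < 0:
        raise ValueError("alphabet needs at least 2 symbols, length >= 0")
    return length * math.log2(alphabet_size)


def chars_for_target(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits` in this alphabet."""
    if alphabet_size < 2:
        raise ValueError("alphabet needs at least 2 symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(target_bits: float, alphabet: str) -> str:
    """Generate a password from `alphabet` with at least `target_bits` of
    entropy, using the OS CSPRNG (secrets), so its strength is known."""
    symbols = "".join(sorted(set(alphabet)))  # drop duplicate symbols
    n = chars_for_target(target_bits, len(symbols))
    return "".join(secrets.choice(symbols) for _ in range(n))


# Constructed alphabets for the comparison made in the thread.
BASE72 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!@#$%^&*()"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 base32 symbol set

if __name__ == "__main__":
    print("20 chars, base 72:", round(entropy_bits(20, 72), 1), "bits")
    print("20 chars of X/Y:  ", entropy_bits(20, 2), "bits")
    print("base32 chars for 128 bits:", chars_for_target(128, 32))
    print("example:", random_password(128, BASE32))
```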


Yes, I know that strength is measured in entropy. The question is what the benchmark for a “strong” password is.
