I've had this idea bumping around in my head for a while - I want to make the sort of password strength calculator that I'd find actually useful:
- You select a password-generation method (eg, 5d6 word lists, 4d6 word lists, MacOS Keychain's "Memorable password" mode, random letters and numbers, random letters and numbers and symbols, etc)
- You select strength parameters for that password-generation method (how many words are you rolling, how many characters are you randomly generating, etc)
- You select what this password is getting used for - is this a full-disk encryption password, a website login password, etc. The tool would do its best to present easy-to-understand options for common scenarios, but you can also just select a specific hash algorithm if you want.
- The tool calculates how many bits of entropy your password has, and then estimates how much money it would cost to crack that password, given currently-available computing hardware, electricity prices, etc. (idk exactly how it would calculate the cost of online attacks on website passwords, but I'm sure there's some sort of reasonable way to estimate either a time cost or a money cost?)
- You can also work backwards, and calculate the minimum value for the strength parameter in order to achieve a particular target cost.
Basically, tools that just analyze a particular password and use heuristics to guess its complexity aren't that useful, especially since a lot of my passwords are extremely high-entropy sequences of nothing but lowercase letters1. Ultimately, there's no such thing as a secure password in the abstract, there are only secure password-generation methods. And even then, just knowing how many bits of entropy my password has isn't that useful, if I only have a vague sense of what that means in practical terms. And tools that estimate how much time it'd take to crack a password elide a whole lot of assumptions about how the password is being hashed, who's trying to crack it, and what kind of hardware they have. I think the best way to actually get a broadly-useful metric of password strength is to estimate how many dollars of electricity or cloud compute time it'd take to crack it; if your adversary has more resources to throw around, maybe they'll run more processors in parallel, but it'll still cost them proportionally more. And then I can look at the output and say, OK, it would cost $300 million USD to crack an scrypt hash of this 6-word passphrase, that's safe from the kinds of threats it's reasonable for me to worry about.
For calculating costs, so far I've found
- hashcat benchmarks for an AWS p3.16xlarge instance ($8.39/hour at long-term pricing)
- hashcat benchmarks for an Nvidia RTX 4090 GPU (450 watts)
- Statistics on global electricity prices (looks like 25th percentile is around $80 USD/MWh?)
It seems like the RTX 4090 is more cost-efficient for most of the hashes that are in both benchmarks, but there's a few where the AWS instance does a lot better, probably to do with memory-hardness or something?
Also, I'm learning how awesome the units CLI tool is:
You have: (8.39 USD per hour) / (9296.6 kilohashes per second) * 2^60 hashes
You want: million USD
* 289.02476
I figured out how to edit my .units file to add "hashes" as a new primitive unit so I could write out the calculations more easily. It's a really clever program with a lot of fun features, there's just something really satisfying about dimensional analysis :)
Ultimately, if I end up finishing this, it'll probably look like a static webpage that does all the math client-side with vanilla JS. It could even provide an option to actually generate passwords, if there's a good secure source of randomness and if the user trusts my code :p
-
My preferred method (for passwords I actually need to memorize) is to roll words from a 4d6 word list where each word has a distinct three-letter prefix. I have the full words as a mnemonic, but I just string together the first three letters of each word as the password I actually type in - like, I roll "correct horse battery staple", so my password is
corhorbatsta, with about 3.4 bits of entropy per letter. For passwords I don't need to memorize, I just have my password manager generate a long random string of letters/numbers/symbols.