If I created a password that meets strength requirements (16-18 characters, alphanumeric, mixed case, symbols, etc.), why do different websites and apps give different evaluations on its quality?


For example, this password in [Kaspersky Password Strength Checker, Password Strength Meter, and KeepassXC](https://imgur.com/a/JncC5JB) has different results (tried others as well and there’s no consensus).

In short, why is there seemingly no standard measure for password strength?

Edit: Many thanks to all who made me see the light. You’re all MVPs and very much appreciated.

In: 8

Because most of those algorithms basically assume “you have X amount of key strokes, you got these many characters, that’s X^Y combinations, trying them each would take Z long”

This isn’t accurate, true or even useful really. It’s just an easy method to code to encourage longer passwords.

Because “password strength” is a BS concept. If the formula for a password is known, then a probability can be calculated. This concept presumes random guessing. The value judgements like “strong” or “moderate” are not really useful.

> In short, why is there seemingly no standard measure for password strength?

There’s no standard way to crack a password, so there’s no standard way to judge the strength.

One way to crack passwords is to start from a database of known common passwords. If different crackers have different lists of common passwords, they’re going to be more or less likely to crack a given password.

Also, a password becomes significantly weaker if used across multiple different websites. Make sure the password you use for your bank is not used anywhere else. Make sure the password for your email is not used anywhere else (because your email is how you usually reset your other passwords).

There’s a lot more to password security than just the letters in your password.

Imagine a “strong” password of CommonWord1-2-3

Upper, lower, digits, special characters.

Probably would be cracked pretty fast by most algorithms, though.

Ultimately it comes down to information entropy, a concept thoroughly explored by Claude Shannon.

Information entropy is the opposite of predictability. Predictability is bad because something predictable can be guessed. The essence of predictability is in recognizing patterns. Human language is full of patterns and passwords based on language are in turn.

Detecting patterns is a mixed bag. For patterns we know how to recognize we can detect them. When we fail to detect a pattern, is there no pattern or simply a pattern that isn’t obvious? Consider mzqpnxwo as a password: can you spot the pattern?

All of this is to say that a perfect password has no pattern. We can prove that a password has a pattern but we cannot prove that a password has no pattern.