A password, that contains: + at least one capital letter, + at least one small l

Question

A password, that contains:

+ at least one capital letter,
+ at least one small letter,
+ at least one number and
+ at least one non-alphanumeric character,

is considered moderate to strong (sometimes even very strong) on all systems, that I've been using so far... except Wordpress, where it is considered very weak.

What am I missing here? Am I dreaming, that password like above are at least moderate, while they're actually very weak (and person, who made Wordpress Network's password strenght meter is right) or someone at Wordpress has passed some borders and is treating moderate passwors as very weak, while they're actually moderate?

Explanation / Answer

There are different ways to measure password strength. Most sites probably do as you think, which is some formula that takes into account special characters, capital letters, numbers, etc. and the combination thereof. Another way, which it sounds like WordPress might employ, is measuring password strength by entropy.

In information theory, as the linked Wikipedia article says, "Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss."

You can test whether WordPress works in this manner by gauging how strong it calls your password as you simply make it longer (they probable include bare minimum length and complexity). It is actually quite likely they are using a hybrid version of these.

Related Questions

Navigate

• Browse (All)
• Browse A
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.