Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it. The strength of a password is a function of length, complexity, and randomness. However, other attacks on passwords can succeed without a brute-force search of every possible password. For instance, knowledge about a user may suggest possible passwords (such as pet names, children's names, etc.). Hence estimates of password strength must also take into account resistance to these other attacks.
The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds:
- Common sequences from a keyboard row: 12345678, 111111, abcdefg, asdf, qwer
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh
- Identifiers: jsmith123, 1/1/1970, 555–1234, one's username, etc.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., including words in non-English dictionaries
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, relative's or pet's names/nicknames/birthdays/initials, etc.
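A password-acceptance check for the pattern classes listed above, as an added example that is not part of the original article. The word list, keyboard rows, substitution table and function names are constructed for illustration, and an empty result only means none of these patterns matched, not that the password is strong.

```python
import re

# Constructed sample data (assumptions for this example, not a real wordlist).
WORDS = {"password", "goldfish", "chameleon", "redsox", "sandbags", "bunnyhop"}
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Undo the simple substitutions from the list: @->a, 0->o, 1->i, 3->e, ...
LEET = str.maketrans("@4301!$57", "aaeoiisst")


def has_sequence(pw, min_run=4):
    """True if pw contains a keyboard/alphabet/digit run or a repeated character."""
    low = pw.lower()
    if re.search(r"(.)\1{%d,}" % (min_run - 1), low):
        return True
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):  # forward and reversed runs
            for i in range(len(s) - min_run + 1):
                if s[i:i + min_run] in low:
                    return True
    return False


def dictionary_core(pw):
    """Return the dictionary word behind simple obfuscation, or None."""
    low = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)  # drop trailing digits/symbols
    for cand in (stripped.translate(LEET), low.translate(LEET)):
        if cand in WORDS:
            return cand
    return None


def uses_identifier(pw, username=""):
    """True if pw embeds the username or has the shape of a date or phone number."""
    if username and username.lower() in pw.lower():
        return True
    return bool(re.fullmatch(
        r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|\d{3}[-–]\d{4}", pw))


def weak_patterns(pw, username=""):
    """Return the weak-pattern categories pw falls into (empty list if none)."""
    checks = [("sequence", has_sequence(pw)),
              ("dictionary", dictionary_core(pw) is not None),
              ("identifier", uses_identifier(pw, username))]
    return [name for name, hit in checks if hit]
```

A production check would use a large breached-password list and per-user context (name, birth date, phone) in place of the small constructed sets here.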
Guidelines for choosing good passwords are typically designed to make passwords harder to discover by intelligent guessing. Common guidelines advocated by proponents of software system security include using lowercase and uppercase alphabetic characters, numbers and symbols if permitted.