posted on 16:27 - 30 June 2009 | posted by Lev
last modified on 14:13 - 01 September 2009 | last modified by Lev

Path: DIR_LIB/password_strength.php

Purpose: To determine how secure a given password is.

Arguments: 1: string $word

Return Value: integer - from 0 through 9

Notes: This function works by accepting a string, $word, and then running various checks on it, awarding points for different aspects. A total of 200 points are given for six different elements:


Length of string

Up to 40 points will be awarded based on how long the string is. Each character earns four points, meaning if the password string was six characters long, then it would earn 24 points for its length. If the password is 15 characters in length, then it would earn 40 points for its length and not 60 (since only 40 points can be awarded here).


Unique characters in string

Up to 40 points will also be awarded based on how many unique characters are used within the string. Each unique character earns four points, meaning if the string "test" was used, it would receive 12 points (since it has three unique characters as "t" appears twice). Again, only up to 40 points will be dispersed based on the number of unique characters.


Percentage of unique characters in string

Once again, up to 40 points will also be awarded, this time based on the percentage of unique characters out of the total number of characters in the string.

Here, the method for calculating the number of points to disperse is a bit different. The formula is:

$unique / $length * 10 * ($unique / 2)

... where $unique is the number of unique characters in the string, and $length is the total number of characters in the string.


Percentage of number characters in string

Depending on how many numerals are used in the string, up to 20 more points will also be awarded. The formula for calculating the number of points awarded for the percentage of numerals goes like this:

  • If between 30 and 39 percent of the given string are numerals, then five points are earned for each numeral.
  • If between 40 and 49 percent of the given string are numerals, then four points are earned for each numeral.
  • If between 50 and 59 percent of the given string are numerals, then three points are earned for each numeral.
  • If between 60 and 69 percent of the given string are numerals, then two points are earned for each numeral.
  • If the percentage of numerals in the given string falls outside the range of all of the above percentages (meaning the percentage falls within either 0-29% or 71-100%), then only one point is earned for each numeral.

As you can see, a higher rate of points is earned for getting as close as possible to within 30 and 39%; this is because a password is harder to crack when the percentages of lower case letters, upper case letters and numbers are all as close to each other as possible. This means the password consists of roughly just as many lower case, upper case and number characters.


Percentage of lower case characters in string

Again, 20 more points are awarded for the percentage of lower case characters in a string, and the formula for dispersal is the same as for the percentage of numerals.

  • If between 30 and 39 percent of the given string are lower case characters, then five points are earned for each lower case character.
  • If between 40 and 49 percent of the given string are lower case characters, then four points are earned for each lower case character.
  • If between 50 and 59 percent of the given string are lower case characters, then three points are earned for each lower case character.
  • If between 60 and 69 percent of the given string are lower case characters, then two points are earned for each lower case character.
  • If the percent of the number of lower case characters, out of the total in the given string, is outside the range of any of the above percentages (meaning the percentage falls within either 0-29% or 71-100%), then only one point is earned for each lower case character.

As you can see, a higher rate of points is earned for getting as close as possible to within 30 and 39%; this is because a password is harder to crack when the percentages of lower case letters, upper case letters and numbers are all as close to each other as possible. This means the password consists of roughly just as many lower case, upper case and number characters.


Percentage of upper case characters in string

Additionally, 20 points are awarded for the percentage of upper case characters in a string, and the formula for dispersal is the same as both for the percentage of numerals and the percentage of lower case letters.

  • If between 30 and 39 percent of the given string are upper case characters, then five points are earned for each upper case character.
  • If between 40 and 49 percent of the given string are upper case characters, then four points are earned for each upper case character.
  • If between 50 and 59 percent of the given string are upper case characters, then three points are earned for each upper case character.
  • If between 60 and 69 percent of the given string are upper case characters, then two points are earned for each upper case character.
  • If the percent of the number of upper case characters, out of the total in the given string, is outside the range of any of the above percentages (meaning the percentage falls within either 0-29% or 71-100%), then only one point is earned for each upper case character.

As you can see, a higher rate of points is earned for getting as close as possible to within 30 and 39%; this is because a password is harder to crack when the percentages of lower case letters, upper case letters and numbers are all as close to each other as possible. This means the password consists of roughly just as many lower case, upper case and number characters.


Common password database check

Finally, there is a check to see if the string is found in the common password database. Unlike any of the other aspects of point dispersal, this is the only one in which points may be subtracted.

If the string is found in the common password database, then it will lose 100 points, which means immediately the highest number of points out of 200 it can then get is 100. If the string is not found in the common password database, then 20 points are earned.


How the return value is calculated

As stated earlier, 200 points are possible throughout the whole check on the string. The password strength return value is dependent solely on the percentage of points earned out of 200. The score returned is the first digit of that percentage.

For example, if a string earned 140 points, then the password's strength is 7 (as 140/200 = 70%). Even if the score was 145, the end result would still be 7 (as the return value is only the first digit of the percentage; 145/200 = 72.5%).
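The scoring rules above, re-implemented in Python as an added example so the point totals can be checked by hand (this is not Theia's own password_strength.php). Assumptions not stated on the page: percentages are truncated to whole numbers before banding, each element is capped at its stated maximum, a negative total counts as 0, the 0..9 range is clamped, and the common password database is a small constructed set.

```python
# Constructed stand-in for Theia's common password database (assumption: a plain set lookup).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Tens digit of the percentage -> points per character (30-39% -> 5 ... 60-69% -> 2);
# every other band earns 1 point per character, as the bullet lists above describe.
BAND_POINTS = {3: 5, 4: 4, 5: 3, 6: 2}


def banded_points(count, length, cap=20):
    """Points for numerals, lower case or upper case characters (max 20 each)."""
    if length == 0:
        return 0
    percent = count * 100 // length          # assumption: truncated to an integer percentage
    rate = BAND_POINTS.get(percent // 10, 1)
    return min(cap, count * rate)


def score_breakdown(word, common=COMMON_PASSWORDS):
    """Return the points earned for each element; the values sum to at most 200."""
    length = len(word)
    unique = len(set(word))
    digits = sum(c.isdigit() for c in word)
    lower = sum(c.islower() for c in word)
    upper = sum(c.isupper() for c in word)
    # Page formula: $unique / $length * 10 * ($unique / 2), truncated and capped at 40 (assumed).
    unique_pct = int(unique / length * 10 * (unique / 2)) if length else 0
    return {
        "length": min(40, length * 4),
        "unique": min(40, unique * 4),
        "unique_pct": min(40, unique_pct),
        "numerals": banded_points(digits, length),
        "lower": banded_points(lower, length),
        "upper": banded_points(upper, length),
        "common": -100 if word in common else 20,
    }


def points_to_score(total):
    """First digit of the percentage of 200 points: 140 -> 70% -> 7, 145 -> 72% -> 7."""
    percent = max(0, total) * 100 // 200     # assumption: a negative total counts as 0
    return min(9, percent // 10)             # assumption: clamped to the documented 0..9 range


def password_strength(word, common=COMMON_PASSWORDS):
    return points_to_score(sum(score_breakdown(word, common).values()))


if __name__ == "__main__":
    for w in ("test", "password", "Ab3Cd4Ef5g"):
        print(w, score_breakdown(w), "->", password_strength(w))
```

Running it shows that "test" earns the 12 unique-character points the page quotes, and that a dictionary word such as "password" drops to 0 because the -100 penalty outweighs everything else.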
