Sign in to save

Bookmark this page so you can find it later.

Sign in to save

Bookmark this page so you can find it later.

Password strength testing is a safe computer science project that shows how different password choices affect security. Students can compare passwords by changing variables such as length, character types, and the use of common words. The goal is not to break into accounts, but to understand why strong passwords protect personal information.

A classroom project can use sample passwords only, never real passwords from students or family members.

A simple Python script or a reputable online password checker can estimate strength by calculating the size of the possible search space. The main idea is entropy, which measures how many guesses an attacker might need if they had to try possibilities systematically. Longer passwords and larger character sets increase the number of possible combinations very quickly.

Dictionary words, repeated patterns, and predictable substitutions reduce real strength because guessing tools often try them early.

Key Facts

  • Search space = N^L, where N is the number of possible characters and L is password length.
  • Entropy in bits = log2(N^L) = L log2(N).
  • Estimated crack time = search space / guesses per second.
  • A 12 character password from 94 printable keyboard symbols has 94^12 possible combinations.
  • Adding length usually improves strength more than simply replacing letters with symbols in a short password.
  • Never test or collect real passwords in a school project. Use made-up examples only.

Vocabulary

Entropy
Entropy is a measure of how many possible guesses a password could require, often measured in bits.
Character set
A character set is the group of symbols allowed in a password, such as lowercase letters, uppercase letters, digits, and punctuation.
Dictionary attack
A dictionary attack is a guessing method that tries common words, names, phrases, and known password patterns.
Brute force attack
A brute force attack is a guessing method that tries every possible combination from a chosen character set.
Passphrase
A passphrase is a longer password made from several words or wordlike parts, often easier to remember and stronger because of its length.

Common Mistakes to Avoid

  • Using real passwords in the project is unsafe because it can expose private information. Always use invented sample passwords that are not connected to any account.
  • Counting only character variety is misleading because a short password with symbols can still have a small search space. Include length and character set size in the calculation.
  • Treating dictionary words as fully random is wrong because guessing tools often try common words and phrases first. Mark passwords with common words as weaker than their raw entropy may suggest.
  • Reporting one exact crack time as guaranteed is misleading because speed depends on the attack method, hardware, and whether the password is hashed securely. Present crack time as an estimate based on stated assumptions.

Practice Questions

  1. 1 A password uses only lowercase letters, so N = 26. If the password length is 8, calculate the search space using search space = N^L.
  2. 2 A 10 character password is chosen randomly from 62 possible characters. Estimate its entropy using entropy = L log2(N), with log2(62) approximately 5.95.
  3. 3 Two passwords are being compared: Summer2024! and river cloud lantern marble. Explain which is likely safer in practice and why, considering length, predictability, and dictionary patterns.