The Top 6 Password Strength Checkers and Validation Tools

What are the top 6 password strength checkers and validation tools? Why should you use them in your enterprise? How can you incorporate them into your identity and access management policies? Finally, what strategies and capabilities can you adopt to improve password strength while employing checkers?

Currently, password strength checkers and other validation tools flood the web. However, with this bounty of available tools come new challenges. Enterprises need to determine which tools they can trust with their potential and current credentials. They also need to understand what these tools can teach their employees about their identity management.

We compiled 6 password validation tools which we consider secure for your identity management strategies. We explore them in-depth below. 

Best Practices for Password Strength Checkers

Before you use password strength checkers, you need to understand a critical aspect of identity and access management: password best practices. After all, what good is a password validation tool if you don’t know how to compose a strong password?  

Critically, most password strength checkers judge credentials based on two key factors: length and complexity. The longer the password, the more time a cracking program requires to uncover it. A password of twelve characters proves far more secure than a password of eight characters. Therefore, your enterprise should mandate a minimum password length of at least ten characters and allow for longer ones.

As for complexity, most users know the general requirements: include both upper and lower case letters, numbers, and punctuation. However, most identity and password experts recommend not using sequences in your passwords; hackers’ cracking programs can identify patterns easily and exploit them. Plus, using phrases and sentences often proves easier to remember and stronger for cybersecurity.

Other password security best practices include:

Don’t Allow Repeated Passwords

Often, this proves easier said than done; many employees feel overwhelmed by the number of passwords they must remember to perform their jobs. Regardless, employees should never repeat passwords in either their professional or personal lives. More importantly, they should never cross-use their credentials.

The more a password appears across the web, the more likely it ends up in hackers’ hands through other breaches. With these, hackers can conduct largely successful credential stuffing attacks.

Don’t Allow The Sharing of Passwords

This remains a persistent problem across enterprises of all sizes. Employees can and will share their passwords with others; often they do so to facilitate business processes and efficiencies. Of course, this leads to more insider threats and a loss of control over users’ access. Put severe penalties in place for sharing passwords.

Additionally, forbid employees from writing down their passwords, either on physical paper or in document applications. That almost always leads to significant issues in the long term.   

Don’t Incorporate Personal Information into Your Passwords

Stereotypically, birthdays often end up in users’ passwords. However, this precept extends further than that. Social media and other kinds of open personal information allow hackers to conduct significant research on their targets with minimal effort. Obviously, this allows them to inflict subtler social engineering and phishing attacks.

Less obviously, hackers can use this information to guess users’ passwords. Usually, users create passwords they can remember easily, which means drawing on their interests.

Remember Password Expiration Policies Don’t Work

Many cybersecurity and identity management providers only now recognize the futility of password expiration policies. In fact, these policies can actually cloud your identity security protocols, as they create more long-term confusion.

Instead, identity management experts believe it better to mandate strong passwords and secure them rather than constantly expire them.

Secure Privileged Access Accounts as Well

All of the precepts described above apply equally to privileged users and regular ones. In fact, they may apply more to the former; hackers tend to target privileged access credentials more than regular ones because of the network power they wield.

At the same time, privileged users are subject to the same identity foibles as their regular counterparts.  

Select a Next-Gen Identity and Access Management Solution

Only modern identity security solutions can provide the necessary password security capabilities to survive in the modern digital landscape. Legacy identity solutions remain behind the times both in terms of threat intelligence and capabilities.

The Top 6 Password Strength Checkers and Validation Tools

Of course, you should only use password strength checkers which you can trust. Obviously, a trustworthy validation tool should never store your passwords in any capacity; it should only process your passwords in the browser. Again, you should never input your password into sites you don’t trust.

Another important note is that almost all of these password strength checkers and validation tools call themselves educational tools; they provide non-binding advice and exist primarily to help users understand what they need to improve their passwords.

Therefore, you should use these password strength checkers as intended—to demonstrate why typical passwords don’t suffice in modern identity management. Provide them to your employees to help them determine how best to write strong passwords and push them away from weaker ones. Additionally, you can use them to help you formulate your own password policies.     

We curated a clear list of tools we believe to be secure. However, you should do your own evaluation of these sites to ensure your users’ credentials’ safety.

1. Have I Been Pwned?

Rather than operating like other straightforward password strength checkers, Have I Been Pwned? actually determines whether a particular email account has been exposed.

“Have I Been Pwned?” details the breach information in which the account appears and what information became exposed in those breaches. It can provide a strong wake-up call to users to change their passwords if they suffered a breach.

2. Comparitech Password Strength Test

The Comparitech Password Strength Test provides a strong baseline for other password strength checkers. For example, the test can demonstrate how long hackers need to crack the inputted password.  

This test evaluates passwords based on complexity and length, and can determine whether the password appears in the list of most commonly used passwords. As a bonus, this test hashes the passwords automatically, which isn’t always the case.

3. My1Login Password Strength Test

Much like the password checker above, the My1Login Password Strength Test automatically hashes the password inputted; this helps establish trust with the validation tool. It too gives an estimate of the time needed to crack the password.

However, My1Login offers much more conservative timeframe estimates. According to this tool, a super complex password labeled as taking 13 sextillion years to crack requires hackers only two years. If anything, this could be a sobering reminder of the relative security of passwords.

4. Thycotic Password Strength Checker

The Thycotic Password Strength Checker can also recognize the most common passwords and warn against them. Further, it can identify dictionary words, recognize repeated patterns of characters, and suggest ways to improve password strength.

5. LastPass: How Secure Is My Password?

LastPass is one of the most prominent password managers, and we wanted to include it to emphasize the potential of password management. Such tools, when paired with other identity and access management solutions, can help employees deal with the myriad password demands of their day-to-day business processes.

6. JavaScript Password Strength Checkers Code

Instead of using external password strength checkers, your enterprise could design its own using JavaScript. This page outlines the steps to make your own password checker, with plenty of flexibility so it fits with your IT infrastructure.

What You Can Learn By Using Password Strength Checkers

Beware Dictionary Attacks

One of the first tools hackers use? A dictionary tool.

Yes, with a dictionary tool hackers can recognize and crack real words found in a dictionary. This explains why a one-word password is never, ever the right call.

Replacing Characters May Not Work

Remember when replacing an “E” with a “3” was the pinnacle of password security? That is no longer the case. Most hacking tools can recognize these character substitutions. Instead, you should consider several words (with spaces in between) in a row and numbers spread throughout.  
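To make the dictionary and character-substitution points concrete, and to show what a home-built JavaScript checker like the one in item 6 might test, here is a small added example (it is not code from the linked page or from any tool listed above). The word lists are tiny constructed samples, and the function names and the three-class variety threshold are assumptions of this example.

```javascript
// Added example: runs entirely locally; nothing is stored or sent anywhere.
const COMMON = new Set(["password", "123456", "qwerty", "letmein"]); // constructed sample list
const DICTIONARY = ["password", "welcome", "dragon", "secret"];      // constructed sample list
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };
const MIN_LENGTH = 10; // minimum length the article recommends

// Undo common substitutions so "P@ssw0rd" is compared as "password".
// The mapping is one character to one character, so indexes still line up (ASCII input assumed).
function normalize(pw) {
  return pw.toLowerCase().replace(/[013457@$!]/g, (c) => LEET[c]);
}

// True when one dictionary word is the only alphabetic content, e.g. "Welcome2024!!".
function isSingleWord(pw) {
  const plain = normalize(pw);
  return DICTIONARY.some((w) => {
    const i = plain.indexOf(w);
    return i >= 0 && !/[a-z]/i.test(pw.slice(0, i) + pw.slice(i + w.length));
  });
}

// True when `run` or more consecutive characters ascend or descend ("abcd", "4321").
function hasSequence(pw, run = 4) {
  let up = 1, down = 1;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    up = d === 1 ? up + 1 : 1;
    down = d === -1 ? down + 1 : 1;
    if (up >= run || down >= run) return true;
  }
  return false;
}

function checkPassword(pw) {
  const issues = [];
  if (pw.length < MIN_LENGTH) issues.push("too-short");
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
  if (classes < 3) issues.push("low-variety"); // threshold of 3 is this example's assumption
  if (COMMON.has(pw.toLowerCase()) || COMMON.has(normalize(pw))) issues.push("common-password");
  if (isSingleWord(pw)) issues.push("single-dictionary-word");
  if (/(.)\1{2,}/.test(pw)) issues.push("repeated-characters");
  if (hasSequence(pw.toLowerCase())) issues.push("sequence");
  return { ok: issues.length === 0, issues };
}
```

A password such as "Welcome2024!!" passes the length and variety rules yet is still flagged as a single dictionary word, while several unrelated words with spaces and numbers spread throughout pass every check.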

It’s Time For Multifactor Authentication

Even with the incorporation of these password strength checkers, single-factor authentication still leaves your enterprise vulnerable.

Hackers can crack any password—it may take significant time, but they can. Moreover, they could always steal passwords via social engineering.

Also, employees can’t always be trusted to follow identity and access management best practices even if you direct them to these password strength checkers and validation tools. They could still end up too overwhelmed by passwords and end up repeating or simplifying them.

Thus, your enterprise needs to embrace the potential of multifactor authentication. Incorporating other factors takes a lot of the weight off passwords, and confounds hackers far more. You can learn more about MFA here.

All in all, password strength checkers offer plenty of insights into passwords. But what matters is how you incorporate your passwords into your overall cybersecurity. They should serve as one pillar of your identity security, but they shouldn’t support the whole house.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.