A common question asked is: "What are your minimum password requirements?". Old-school answers would include criteria such as:
min 8 characters
at least one uppercase
at least one special character
at least one number
Unfortunately, most of the time, this yields weak passwords that look like "Password123!". We'd love to see how many folks use "Pizza123!" at their favorite online pizza ordering service!
As evidenced by leak databases, humans are terrible at creating secure passwords. This is because the criteria above, which have been hammered into us for the past 10 years, have only led to passwords that are hard for humans to remember and easy for computers to guess.
Therein lies LemonadeLXP's criterion: "How long would it take a computer to guess this passphrase?"
| Bad Password Patterns | Examples | Is It Memorable? | Time to Crack |
| --- | --- | --- | --- |
| A common word | december | Yes. | 18 milliseconds |
| An easily-typed spatial (keyboard) word | qwerty, aaaaaaaa | Very much so. | 10 milliseconds |
| The family dog | rusty | Yep. | 27 milliseconds |
| An important number, such as a date | 03261981 | To you, certainly. | 2.213 seconds |
| A word with a trivial letter-to-number substitution | s4nfr4n | Not very much. | 639 milliseconds |
If your password resembles any of these examples, it is instantly crackable. Even a mix of these patterns such as [common word] + [number] is straightforward to crack.
There's an easier way: Passphrases!
Compare the tough examples above to a simple passphrase!
| Password Pattern | Example | Is it Memorable? | Time to Crack |
| --- | --- | --- | --- |
| Four or more randomly chosen words | mergers decade labeled manager | It can be! Pick words you will remember. Plus, after you type them a few times, they'll stick. | 6,000,126 centuries |
Alternate ways to generate great passwords
If you use a recent version of Chrome or Safari, the passwords that they automatically generate for you are excellent. If you use the browser-generated passwords, LemonadeLXP will accept them because of their cracking difficulty.
Password managers such as 1Password also generate strong passwords. They use a different pattern (a bunch of random characters) that should give adequate security, but such passwords are nearly impossible to remember. Interestingly, passphrases are still better than these terribly obscure passwords.
| Password Type | Example | Time to Crack |
| --- | --- | --- |
| Password-manager style, random garbage | p%9y#k&yFm? | Approximately 90,182,663 centuries |
| Passphrase | logic finite eager ratio | Approximately 189,658,722 centuries |
How is this time requirement calculated?
We use zxcvbn, a sophisticated password strength estimator inspired by actual password cracking techniques. Through advanced pattern matching and conservative estimation, zxcvbn evaluates your password against:
30,000 commonly used passwords
Names and surnames from census data
Popular English words from Wikipedia and entertainment media
Predictable patterns including dates, repetitions (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and character substitutions (l33t speak)
For enhanced security, we incorporate your personal information into the verification process. This prevents you from using variations of your own details as passwords (for example, if your name is Jiminy, "Jiminy123" would be rejected as insecure).
LemonadeLXP requires passwords that would take a minimum of 10^8 to 10^10 guesses to crack. This approach provides a significantly more accurate security assessment than traditional character-based requirements (like requiring one uppercase letter, one number, etc.).
Rather than focusing on arbitrary composition rules, our system evaluates the actual strength of your password against real-world cracking techniques, ensuring meaningful protection for your account.
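The following is an added illustration, not LemonadeLXP's or zxcvbn's own code: a deliberately small Python estimator that mimics zxcvbn's approach (find the cheapest way an attacker could have produced the password, count the guesses, compare against a threshold) and applies the 10^8 minimum from the policy above. The word ranks are constructed for the example, zxcvbn's real list has about 30,000 entries; the per-character brute-force cost of 10 follows zxcvbn's conservative convention, and personal data supplied as user_inputs is treated as an attacker's first guess.

```python
import math
import re

# Constructed toy frequency ranks (rank = how many more-common entries an attacker
# tries first). These numbers are illustrative, not zxcvbn's real ranks.
RANK = {"password": 1, "qwerty": 2, "december": 90, "pizza": 800, "rusty": 1500,
        "sanfran": 2500, "logic": 3000, "manager": 4000, "ratio": 7000,
        "decade": 9000, "eager": 12000, "labeled": 15000, "finite": 20000,
        "mergers": 28000}
UNLEET = str.maketrans("4301$!@", "aeolsia")  # undo common l33t substitutions
BRUTEFORCE_CARDINALITY = 10   # zxcvbn's deliberately conservative per-character cost

def segment_guesses(raw, user_inputs):
    """Cheapest way an attacker could produce this segment, or None if only brute force."""
    low = raw.lower()
    if low in (u.lower() for u in user_inputs):
        return 1                                   # personal data: tried first
    plain = low.translate(UNLEET)
    if plain in RANK:
        return RANK[plain] * (2 if plain != low else 1)   # l33t roughly doubles the work
    if re.fullmatch(r"\d{8}", raw):
        return 365 * 100                           # any day in a 100-year window
    return None

def word_guesses(word, user_inputs):
    """Dynamic programme over all segmentations, keeping the most guessable one."""
    n = len(word)
    best = [None] * (n + 1)
    best[0] = 1
    for i in range(1, n + 1):
        best[i] = best[i - 1] * BRUTEFORCE_CARDINALITY      # one more brute-forced char
        for j in range(i):
            g = segment_guesses(word[j:i], user_inputs)
            if g is not None and best[j] * g < best[i]:
                best[i] = best[j] * g
    return best[n]

def estimate_guesses(password, user_inputs=()):
    """Whitespace-separated words multiply; the separator itself is assumed known."""
    guesses = 1
    for word in password.split():
        guesses *= word_guesses(word, user_inputs)
    return guesses

def meets_policy(password, user_inputs=(), min_log10_guesses=8):
    """LemonadeLXP-style acceptance: log10(guesses) must reach the threshold."""
    return math.log10(estimate_guesses(password, user_inputs)) >= min_log10_guesses
```

With these toy ranks, "Pizza123!" comes out at 8 million guesses and is rejected, "Jiminy123" is rejected only once "Jiminy" is passed as a user input, and the four-word passphrases beat the 11-character random string, which is the page's point in miniature.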