Is Microsoft’s “Password Checker” a reliable tool to test the strength of your password?
- Weak
- Medium
- Strong
- Best
In the document "Strong passwords: How to create and use them," Microsoft acknowledges that "Each character that you add to your password increases the protection that it provides many times over." Yet the Password Checker completely ignores this fact. You can keep adding characters by the dozen and the tool will still report that your password is weak. In fact, even if you type a 127-character password (the maximum allowed in Windows) in all lowercase, the tool will report it as a weak password because you didn't include an uppercase character, which makes no sense. According to the tool, adding one uppercase character to a 126-character password raises the password's strength to Medium. So the logic built into the tool is questionable. Many other tools are available that test password strength more reliably.
Microsoft suggests the password should be 14 characters or longer. I suggest you use a passphrase that is 15 characters or longer, as I explain in the article "How Secure Is Your Password?". According to Microsoft security experts that I have talked to, if your password is 15 characters or longer, it is not necessary to have a combination of alphanumeric, uppercase, lowercase and special characters in your password. I explain why in the article I just mentioned, "How Secure Is Your Password?". Of course, if you add any special characters or numbers, you only strengthen your password.
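The contrast described above, as an added example that is not Microsoft's code: `class_only_rating` is a hypothetical checker that looks only at character classes (its label mapping is an assumption that matches the two ratings reported here), and `search_space_bits` is a length-aware estimate. The estimate is an upper bound that assumes ASCII characters chosen at random, so a passphrase built from dictionary words is worth less than the figure shown.

```python
import math
import string

# Character pools a brute-force search would have to cover (ASCII only).
POOLS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in POOLS.items()
            if any(c in chars for c in password)]


def class_only_rating(password):
    """Hypothetical rating that ignores length (assumed mapping, not the real tool)."""
    labels = ["Weak", "Weak", "Medium", "Strong", "Best"]
    return labels[len(classes_used(password))]


def search_space_bits(password):
    """Upper bound on brute-force effort: length * log2(pool size)."""
    pool = sum(len(POOLS[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the article.
    samples = {
        "127 lowercase": "a" * 127,
        "126 lowercase + 1 upper": "a" * 126 + "A",
        "15 lowercase": "a" * 15,
        "8 chars, all classes": "Ab1!Ab1!",
        "4 chars, all classes": "Ab1!",
    }
    for label, pw in samples.items():
        print(f"{label:26} rating={class_only_rating(pw):7} "
              f"bits<={search_space_bits(pw):6.1f}")
```
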