Are password strength meters up to the task?

In Information Security by Team Acumin / 9th September 2016

Password strength meters are designed to help users create strong secure passwords, but many are easily fooled and leave people with a false impression of how strong their passwords are.

When users sign up for a new site, they are often greeted with a password strength bar. These are supposed to measure the strength of the password on a scale from weakest to strongest, but what are these meters actually measuring?

How password meters work

Most password checkers measure the length of the password: the more letters and digits it contains, the higher it scores on the meter. Some meters also require a mixture of lower-case, upper-case, numeric and symbol characters before they will rate a password highly.

The next thing that password meters assess is known as ‘entropy’. This is a measure of the password's ability to withstand a brute-force attack from password-cracking software, which bombards the site with many thousands of possible passwords.

Where password meters fail

Mark Stockley, writing on the Sophos cyber-security website Naked Security, tried an experiment with password meters using five passwords that are easy to crack:

abc123
trustno1
ncc1701 (Star Trek fans should recognise this one!)
iloveyou!
primetime21

These passwords are not particularly long and include dictionary words rather than random letters. A password cracking program will easily guess them in less than a second.

Stockley then entered each password into five different sites that used password meters. Results were mixed, but every password was rated as good on at least one of the strength meters; in other words, the meters did not agree with each other. Though four rated abc123 as weak, one judged it as good, even though it is the 14th most commonly used password.
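To make the gap concrete, here is an added example (it is not from the article, and not the code of any meter Stockley tested). It puts a naive meter of the kind described above, which scores length and character classes and treats every character as random, next to a checker that models the attacks a cracker actually runs first: a list of common passwords, that list with trailing digits and symbols stripped, and dictionary words. It scores the article's five passwords and, for contrast, the passphrase ‘copy indicate trap bright’ recommended later in the article. The common-password list, the dictionary, the assumed word-list size, the guess rate and the verdict thresholds are all constructed assumptions for the example.

```python
import math
import string

# Constructed data for the example. A real checker loads a list of millions of leaked
# passwords and a full word list; these are small stand-ins, ordered by assumed popularity.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "trustno1", "iloveyou", "ncc1701"]
DICTIONARY = {"i", "love", "you", "trust", "no", "prime", "time",
              "copy", "indicate", "trap", "bright"}
DICTIONARY_SIZE = 10_000      # assumed size of the word list a cracker actually tries
OTHER_CHARS = 42              # 10 digits + 32 symbols a cracker appends/prepends as variants
GUESSES_PER_SECOND = 1e10     # assumed offline cracking rate, used only for the time estimate


def alphabet_size(pw: str) -> int:
    """Size of the character set the password draws from: the figure naive meters use."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def naive_bits(pw: str) -> float:
    """'Entropy' as a length-and-character-class meter computes it: every character is
    assumed to be uniformly random, so dictionary words count as much as random letters."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0


def segment(letters: str):
    """Split a run of lower-case letters into dictionary words (greedy, longest match first).
    Returns the list of words, or None if some part is not in the dictionary."""
    words, i = [], 0
    while i < len(letters):
        for j in range(len(letters), i, -1):
            if letters[i:j] in DICTIONARY:
                words.append(letters[i:j])
                i = j
                break
        else:
            return None
    return words


def informed_bits(pw: str) -> float:
    """log2 of roughly how many guesses a cracker needs, modelling the attacks it really runs:
    the common-password list, that list with digits/symbols stripped, then dictionary words."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return math.log2(COMMON_PASSWORDS.index(low) + 1)      # found after this many guesses
    core = low.strip(string.digits + string.punctuation)       # "iloveyou!" -> "iloveyou"
    extra = len(low) - len(core)                               # each stripped char: one of OTHER_CHARS
    if core in COMMON_PASSWORDS:
        return math.log2((COMMON_PASSWORDS.index(core) + 1) * OTHER_CHARS ** extra)
    letters = core.replace(" ", "")                            # passphrases may contain spaces
    words = segment(letters) if letters and letters.isalpha() else None
    if words:
        guesses = DICTIONARY_SIZE ** len(words) * OTHER_CHARS ** extra
        return min(math.log2(guesses), naive_bits(pw))         # never worse than brute force
    return naive_bits(pw)


def label(bits: float) -> str:
    """Bucket a bit estimate into the verdict a strength bar shows (thresholds are assumed)."""
    if bits < 30:
        return "weak"
    if bits < 40:
        return "fair"
    if bits < 60:
        return "good"
    return "strong"


def naive_label(pw: str) -> str:
    return label(naive_bits(pw))


def informed_label(pw: str) -> str:
    return label(informed_bits(pw))


def crack_seconds(bits: float) -> float:
    """Time to exhaust 2**bits guesses at the assumed rate."""
    return 2 ** bits / GUESSES_PER_SECOND


if __name__ == "__main__":
    samples = ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
               "copy indicate trap bright"]
    print(f"{'password':28}{'naive meter':>16}{'informed check':>18}{'crack time':>14}")
    for pw in samples:
        nb, ib = naive_bits(pw), informed_bits(pw)
        print(f"{pw:28}{nb:7.1f} {naive_label(pw):8}{ib:9.1f} {informed_label(pw):8}"
              f"{crack_seconds(ib):13.1f}s")
```

Run as a script it prints one row per password. The naive column rates trustno1, iloveyou! and primetime21 as good, while the informed column finds four of the five in the first few guesses and only primetime21 survives a dictionary attack for more than a few seconds; the four-word passphrase scores around 53 bits, far below the naive figure but well above any of the five, which is the point the article makes about passphrases.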

Concordia University researchers in Montreal confirmed the inconsistencies between different meters. They wrote:

“In our large-scale empirical analysis, it is evident that the commonly-used meters are highly inconsistent, fail to provide coherent feedback on user choices, and sometimes provide strength measurements that are blatantly misleading.”

The answer

Though password meters leave a lot to be desired, research by Microsoft found that just the presence of a password meter meant that people thought more about the password they entered and were inclined to pick more difficult ones.

Ideally, you should use randomly generated passwords that contain no dictionary words, but the downside to this is that they are hard to remember.

WordPress recommends passphrases that are easy to remember but more difficult to crack. These should not make logical sense, but still be easy enough to remember, such as ‘copy indicate trap bright’.

Two-step verification is a way to make logging on more secure. Microsoft often sends a code via email or text message that must be entered in addition to the password to gain access to a Microsoft account. Some online banking systems have a gadget into which a bank card is inserted to generate an entry code for the banking website. Other sites have smartphone apps that generate codes. Eye-recognition and fingerprint-verification systems are another way for sites to avoid passwords, and there may come a day when we look back with incredulity at how flimsy password protection truly was during the 2010s.