
Password strength meters promote piss-poor passwords

You had one job ...

Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley.

Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection.

Stockley (@MarkStockley) revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords.

"You can’t trust password strength meters on websites," Stockley says.

"The passwords I used in the test are all, deliberately, absolutely dreadful … they’re chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate."

The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on clichés.

Stockley picked popular passwords he suspected the tested meters would approve but which are easily guessable.

Several password strength meters considered "abc123", "trustno1", "ncc1701" (the registration number of the USS Enterprise), "iloveyou!" and "primetime21" acceptable.

Yet all fell to the popular open source password-popper John the Ripper in under a second.

Stockley also brought in the best password meter, known as zxcvbn and used by Dropbox and WordPress, as a ringer, to show "what a website password strength meter of proven quality does when faced with this test".

While it identified the five passwords as very weak, none of the first five password strength meters did.
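The gap the article describes is between a meter that only counts length and character classes and one that first asks whether the password is already on a list of common choices. The script below is an added illustration, not Stockley's test harness or any of the meters he examined: it scores the five passwords from the article with a naive complexity-only meter, then with a check that normalises each candidate (lower-casing, stripping punctuation and trailing digits, undoing a few leet substitutions) and looks it up in a blocklist. The blocklist here is a constructed handful of entries standing in for the 10,000-entry list the article refers to; the scoring thresholds are assumptions chosen to mimic the behaviour being criticised.

```python
import re

# Constructed excerpt of a common-password blocklist. The article's test drew on
# the 10,000 most common passwords; this handful is an illustrative sample only.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "abc123",
    "trustno1", "ncc1701", "iloveyou", "primetime21",
}

# Reverse the most common leet substitutions so "p@ssw0rd" compares as "password".
_LEET = str.maketrans("013@$", "oieas")


def complexity_score(pw: str) -> int:
    """Naive meter: points for length and character classes only.

    This reproduces the behaviour the article criticises; it is not a
    recommended design. Thresholds are assumptions for illustration.
    """
    score = 0
    if len(pw) >= 6:
        score += 1
    if len(pw) >= 10:
        score += 1
    if re.search(r"[a-z]", pw):
        score += 1
    if re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"\d", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    return score


def naive_verdict(pw: str) -> str:
    """Accept anything scoring 3 or more, as a complexity-only meter would."""
    return "acceptable" if complexity_score(pw) >= 3 else "weak"


def _variants(pw: str) -> set:
    """Normalised forms under which a password is compared with the blocklist."""
    lower = pw.lower()
    return {
        lower,
        re.sub(r"[^a-z0-9]", "", lower),  # drop punctuation: "iloveyou!" -> "iloveyou"
        re.sub(r"[\d\W]+$", "", lower),   # drop trailing digits/symbols: "primetime21" -> "primetime"
        lower.translate(_LEET),           # undo leet: "p@ssw0rd" -> "password"
    }


def blocklist_verdict(pw: str) -> str:
    """Reject known-common passwords before any complexity score is consulted."""
    if _variants(pw) & COMMON_PASSWORDS:
        return "weak"
    return naive_verdict(pw)


def compare(passwords):
    """Return {password: (complexity-only verdict, blocklist-aware verdict)}."""
    return {pw: (naive_verdict(pw), blocklist_verdict(pw)) for pw in passwords}


if __name__ == "__main__":
    # The five passwords from the article's test.
    results = compare(["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21"])
    for pw, (naive, checked) in results.items():
        print(f"{pw:14} complexity-only: {naive:10} blocklist-aware: {checked}")
```

Run as-is, every one of the five passes the complexity-only meter and fails the blocklist-aware one, which is the outcome the article reports for the tested meters versus zxcvbn. The normalisation step matters in practice: a blocklist compared only against the exact string is defeated by a trailing "!" or a capital letter, which is exactly the kind of cosmetic change a complexity meter rewards.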

Microsoft researchers in a 2014 paper said password strength meters should be binned, along with the entire prevailing guidelines for mixed-case, special characters, and length.

"Honesty," they said, "demands a clear acknowledgement that we don't know how to [resist offline password guessing]: attempts to get users to choose passwords that will resist offline guessing ... must largely be judged failures," Redmond researchers Dinei Florencio and Cormac Herley wrote.

Paul C. van Oorschot of Carleton University, Canada, joined the password provocateurs in a paper published months earlier, in which they rammed a research rod into best-practice security spokes by arguing that crap passwords should be reused on low-risk websites so users can concentrate on recalling a couple of really good passwords for important sites. ®
