Many password strength meters are downright WEAK, researchers say

Dropbox gets a shout-out, though, for a worthy password checker

[Image: password tester. Credit: Steve Sauer/NetworkWorld]

Website password strength meters, like a spouse asked to assess your haircut or outfit, often tell you only what you want to hear.

That’s the finding from researchers at Concordia University in Montreal, who examined the usefulness of those pesky and ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of “not-so-good” passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by the results.

[Photo: Mohammad Mannan, Concordia University. Photo by Christian Fleury/Concordia University]

Concordia University Assistant Professor Mohammad Mannan says many password strength testers don't pass muster.

"We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another," says Mohammad Mannan, an assistant professor with Concordia's Institute for Information Systems Engineering, in a statement. He collaborated on the study with Ph.D. student Xavier de Carné de Carnavalet.


The password strength meters are designed with good intentions, to protect online users from exposing themselves to attacks through use of lame passwords such as… “password” (#2 on a recent ranking of Most Common & Worst Passwords). In fact, research from Microsoft/University of California at Berkeley/University of British Columbia (paper titled Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection) found that indeed, password gauges do encourage users to concoct stronger passwords.

But that doesn’t mean the meters have necessarily been designed well, according to the Concordia researchers, whose study (A Large-Scale Evaluation of High-Impact Password Strength Meters) will be published in the journal ACM Transactions on Information and System Security. The study asserts that most of the meters studied “are quite simplistic in nature and apparently designed in an ad-hoc manner.”

And just because a meter rates a password as strong doesn't mean that it is, the researchers say.

In their study, the researchers singled out cloud file-sharing service Dropbox as having among the stronger password checkers – and an open source one that includes an explanation of its design. Among other things, the checker puts the kibosh on any words found in the dictionary. Dropbox rated “Password1” as very weak, but another site, Yandex, okayed it as secure.

Overall, password strength gateways are inconsistent, with some allowing all letters and others requiring different character sets to gain approval, the researchers found. That sends a mixed message to online users accessing many different websites.     
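To make the inconsistency concrete, here is an added example (not from the study or from any of the sites it tested) that puts two toy meters side by side: one built from the ad-hoc character-class rules the article describes, and one that adds the dictionary check the Dropbox-style checker uses. The word list and the test passwords are constructed for the demo; a real meter would load a list of tens of thousands of common passwords.

```python
"""Two toy password meters: a character-class meter versus a dictionary-aware one."""
import re

# Constructed sample of common words; a production meter loads a much larger list.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}

# Undo the usual "l33t" substitutions so P@ssw0rd is still recognised as password.
LEET = str.maketrans("0143$@", "oiaesa")

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def naive_score(pw: str) -> str:
    """Ad-hoc rule set: one point per character class present, one more for length >= 8.
    This is the kind of meter that happily calls Password1 strong."""
    points = sum(bool(re.search(p, pw)) for p in CHARACTER_CLASSES) + (len(pw) >= 8)
    if points <= 2:
        return "weak"
    return "fair" if points == 3 else "strong"


def dictionary_hit(pw: str) -> bool:
    """True if the password is a common word once the usual decorations are removed:
    leading/trailing digits or symbols, capitalisation, and l33t substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    return core in COMMON_WORDS or core.translate(LEET) in COMMON_WORDS


def dict_score(pw: str) -> str:
    """Dictionary-aware meter: a recognised common word is very weak no matter
    how many character classes it happens to contain."""
    return "very weak" if dictionary_hit(pw) else naive_score(pw)


def compare(passwords):
    """Return {password: (naive rating, dictionary-aware rating)} for a batch."""
    return {pw: (naive_score(pw), dict_score(pw)) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample inputs, including the Password1 case from the article.
    for pw, (naive, aware) in compare(["password", "Password1", "P@ssw0rd!", "Tr0ub4dor&3"]).items():
        print(f"{pw:<14} naive={naive:<7} dictionary-aware={aware}")
```

Both meters agree on a plain dictionary word, but only the dictionary-aware one catches the decorated variants that satisfy every character-class rule.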

Mannan says that despite warning most of the website operators about the study findings, few have made changes, but the researchers are hopeful their work will encourage website operators as well as other academics to take a harder look at this issue.

One alternative for password-wary users is a tool for building passwords from private images (SelfiePass/ObPwd for Android and for Firefox). Other researchers, such as those at Carnegie Mellon University, have also looked to visual cues for password safety.

