Many password strength meters are downright WEAK, researchers say

Website password strength meters, like a spouse asked to assess your haircut or outfit, often tell you only what you want to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those pesky and ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype.

The researchers used algorithms to send millions of "not-so-good" passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by the results.

"We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another," says Mohammad Mannan, an assistant professor with Concordia's Institute for Information Systems Engineering, in a statement. He collaborated on the study with Ph.D. student Xavier de Carné de Carnavalet.

The password strength meters are designed with good intentions, to protect online users from exposing themselves to attacks through use of lame passwords such as... "password" (#2 on a recent ranking of Most Common & Worst Passwords). In fact, research from Microsoft/University of California at Berkeley/University of British Columbia (paper titled Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection) found that indeed, password gauges do encourage users to concoct stronger passwords.

But that doesn't mean the meters have necessarily been designed well, according to the Concordia researchers, whose study (A Large-Scale Evaluation of High-Impact Password Strength Meters) will be published in the journal ACM Transactions on Information and System Security. The study asserts that most of the meters studied "are quite simplistic in nature and apparently designed in an ad-hoc manner."

And just because a meter rates a password as strong, doesn't mean that it is, the researchers say.

In their study, the researchers singled out cloud file-sharing service Dropbox as having one of the stronger password checkers, an open-source one that includes an explanation of its design. Among other things, the checker puts the kibosh on any word found in the dictionary. Dropbox rated "Password1" as very weak, but another site, Yandex, okayed it as secure.

Overall, password strength gateways are inconsistent, with some allowing all letters and others requiring different character sets to gain approval, the researchers found. That sends a mixed message to online users accessing many different websites.
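To make the inconsistency concrete, here is an added illustration (not code from the Concordia study, Dropbox, or any of the sites named) of the two meter designs the article contrasts: a character-class meter that looks only at length and which kinds of characters are present, beside a dictionary-aware meter that first strips a cheap trailing suffix, undoes common leet substitutions, and checks the remainder against a word list. The word list, the substitution table and the score thresholds are all constructed for this example and are far smaller and cruder than a real meter would use.

```python
import math
import re

# Constructed toy list of common passwords; a real meter uses tens of thousands.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey",
                "football", "iloveyou", "admin", "sunshine", "princess"}

# Constructed leet-speak substitutions that attackers try automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

LABELS = ["very weak", "weak", "fair", "strong", "very strong"]


def charset_size(s: str) -> int:
    """Size of the alphabet a brute-force guesser would need for string s."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^A-Za-z0-9]", s):
        size += 33
    return size or 1


def charset_score(pw: str) -> int:
    """Naive meter (0-4): rewards length and character classes, ignores content."""
    score = 0
    if len(pw) >= 8:
        score += 1
    if re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"[0-9]", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    return score


def guess_bits(pw: str) -> float:
    """Dictionary-aware estimate of log2(guesses) needed to find pw."""
    # Split off up to four trailing digits/symbols: a suffix like "1" or "!"
    # is a cheap extra loop for a guesser, not a new secret.
    m = re.fullmatch(r"(.*?)([0-9!@#$%^&*.]{0,4})", pw)
    core, suffix = m.group(1), m.group(2)
    word = core.lower().translate(LEET)
    if word in COMMON_WORDS:
        # Cost of a dictionary hit is roughly its position in the list, plus a
        # bit each for capitalisation and leet variants the guesser must try.
        bits = math.log2(len(COMMON_WORDS))
        if core != core.lower():
            bits += 1.0
        if core.lower() != word:
            bits += 1.0
    else:
        # No dictionary hit: fall back to brute force over the core's alphabet.
        bits = len(core) * math.log2(charset_size(core))
    if suffix:
        bits += len(suffix) * math.log2(charset_size(suffix))
    return bits


def aware_score(pw: str) -> int:
    """Map estimated guess bits onto the same 0-4 scale (constructed thresholds)."""
    bits = guess_bits(pw)
    for i, limit in enumerate((14, 28, 40, 60)):
        if bits < limit:
            return i
    return 4


def compare(pw: str) -> dict:
    """Return both meters' verdicts for one password."""
    return {"charset": LABELS[charset_score(pw)], "aware": LABELS[aware_score(pw)]}


if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd", "monkey", "xK7#pQ2m",
               "volcano teacup bicycle lantern"):
        v = compare(pw)
        print(f"{pw:32} charset-meter={v['charset']:12} dictionary-aware={v['aware']}")
```

Running it shows the two meters disagreeing in both directions: "Password1" and "P@ssw0rd" satisfy every character-class rule and score "strong" or "very strong" on the naive meter, yet collapse to "very weak" once the dictionary word underneath is recognised, while a long all-lowercase passphrase is marked down by the naive meter for lacking digits and capitals even though its brute-force cost is far higher. That is exactly the mixed message the researchers describe: a meter that checks character sets is measuring policy compliance, not how many guesses an attacker needs.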

Mannan says that despite warning most of the website operators about the study findings, few have made changes, but the researchers are hopeful their work will encourage website operators as well as other academics to take a harder look at this issue.

One alternative for password-wary users is a tool for building passwords from private images (SelfiePass/ObPwd for Android and for Firefox). Other researchers, such as those at Carnegie Mellon University, have also looked to visual cues for password safety.
