Password strength meters promote piss-poor paswords

You had one job ...

Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley.

Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection.

Stockley (@MarkStockley) revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords.

"You can’t trust password strength meters on websites," Stockley says.

"The passwords I used in the test are all, deliberately, absolutely dreadful … they’re chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate."

The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on clichés.

Stockley picked popular passwords he suspected the tested meters would approve but which are easily guessable.

Several password strength meters considered "abc123", "trustno1", "ncc1701" (the registration number of the USS Enterprise), "iloveyou!" and "primetime21" acceptable.

Yet all fell to a popular open source password-popper John the Ripper in under a second.

Stockley also brought in the best password meter, known as zxcvbn and used by Dropbox and WordPress, as a ringer, to show "what a website password strength meter of proven quality does when faced with this test".

While it identified the five passwords as very weak, none of the first five password strength meters did.

Microsoft researchers in a 2014 paper said password strength meters should be binned, along with the entire prevailing guidelines for mixed-case, special characters, and length.

"Honesty," they said, "demands a clear acknowledgement that we don't know how to [resist offline password guessing]: attempts to get users to choose passwords that will resist offline guessing ... must largely be judged failures, " Redmond researchers Dinei Florencio and Cormac Herley wrote.

Paul C. van Oorschot of Carleton University, Canada, joined the password provocateurs in a paper published months earlier in which they rammed a research rod into best practice security spokes arguing crap passwords should be reused on low risk websites so users can concentrate on recalling a couple of really good passwords for important sites. ®




Biting the hand that feeds IT © 1998–2018