Slashdot Mirror


Password Strength Testers Work For Important Accounts

msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."

1 of 129 comments

  1. Re:What's really needed... by VortexCortex · Score: 1, Flamebait

    If you actually do any PW cracking, you'd know that comic is wrong. Dictionary attacks with not just words, but with phrases and 1337 replacements, and exclamations, and numbers after or before or in between words, runs of N repeating characters to 'pad out' a password, etc., all get tried before brute force. One of the results of having leaked password databases published online is that the crackers could see all the tricks people use to construct their "memorable" passwords. Unsurprisingly, appending 123xcv or other quick keyboard combinations is rather common, and thus added to the cracking database. Any trick you can think of someone else uses too, and is likely a known trick. Type a word with the left hand, but shifted over and up? Yep, it's in the cracking dictionary too; that one's easy to encode, so it saves space... Maybe memorize a passage from a book (not a popular passage) and use some letters from each word, etc.

    Clever is Dead. Generate your passwords randomly or use a salted hash of the domain name and a master password. I use an HMAC bookmarklet employing this technique, and I can re-create all of my passwords using any computer, phone, or web browser. If I can't get to my bookmark, or an implementation of a hashing algorithm, then I'm not in a position to need the passwords.