Slashdot Mirror


Password Strength Testers Work For Important Accounts

msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."

5 of 129 comments

  1. Minor difference at best by icebike · Score: 5, Insightful

    The long and the short of it: Not Much!

    Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.

    They claim it was for "important accounts" but how important would the account be that was being used in a study?

    Lots of people re-use passwords on "nothing accounts" simply to prevent having to remember a gazillion passwords.
    That doesn't mean they reuse all passwords.

    It's probably more important to not log in using the same user name on many different sites than it is to have passwords consisting of crazy strings of random characters that you can't even type consistently, let alone remember. If someone guesses your re-used password on one site, they have a much better chance of guessing your other logins.

    --
    Sig Battery depleted. Reverting to safe mode.
  2. Re:What's really needed... by msauve · Score: 5, Funny

    Oh, yea. Obligatory Dilbert (better than XKCD in this case).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  3. Re:What's really needed... by fostware · Score: 5, Funny

    But all my passwords are "correcthorsestaplebattery"!

    --
    "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  4. Re:What's really needed... by Carnildo · Score: 5, Insightful

    If you actually do any PW cracking, you'd know that comic is wrong. Dictionary attacks with not just words, but with phrases and 1337 replacements, and exclamations, and numbers after or before or in between words, runs of N repeating characters to 'pad out' a password, etc, all get tried before brute force.

    If you understood combinatorics, you'd know that the comic is right. The first row is a password made from known tricks, and is probably in a dictionary (the 28-bit strength represents the size of the smallest dictionary likely to contain it, or how far you need to go through the dictionary before running into it). The second row represents a password generated randomly from what is effectively a 2048-letter alphabet.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
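    The combinatorics in the exchange above, as an added worked example that is not part of the thread or of the paper it discusses: a small strength estimator that rates a password by the cheapest attack model covering it, rather than by brute force over its character set. The "known tricks" model is a base word with capitalisation, leet substitutions and digits or symbols added at either end; the passphrase model is k words from a list the attacker also holds, which is why a 4-word passphrase from a 2048-word list is worth exactly 44 bits. The word list, the 2^16 base-dictionary size and the per-character variant counts are constructed assumptions for illustration; only the 2048-word list size comes from the comment.

```python
import math
import re
from typing import Optional

# Constructed sample word list; a real meter would load a large list of common
# words and leaked passwords. (Assumption for illustration, not from the thread.)
WORDS = {"correct", "horse", "battery", "staple", "troubador",
         "password", "dragon", "monkey"}
DICT_SIZE = 2 ** 16      # assumed size of the attacker's base dictionary (hypothetical)
WORDLIST_SIZE = 2048     # passphrase list size the comment cites (11 bits per word)
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEETABLE = set(LEET.values())   # letters that have a leet spelling
DIGITS, SYMBOLS = 10, 33        # printable ASCII: 26 + 26 + 10 + 33 = 95 characters


def random_selection_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of the given size.
    This is the comment's 'effectively a 2048-letter alphabet' argument: the attacker
    knows the word list, so each word is worth log2(2048) = 11 bits, no more."""
    return length * math.log2(alphabet_size)


def _unleet(core: str) -> str:
    return "".join(LEET.get(c, c) for c in core).lower()


def mangled_word_guesses(pw: str) -> Optional[int]:
    """Model a rule-based dictionary attack: one base word, optionally capitalised,
    with leet substitutions and digits/symbols added before or after.
    Returns the number of guesses such an attack needs to cover pw, or None if pw
    does not fit this shape."""
    m = re.fullmatch(r"([^A-Za-z]*)([A-Za-z0-9@$]+?)([^A-Za-z]*)", pw)
    if not m:
        return None
    prefix, core, suffix = m.groups()
    base = _unleet(core)
    if base not in WORDS:
        return None
    letters = [c for c in core if c.isalpha()]
    uppers = sum(c.isupper() for c in letters)
    if uppers == 0:
        case_variants = 1
    elif uppers == 1 and letters[0].isupper():
        case_variants = 2                       # "Word" is the first rule every cracker tries
    else:
        case_variants = 2 ** len(letters)       # arbitrary mixed case: every combination
    leet_variants = 2 ** sum(c in LEETABLE for c in base)   # each leetable letter: swapped or not
    affix_variants = (DIGITS + SYMBOLS) ** len(prefix + suffix)
    return DICT_SIZE * case_variants * leet_variants * affix_variants


def passphrase_guesses(pw: str) -> Optional[int]:
    """Model an attack on word-list passphrases: if pw splits into k words from the
    list, the attacker needs at most WORDLIST_SIZE**k guesses. Greedy longest-match
    segmentation; good enough for the illustration."""
    if not (pw.isalpha() and pw.islower()):
        return None
    i = k = 0
    while i < len(pw):
        for n in range(len(pw) - i, 0, -1):
            if pw[i:i + n] in WORDS:
                i += n
                k += 1
                break
        else:
            return None
    return WORDLIST_SIZE ** k


def brute_force_guesses(pw: str) -> int:
    """Exhaustive search over the character classes pw actually uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += DIGITS
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size ** len(pw)


def estimate_bits(pw: str) -> float:
    """Strength = log2 of the cheapest attack model that covers pw. A meter that
    only ran brute_force_guesses would rate 'Tr0ub4dor&3' at about 72 bits; the
    dictionary model shows the attacker gets there in roughly 2**32 guesses."""
    candidates = [g for g in (mangled_word_guesses(pw), passphrase_guesses(pw),
                              brute_force_guesses(pw)) if g]
    return math.log2(min(candidates))


if __name__ == "__main__":
    for pw in ("password1", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw:28s} {estimate_bits(pw):6.1f} bits  (brute force alone: "
              f"{math.log2(brute_force_guesses(pw)):.1f})")
```

    Run as a script it prints the three sample passwords side by side: the dictionary-plus-tricks password lands near 32 bits under this model even though a character-class meter would credit it with 72, while the all-lowercase passphrase is capped at 44 bits by the word-list model instead of the 117 bits a brute-force count would suggest. That gap is the whole point of the comment: a meter is only as good as the cheapest attack it knows about.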
  5. So people choose strong passwords... by theedgeofoblivious · Score: 5, Insightful

    And then they write them down, stick them on sticky notes, and put them under their keyboards, or in their drawers, completely destroying the security, but maintaining the administrators' beliefs in it.

    It's almost as good of an idea as making people change their password once a month, which also encourages people to write them down, re-use their weak passwords or choose passwords that are easy to guess.

    And how about those password retrieval questions?

    What's your favorite color or your mother's maiden name? No one can guess those.