Slashdot Mirror


Many Password Strength Meters Are Downright Weak, Researchers Say

alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results." Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).

2 of 159 comments

  1. Re:is this good? by sexconker · Score: 1, Flamebait

    123Password is very strong because it uses numbers and upper and lower case letters.
    Those meters are stupid.

    As long as it's not one of either this list: http://gizmodo.com/the-25-most... or just a copy of your exact username, then yep, it will probably suit you just fine. Dictionary attacks don't happen in break-ins nearly as often as exploiting password resets (via social engineering or otherwise) or other blatant sidesteps of security (token reuse, etc.), since everyone tarpits bad logins, sometimes after as few as 3 attempts.

    Hey, retard, pay attention. The typical attack scenario is as follows:
    A: Company gets hacked.
    B: The user table with password hashes is accessed.
    C: At some point in the future the company realizes it.
    D: At some later point in the future the company is forced to announce the breach. The company will lie as much as possible about what was accessed, when, how passwords were stored, that they never held onto your credit card numbers, how they're revamping security and they take your privacy very seriously, etc.

    Between B and C, the attackers (and anyone they've sold the dump to) are busy cracking the passwords (assuming they weren't stored in plaintext) offline. They don't have to worry about being locked out after 3 fucking attempts. No one does brute force / dictionary attacks against online fucking data you clown. You take the data offline and fuck on it at full speed.

  2. Re:Still waiting for a "hackability meter" by sexconker · Score: 0, Flamebait

    You're a fucking shitheel. The vast majority of passwords are cracked offline. The only things saving you, the user, when (not if) shit gets hacked are using strong passwords and not reusing them across services. "2-factor" authentication doesn't do fuck shit because the company got fucking hacked anyway - you can't trust that the keys for the RSA clocks weren't taken at the same time the user table was.
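The two comments above make the same argument: a lockout after a few bad logins only constrains an attacker who is talking to the live site, while the realistic attacker is sitting on a dumped user table and guesses as fast as the hash function allows. The block below is an added worked example (not code from the article, the Concordia study, or any commenter) that puts the two scenarios side by side. It constructs a tiny "leaked" user table of unsalted SHA-1 hashes (a storage scheme that was still common at the time), a character-class strength meter of the kind the first comment mocks, and a small wordlist with hashcat/John-style mangling rules. The wordlist, the usernames, the plaintexts and the three-strikes lockout are all made-up sample data.

```python
import hashlib
import string


def sha1_hex(pw: str) -> str:
    """Unsalted SHA-1 hex digest; stands in for a weak legacy password store."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed sample dump: what step B in the thread's attack scenario yields.
# "123Password" is the password the parent comment called "very strong".
LEAKED_USER_TABLE = {
    "alice": sha1_hex("123Password"),
    "bob": sha1_hex("dragon1"),
    "carol": sha1_hex("correcthorsebatterystaple"),  # not derivable from our wordlist
}

# Constructed five-word list; a real attacker would use millions of entries.
WORDLIST = ["password", "dragon", "letmein", "monkey", "qwerty"]


def naive_meter(pw: str) -> str:
    """Character-class meter of the type the thread mocks.

    One point per class present (lower, upper, digit, punctuation), plus one
    point at length 8 and another at length 12. Nothing here looks at whether
    the password is a dictionary word with digits bolted on.
    """
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    score = sum(classes) + (len(pw) >= 8) + (len(pw) >= 12)
    if score >= 4:
        return "strong"
    if score >= 3:
        return "medium"
    return "weak"


def mangle(word: str):
    """Yield rule-based variants of a base word in a fixed order:
    case variants, then common digit suffixes and prefixes (21 candidates per word)."""
    for variant in (word, word.capitalize(), word.upper()):
        yield variant
        for digits in ("1", "123", "2013"):
            yield variant + digits
            yield digits + variant


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


def crack_offline(user_table, wordlist):
    """Offline attack against the dump: hash each candidate once and look it up
    against every user. No lockout applies; the only cost is SHA-1 throughput.
    Returns (recovered {user: plaintext}, number of candidates hashed)."""
    targets = {}
    for user, digest in user_table.items():
        targets.setdefault(digest, []).append(user)
    found = {}
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        for user in targets.pop(sha1_hex(cand), []):
            found[user] = cand
        if not targets:
            break
    return found, guesses


class OnlineLogin:
    """Login endpoint with the defence the parent comment relies on:
    lock the account after max_attempts failed tries."""

    def __init__(self, user_table, max_attempts=3):
        self.table = user_table
        self.max_attempts = max_attempts
        self.failures = {}

    def attempt(self, user: str, pw: str) -> bool:
        if self.failures.get(user, 0) >= self.max_attempts:
            raise PermissionError(f"{user} is locked out")
        if sha1_hex(pw) == self.table[user]:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def crack_online(user_table, wordlist, max_attempts=3):
    """Same wordlist and rules, but through the rate-limited endpoint."""
    endpoint = OnlineLogin(user_table, max_attempts)
    found = {}
    for user in user_table:
        for cand in candidates(wordlist):
            try:
                if endpoint.attempt(user, cand):
                    found[user] = cand
                    break
            except PermissionError:
                break  # three strikes; move on to the next account
    return found


if __name__ == "__main__":
    for pw in ("123Password", "correcthorsebatterystaple"):
        print(f"{pw!r}: meter says {naive_meter(pw)}")
    print("online  :", crack_online(LEAKED_USER_TABLE, WORDLIST))
    print("offline :", crack_offline(LEAKED_USER_TABLE, WORDLIST))
```

Run stand-alone, the meter rates "123Password" as strong and the 25-character passphrase as merely medium, the online attack recovers nothing because every account locks after three guesses, and the offline attack recovers alice and bob after hashing 105 candidates (the whole five-word list times 21 rules), with carol surviving only because her password is not on the list. Replacing `sha1_hex` with a deliberately slow, salted construction such as `hashlib.pbkdf2_hmac` with a high iteration count, or bcrypt/scrypt/Argon2, does not change which passwords are guessable; it only raises the cost of each of those 105 guesses, which is the company's half of the defence the second comment describes. The user's half is the one the meter failed to measure.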