Slashdot Mirror


Many Password Strength Meters Are Downright Weak, Researchers Say

alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results. Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).

22 of 159 comments

  1. is this good? by twitnutttt · · Score: 2, Funny

    123Password is very strong because it uses numbers and upper and lower case letters.
    Those meters are stupid.

    1. Re:is this good? by oodaloop · · Score: 2

      Of course it's strong! That's why I use it for my luggage!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:is this good? by jeffmeden · · Score: 4, Interesting

      123Password is very strong because it uses numbers and upper and lower case letters.
      Those meters are stupid.

      As long as it's not one of either this list: http://gizmodo.com/the-25-most... or just a copy of your exact username, then yep it will probably suit you just fine. Dictionary attacks don't happen in break ins nearly as often as exploiting password resets (via social engineering or otherwise) or other blatant sidesteps of security (token reuse, etc), since everyone tarpits bad logins, sometimes after as few as 3 attempts.

    3. Re:is this good? by michelcolman · · Score: 2

      I once tried to set a password for iCloud using 20 letters, numbers and punctuation marks. It was rejected because it didn't contain a capital letter. Sigh...

      Result: iCloud passwords have lower entropy because the cracking algorithms no longer have to try passwords with only lower case letters. They can go through all the passwords with a leading capital letter in the same amount of time instead. (which is the obvious alteration 95% of users will make anyway)

    4. Re:is this good? by rotaryexpress · · Score: 3, Informative

      Except when an entire password database is stolen by hackers. Then, dictionary attacks are used first. That is the exact time you want a good password: Make the dictionary attack fail and brute-force the only option.

      Remember, most hack attempts don't get reported until the account information starts being used or sold.

    5. Re:is this good? by thedonger · · Score: 2

      Companies and online entities need to learn that when you force people to use a capital letter, a number, and a symbol, that most likely the first letter will be the capital letter, the number will be 1, and the symbol will be !. Or maybe @. If they foist a wacky password or require one based on complex rules, it will either be written down, or be the most simple implementation of the rules.

      Enforce minimum length. Allow spaces. Make a comparatively small alphabet have sufficient entropy to withstand brute force.

      --
      Help fight poverty: Punch a poor person.
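The two complaints above (a meter that rewards "a capital, a number and a symbol" while users reliably produce "Capitalized word, 1, !", and the summary's finding that meters disagree wildly) can be shown side by side. The following is an added example, not code from the Concordia study or from any of the sites named in the summary: a character-class meter of the red/yellow/green kind next to a guess-space estimate that knows the common mangling shape. The word list, the assumed real-dictionary size (DICT_SIZE), the number of case/leet variants a rule set tries per word, and the 7776-word passphrase list size are all constructed assumptions.

```python
import math
import re
import string

# Constructed toy wordlist; a real checker loads a leaked-password list of
# tens of thousands of entries. DICT_SIZE is the assumed size of that real
# list and is what the estimate uses, not the size of this toy set.
COMMON_WORDS = {"password", "veronica", "welcome", "dragon", "monkey",
                "letmein", "qwerty", "football"}
DICT_SIZE = 100_000
CASE_LEET_VARIANTS = 16   # assumed: case/leet variants a rule set tries per word
DICEWARE_WORDS = 7776     # assumed list size for space-separated passphrases

# Undo the substitutions a rule-based cracker applies for free.
_UNLEET = str.maketrans("@40351$", "aaoesis")
# "base" + up to four trailing digits + up to two trailing symbols
_SHAPE = re.compile(r"^(.+?)(\d{0,4})([!@#$%^&*]{0,2})$")


def naive_meter(pw: str) -> str:
    """The character-class meter: one point per class present plus one for
    length >= 8. Rates 'Password1!' strong and a lowercase passphrase weak."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    score = sum(classes) + (len(pw) >= 8)
    return ("weak", "weak", "weak", "medium", "strong", "strong")[score]


def estimate_bits(pw: str) -> float:
    """log2 of the guesses an informed attacker needs. Recognises the
    'Capitalised word + digits + symbol' shape (after undoing leet) and
    word-list passphrases; falls back to charset ** length otherwise."""
    if not pw:
        return 0.0
    base, digits, symbol = _SHAPE.match(pw).groups()
    root = base.translate(_UNLEET).lower()
    if root in COMMON_WORDS:
        # dictionary word x rule variants x digit suffix x symbol suffix
        # (assumes ~10 symbols are worth trying per symbol position)
        guesses = DICT_SIZE * CASE_LEET_VARIANTS * 10 ** len(digits) * 10 ** len(symbol)
        return math.log2(guesses)
    words = pw.split(" ")
    if len(words) >= 3 and all(w.isalpha() and w.islower() for w in words):
        # attacker knows the word list; only the word choices are secret
        return len(words) * math.log2(DICEWARE_WORDS)
    charset = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
               + 10 * any(c.isdigit() for c in pw) + 33 * any(not c.isalnum() for c in pw))
    return len(pw) * math.log2(charset)


# Constructed samples: the mangled-word shapes from the thread, a passphrase
# with spaces, and a random string for comparison.
SAMPLES = ["Password1!", "P@ssw0rd99", "veronica",
           "correct horse battery staple", "xK9#qL2$wP"]


def report(samples=SAMPLES):
    """(password, naive verdict, informed estimate in bits) for each sample."""
    return [(pw, naive_meter(pw), round(estimate_bits(pw), 1)) for pw in samples]


if __name__ == "__main__":
    for pw, verdict, bits in report():
        print(f"{pw!r:32} meter={verdict:7} informed={bits:5.1f} bits")
```

The meter and the estimate disagree on every interesting input: "Password1!" and "P@ssw0rd99" get the top verdict but sit around 27 bits once the dictionary root and the fixed suffix positions are accounted for, and the space-separated passphrase, which the class-counting meter calls weak, is the only memorable sample above 50 bits. Enforcing a minimum length and allowing spaces, as the comment above suggests, is what the estimate rewards.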
    6. Re:is this good? by Anonymous Coward · · Score: 2, Funny

      You take the data offline and fuck on it at full speed.

      No, I use a mattress and I pace myself.

    7. Re:is this good? by bws111 · · Score: 2

      that would suggest that (1) they don't understand what a password is actually protecting or is for, and (2) the incentives aren't correctly aligned

      You missed the most obvious choice: they don't think like a criminal, and have no idea what lengths a criminal will go to, or the tools they will use, to break in.

      There is no other area in life where an ordinary person is expected or required to act like a complete paranoid, but that is exactly what is expected by you.

      The problem is not users, the problem is that passwords are a crappy way to protect something.

    8. Re:is this good? by operagost · · Score: 2

      OpenVMS handles invalid logons correctly. It locks out the terminal (that is, the network address) of the intruder. Why Microsoft, and most of the rest of the industry, does not understand how this is more secure and less vulnerable to DOS, I don't know.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
  2. Still waiting for a "hackability meter" by jeffmeden · · Score: 5, Interesting

    The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughters name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

    What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

    1. Re:Still waiting for a "hackability meter" by Gaygirlie · · Score: 3, Interesting

      The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughters name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

      Your basis for saying password complexity is irrelevant is that bad people would be doing online brute-forcing? They do matter somewhat when it comes to online cracking, but the real relevancy doesn't lie there. The passwords matter when it comes to offline brute-forcing: the more complex the password the longer it'll take to crack it even if you have the hash for it. With good passwords and well-done hashing and salting you may end up cracking them for weeks by which time whoever you obtained them from will hopefully already have made their users change their passwords.

    2. Re:Still waiting for a "hackability meter" by Gaygirlie · · Score: 2

      In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified

      Considering how awfully many cases there have been where it has taken the company weeks or even months to notify anyone of the breach I'm going to have to disagree on that.

    3. Re:Still waiting for a "hackability meter" by sexconker · · Score: 2

      The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughters name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

      Your basis for saying password complexity is irrelevant is that bad people would be doing online brute-forcing? They do matter somewhat when it comes to online cracking, but the real relevancy doesn't lie there. The passwords matter when it comes to offline brute-forcing: the more complex the password the longer it'll take to crack it even if you have the hash for it. With good passwords and well-done hashing and salting you may end up cracking them for weeks by which time whoever you obtained them from will hopefully already have made their users change their passwords.

      Brute forcing offline is only a scenario that can take place after a breach has occurred. In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified

      Breaches are typically not noticed for months, and companies do everything in their power to NOT notify users for as long as possible and to lie to users about what was accessed and how it was stored. A password of "veronica" would be cracked in seconds.

  3. Lovely Meter Maid by Tablizer · · Score: 3, Funny

    So we need a meter for meters now.

  4. Re:I use the same unhackable password by itzly · · Score: 4, Funny

    I know that my password - hunter2 - is very strong

    Doesn't look strong to me.

  5. Users are *bad* at choosing passwords by MetricT · · Score: 5, Insightful

    I run a GPU cracker on my users' password hashes to preemptively weed out weak passwords. Several times I have seen them try to change it from (for example) "password" to "P@ssw0rd99", which in a certain sense is significantly more complex, but oclHashcat has rules for capitalization, leet-speak, appending/prepending numbers. You've only changed the time it takes to crack that hash from fractions of a second to a few minutes.

    The only highly secure password requires long, random characters. Given a choice, users will always prefer an easy-to-remember password because it makes their life easier. Unfortunately, it also makes the bad guy's life easier, and the sysadmin's life harder.

    Websites should be required to disclose the hash format they are storing users' passwords in, to hopefully prevent another LinkedIn plain-md5 type debacle.
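To make the "password" to "P@ssw0rd99" point concrete: a rule-based cracker never searches the full 94-character keyspace, it takes each dictionary word and runs it through a list of cheap transformations. The block below is an added example written for this thread, not hashcat's own code: a small interpreter for a subset of hashcat's rule language (':' no-op, 'l', 'u', 'c', 't', 'r', '$X', '^X', 'sXY'), a generated rule set covering "capitalise, leet, append one or two digits", and a search that reports which word and rule produce a given candidate. The wordlist is constructed; the rule set size is chosen for illustration and is tiny next to the stock rule files hashcat ships.

```python
import itertools

# Constructed stand-in for a leaked-password wordlist.
WORDLIST = ["password", "veronica", "welcome", "dragon",
            "monkey", "letmein", "qwerty", "football"]


def apply_rule(word: str, rule: str) -> str:
    """Apply a space-separated sequence of hashcat-style rule functions.
    Supported subset: ':' no-op, 'l' lower, 'u' upper, 'c' capitalise,
    't' toggle case, 'r' reverse, '$X' append X, '^X' prepend X,
    'sXY' replace every X with Y."""
    out = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        if op == "l":
            out = out.lower()
        elif op == "u":
            out = out.upper()
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()
        elif op == "t":
            out = out.swapcase()
        elif op == "r":
            out = out[::-1]
        elif op == "$":
            out = out + arg
        elif op == "^":
            out = arg + out
        elif op == "s" and len(arg) == 2:
            out = out.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return out


def build_ruleset():
    """Every combination of case change, leet substitution set and digit
    suffix: 3 * 6 * 111 = 1998 rules. Each one is a single cheap string
    operation on the GPU, so the whole set costs about as much as trying
    two thousand extra dictionary words."""
    cases = [":", "c", "u"]
    leets = [":", "sa@", "so0", "se3", "sa@ so0", "sa@ so0 se3 ss$"]
    digits = "0123456789"
    suffixes = ([":"] + [f"${d}" for d in digits]
                + [f"${a} ${b}" for a in digits for b in digits])
    return [" ".join((c, l, s)) for c in cases for l in leets for s in suffixes]


def candidate_count(wordlist=WORDLIST, rules=None) -> int:
    """Size of the search space the rule attack actually covers."""
    rules = build_ruleset() if rules is None else rules
    return len(wordlist) * len(rules)


def find_rule(target: str, wordlist=WORDLIST, rules=None):
    """Return the first (word, rule) pair whose output equals target, or
    None if the target is outside this wordlist x ruleset space."""
    rules = build_ruleset() if rules is None else rules
    for word, rule in itertools.product(wordlist, rules):
        if apply_rule(word, rule) == target:
            return word, rule
    return None


if __name__ == "__main__":
    print("candidates:", candidate_count())
    for target in ("P@ssw0rd99", "Dragon1", "xK9#qL2$wP"):
        print(f"{target:12} <- {find_rule(target)}")
```

Only the candidates that survive the whole wordlist times the whole rule set cost the attacker a real brute-force search; "P@ssw0rd99" is reached from "password" by one rule, and the random "xK9#qL2$wP" is the only one of the three that this attack never produces. That is the difference the comment describes between "a few minutes" and an actual long random password.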

  6. The whole premise is wrong wrong. Teach users what by Cafe+Alpha · · Score: 4, Insightful

    entropy is, and how to measure it. Then we will solve the problem. Oh my God there is nothing worse than what passes for good passwords. People are good at remembering sentences and those have lots of entropy. People are terrible at remembering what we call passwords and those have very little.

    We're just doing this wrong from beginning to end.

  7. Weak Web Sites by Greyfox · · Score: 2

    Most of those web sites are not ones I'm likely to return to anyway. Like a corporate web site for some company I clicked on a job posting for. And now it's asking me to create an account with my E-Mail address and a password. The only information in the account that the password is protecting is an E-Mail address, and I'm not likely to ever return to that site. At this point I'm already pretty sure I don't want to work for that company. If they bitch at me about the strength of the password I chose, that's really just going to make up my mind for me at that point. If I ever DO return to the site, I'm not even likely to remember that I ever created an account there, much less what the password was, so I'm just going to have to click on the "forgot password" link, anyway. I've had sites like this send me the original password in plain text, too.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Weak Web Sites by gewalker · · Score: 2

      Any company or website that can recover your password in plain text is clearly run by idiots with respect to security. Consider it a blessing that they chose to reveal that to you clearly so that you can avoid them.

  8. We should launch a massive research effort by tlambert · · Score: 5, Funny

    We should launch a massive research effort, figure out the strongest possible password, and make everyone use that.

  9. Helpful websites will provide by mpercy · · Score: 2

    A reminder about their password requirements.

    I cannot begin to count the number of times I've had to hit "Forgot my password" simply because they do not remind me up front that my password must have a special character in it. For websites that do not have my personal information and especially not financial (blog sites, sport sites) I tend to use a common password so I don't have to remember different passwords. Again, completely different from any important password and used only for essentially throwaway sites.

    But some sites require at least one digit, others at least one capital letter (or at least one lowercase), others at least one special character, others some combination.

    The throwaway password usually meets these by virtue of the way it is constructed, but not always. Sometimes it has to be doubled to meet a length requirement, for example. But while they tell you this when you create the password, they never seem to remind you when you later have to enter your password.

  10. There is also a problem with password length limit by Tyrannosaur · · Score: 5, Insightful

    There are also often (not told to the user!) length limits on passwords

    I like making my passwords a sentence. Whether it is more secure or not, it is easier for me to remember and I like to pretend I believe it is super secure.

    However, I have had several places where I make a user, make a password (which it thinks is super strong because it is like 50 characters), copy-paste it somewhere, and it says I have a user. I then try to login using the copy-pasted password, and it tells me I have a bad password. Going through the password-reset process, it invariably works if I reset it to a much shorter password.

    This is a bug that really annoys me, especially with xkcd encouraging people who might not know about this popular bug to make long passwords.
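The bug described in the comment above has a simple mechanical cause: one code path clips the password to a column width or form maxlength the user is never told about, and the other path does not. The following is an added example, not code from any of the sites the poster ran into: a user store that truncates on registration but hashes the full input on login, next to one that stores a fixed-size salt and digest so the column width never depends on password length, and rejects absurdly long input with an error instead of clipping it. COLUMN_MAX and SANE_MAX are constructed limits; the PBKDF2 iteration count is chosen to keep the example fast, not as a production recommendation.

```python
import hashlib
import hmac
import os

COLUMN_MAX = 20    # constructed: a VARCHAR(20)-sized field that clips silently
SANE_MAX = 1024    # constructed: reject beyond this to bound hashing cost, never clip


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; output is always 32 bytes whatever the input length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class BuggyUserStore:
    """Registration clips the password to the column width; login hashes
    what the user actually typed. A 50-character passphrase registers
    without complaint and then never logs in, while a 'reset' to a short
    password works because it fits under the clip."""

    def __init__(self):
        self.rows = {}   # user -> (salt, digest)

    def register(self, user: str, password: str) -> None:
        clipped = password[:COLUMN_MAX]          # the silent truncation
        salt = os.urandom(16)
        self.rows[user] = (salt, _digest(clipped, salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.rows[user]
        return hmac.compare_digest(stored, _digest(password, salt))


class FixedUserStore(BuggyUserStore):
    """Same schema concern handled properly: the row holds a 16-byte salt
    and a 32-byte digest regardless of password length, so there is no
    width to clip to. Input beyond SANE_MAX is refused loudly so the user
    learns the limit at registration, not at the next login."""

    def register(self, user: str, password: str) -> None:
        if len(password.encode("utf-8")) > SANE_MAX:
            raise ValueError(f"password longer than {SANE_MAX} bytes")
        salt = os.urandom(16)
        self.rows[user] = (salt, _digest(password, salt))


# Constructed passphrase, well over COLUMN_MAX.
PASSPHRASE = "the quick brown fox jumps over the lazy dog at dawn"


def demo():
    """Register the passphrase in both stores and report what logs in."""
    buggy, fixed = BuggyUserStore(), FixedUserStore()
    buggy.register("alice", PASSPHRASE)
    fixed.register("alice", PASSPHRASE)
    return {
        "buggy_full_passphrase": buggy.login("alice", PASSPHRASE),
        "buggy_clipped_passphrase": buggy.login("alice", PASSPHRASE[:COLUMN_MAX]),
        "fixed_full_passphrase": fixed.login("alice", PASSPHRASE),
        "fixed_clipped_passphrase": fixed.login("alice", PASSPHRASE[:COLUMN_MAX]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} login={'ok' if ok else 'rejected'}")
```

The buggy store accepts the first 20 characters of the passphrase as the password, which is exactly why the poster's reset to a shorter password "invariably works". The check a practitioner wants on a form like this is to register a deliberately long password and confirm that the same string, pasted unchanged, logs in; if it does not, the site is clipping somewhere between the form and the hash.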