Many Password Strength Meters Are Downright Weak, Researchers Say

alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results. Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).

Still waiting for a "hackability meter"

[jeffmeden]

The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughters name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

Users are *bad* at choosing passwords

[MetricT]

I run a GPU cracker on my user's password hashes to preemptively weed out weak passwords. Several times I have seen them try to change it from (for example) "password" to P@ssw0rd99", which in a certain sense is significantly more complex, but OCLHashCat has rules for capitalization, leet-speak, appending/prepending numbers. You've only changed the time it takes to crack that hash from fractions of a second to a few minutes.

The only highly secure password requires long, random characters. Given a choice, users will always prefer an easy-to-remember password because it makes their life easier. Unfortunately, it also makes the bad guy's life easier, and the sysadmin's life harder.

Websites should be required to disclose the hash format they are storing user's passwords in, to hopefully prevent another Linkedin plain-md5 type debacle.

We should launch a massive research effort

[tlambert]

We should launch a massive research effort, figure out the strongest possible password, and make everyone use that.

There is also a problem with password length limit

[Tyrannosaur]

There are also often (not told to the user!) length limits on passwords

I like making my passwords a sentence. Whether it is more secure or not, it is easier for me to remember and I like to pretend I believe it is super secure.

However, I have had several places where I make a user, make a password (which it thinks is super strong because it is like 50 characters), copy-paste it somewhere, and it says I have a user. I then try to login using the copy-pasted password, and it tells me I have a bad password. going through the password-reset process, it invariably works if I reset it to a much shorter password.

This is a bug that really annoys me, especially with xkcd encouraging people who might not know about this popular bug to make long passwords.