Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)
An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
At first I was all like, so the security expert can tell me that some of these password meters rate things like "p@ssword" as secure when they're obviously not, but they're not /quite/ expert enough to come up with a better tool that can more accurately gauge password strength?!@
Then I read the article; lo and behold, the author actually points out an open source tool called zxcvbn by Dropbox that is actually good at it (or at least, doesn't suck on the harsh battery of tests that these products were subjected to (basically just running five passwords through six different meters)).
tldr: use zxcvbn
It depends on what you call technically strong. As https://www.xkcd.com/936/ indicates, it is not intuitively clear which passwords are strong. Humans have a terrible instinct when it comes to entropy in data and therefore need to be guided in choosing a password. This often results in a check for length (which is a good thing), but also requirements for capitals, numbers and special characters (which are often used poorly). The result is that people will use passwords like Welcome0! which can be figured out by many people simultaneously and therefore is a weak password.
The 'technical' strength of a password is connected to its entropy. Using a password that satisfies some byzantine requirement, but does not contain enough entropy, is also weak in the technical sense. "Correct horse battery staple"-like passwords are strong, "Correct horse battery staple" itself is incredibly weak, thanks to Mr. Munroe.
Knowledge is power. Knowledge shared is power lost.
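The two comments above (the one recommending zxcvbn and the one about entropy versus byzantine complexity rules) describe the same failure: a meter that scores character classes cannot see that "Welcome0!" or "correct horse battery staple" is a dictionary hit. The following is an added example, not code from the article, from Dropbox's zxcvbn, or from any commenter. It puts a naive character-class meter beside a meter that first asks how an attacker would actually guess the password (common-password list, then dictionary phrase, then brute force). The blocklist, word list, list sizes and score thresholds are constructed or assumed stand-ins for real data; the 2048-word figure is the one xkcd 936 uses.

```javascript
// Added example; not the article's, zxcvbn's, or any commenter's code.
// Blocklist, dictionary, list sizes and thresholds are constructed/assumed.

// Constructed stand-in for a "10,000 most common passwords" list (lowercase).
const COMMON_PASSWORDS = new Set([
  "password", "p@ssword", "123456", "qwerty", "welcome0!", "letmein",
  "correcthorsebatterystaple", // famous enough to be on every cracking list
]);
const ASSUMED_COMMON_LIST_SIZE = 10000; // assumed size of the real list

// Constructed stand-in for a word list; a real one has thousands of entries.
const DICTIONARY = new Set(["correct", "horse", "battery", "staple", "welcome", "password"]);
const ASSUMED_DICTIONARY_SIZE = 2048;   // xkcd 936's figure: 11 bits per word

// Naive meter: counts length and character classes only; returns 0..4.
function naiveScore(pw) {
  let score = 0;
  if (pw.length >= 8) score++;
  if (/[a-z]/.test(pw) && /[A-Z]/.test(pw)) score++;
  if (/[0-9]/.test(pw)) score++;
  if (/[^A-Za-z0-9]/.test(pw)) score++;
  return score;
}

// Undo common substitutions and case so "P@ssw0rd" matches "password".
function normalize(pw) {
  return pw.toLowerCase()
    .replace(/@/g, "a").replace(/\$/g, "s").replace(/0/g, "o")
    .replace(/1/g, "l").replace(/3/g, "e").replace(/[^a-z]/g, "");
}

// Split s into the fewest dictionary words, or return null if impossible.
function segmentIntoWords(s) {
  if (!s) return null;
  const best = new Array(s.length + 1).fill(null);
  best[0] = [];
  for (let i = 1; i <= s.length; i++) {
    for (let j = 0; j < i; j++) {
      const piece = s.slice(j, i);
      if (best[j] !== null && DICTIONARY.has(piece) &&
          (best[i] === null || best[j].length + 1 < best[i].length)) {
        best[i] = [...best[j], piece];
      }
    }
  }
  return best[s.length];
}

// Alphabet size an attacker would brute-force over for this password.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^A-Za-z0-9]/.test(pw)) n += 33;
  return n;
}

// Estimate log2(guesses) using the cheapest attack model that applies.
function estimateGuessBits(pw) {
  if (pw.length === 0) return { bits: 0, model: "empty" };
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[^a-z0-9]/g, "");
  const deleet = normalize(pw);
  if ([lower, stripped, deleet].some((c) => COMMON_PASSWORDS.has(c))) {
    return { bits: Math.log2(ASSUMED_COMMON_LIST_SIZE), model: "common-password list" };
  }
  const words = segmentIntoWords(deleet);
  if (words) {
    return { bits: words.length * Math.log2(ASSUMED_DICTIONARY_SIZE), model: "dictionary phrase" };
  }
  return { bits: pw.length * Math.log2(charsetSize(pw)), model: "brute force" };
}

// Map guess bits to a 0..4 score; the thresholds are assumed, not from the article.
function guessAwareScore(pw) {
  const { bits } = estimateGuessBits(pw);
  if (bits < 20) return 0;
  if (bits < 32) return 1;
  if (bits < 44) return 2;
  if (bits < 60) return 3;
  return 4;
}

for (const pw of ["Welcome0!", "p@ssword", "correct horse battery staple",
                  "staple battery horse correct", "xK9#mQ2$vL"]) {
  const { bits, model } = estimateGuessBits(pw);
  console.log(`${pw.padEnd(30)} naive=${naiveScore(pw)} guess-aware=${guessAwareScore(pw)}` +
              ` (${bits.toFixed(1)} bits, ${model})`);
}
```

The naive meter gives "Welcome0!" a perfect 4 because it has length, both cases, a digit and a symbol; the guess-aware meter gives it 0 because it is on the blocklist, which is exactly the article's complaint. The same four words in an order that is not on any list ("staple battery horse correct") are credited only with 4 words times 11 bits, not with 28 characters of brute force, so the meter cannot be gamed by length alone. A real deployment would replace the two tiny constructed lists with the full ones zxcvbn ships.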