Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)
An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
https://xkcd.com/936/
What's worse are the "hint" questions, like "What elementary school did you go to?" or "What city did you live in when you were 10?"
The answers can often be uncovered with a little detective work.
So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".
No amount of detective work is going to "uncover" that.
Just cruising through this digital world at 33 1/3 rpm...
It's not the password strength meters that bother me. I generally just ignore those. What drives me utterly insane are the restrictions on my password. And these are far too common. The two biggies are:
1) Restricting what characters I may use in my password (no / or % or & or whatever) == Oh hai, we're not bothering to sanitize my inputs. We are a bunch of morons and you shouldn't use our site or service.
2) Restrictions on the maximum length of my password. == Oh hai, we're not bothering to hash your password but are, instead, just storing it in a fixed-length field somewhere. We're a bunch of morons and you shouldn't use our site or service.
What really Really REALLY drives me up the wall is that these sorts of restrictions seem to most often be present in places where security is most important and where I don't have the *choice* not to use their service. (My current employer's medical and 401k providers, for example.)
Imagine all the people...
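The comment above argues that a maximum-length rule or a banned-character list betrays a site that stores the password rather than hashing it. The following is an added example, not the commenter's or the article's code, showing what a proper store looks like with only the Python standard library: PBKDF2-HMAC-SHA256 with a random salt (the iteration count, salt and key sizes are parameters assumed for this example). Whatever the input's length or character set, the record written to the database is the same size, and the password bytes are only ever fed to the KDF, never interpolated into a query or a page, so neither restriction has a storage justification.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example (PBKDF2-HMAC-SHA256, 600k iterations,
# 16-byte salt, 32-byte derived key); tune the iteration count to your hardware.
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32
RECORD_LEN = SALT_LEN + KEY_LEN


def _derive(password, salt):
    # Any Unicode string, of any length, becomes a fixed KEY_LEN-byte key.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_LEN)


def store_password(password):
    """Return the fixed-size record (salt || key) to keep in the database."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password, record):
    """Recompute the key from the stored salt and compare in constant time."""
    salt, key = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), key)


if __name__ == "__main__":
    # Constructed inputs: short, very long with shell and SQL metacharacters,
    # and non-ASCII. All three produce a RECORD_LEN-byte record.
    for pw in ("abc", "x" * 500 + "/%&'\";<>", "pässwörd"):
        rec = store_password(pw)
        print(len(rec), verify_password(pw, rec))
```

One caveat a practitioner should know: bcrypt silently uses only the first 72 bytes of its input, so a site built on bcrypt does have a real reason to cap length there; PBKDF2, scrypt and Argon2 have no such limit, and even with bcrypt the cap should be documented rather than presented as a mystery rule.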
The problem is one of usability.
Imagine a good password checker, which actually does some proper calculation of entropy.
User types in password "Password1".
Checker reports "password not strong enough".
The user says "Welll... it contains 8 chars, a capital and a number, that's usually enough" and tries "Password_1".
Checker reports "password not strong enough".
"Uhm... what more do I need to do?" the user thinks, "It doesn't tell me what's missing" and tries "ThisIsMyPassword_1!"
Checker reports "password not strong enough".
User gives up and signs up for a competitor's service.
The problem isn't that improving password checkers is hard (it's not); the problem is that it's nearly impossible to give the user feedback that actually helps them.
I made a password generator which tries to do some sort of entropy calculation: http://random.toyls.com/.
When I tried to implement the same calculation for a password checker on a website, I ran into exactly this kind of usability problem.
Explaining that you need 8 characters, at least 1 capital and 1 digit is easy. Explaining a more involved algorithm is not.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
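The article's complaint is that meters score character mix and miss passwords that are guessable outright, and the comment above adds that a better checker is useless if it cannot tell the user what is wrong. The following is an added example, written for this page and not code from Stockley, the commenter, or any of the meters tested, of a checker that does both: it undoes the tricks a cracking rule set undoes (case, leet substitutions, digits and symbols tacked on the ends), looks the result up in a common-password list, and returns a specific reason for each failure instead of a score. The list here is a constructed excerpt standing in for the 10,000-entry list the article mentions, the sequence fragments are a constructed sample, and the 12-character minimum is an assumed policy. Because a browser-side meter can be skipped, the same check belongs on the server as well.

```python
import re

# Constructed excerpt of a "most common passwords" list. It stands in for the
# 10,000-entry list the article refers to; a real checker loads the full file.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "monkey", "dragon", "baseball", "football", "trustno1",
    "welcome", "sunshine", "princess", "shadow", "master", "abc123",
}

# Letter-for-symbol substitutions that cracking rule sets undo and that a
# complexity-only meter rewards.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Fragments of keyboard walks and counting runs (constructed, not exhaustive).
SEQUENCES = ("1234", "2345", "3456", "4567", "5678", "6789", "abcd", "bcde",
             "cdef", "qwer", "wert", "erty", "asdf", "sdfg", "zxcv")

MIN_LENGTH = 12  # assumed policy for this example


def strip_affixes(s):
    """Drop leading and trailing non-letters: 'password_1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_forms(pw):
    """Forms of pw that a guessing tool would also try, most literal first."""
    lower = pw.lower()
    core = strip_affixes(lower)
    forms = [lower, lower.translate(LEET), core, core.translate(LEET),
             strip_affixes(lower.translate(LEET))]
    seen, out = set(), []
    for f in forms:
        if f and f not in seen:
            seen.add(f)
            out.append(f)
    return out


def check_password(pw):
    """Return a list of specific reasons pw is weak; an empty list means it passed.

    Unlike a complexity score, each entry tells the user what to change.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} characters, {MIN_LENGTH} or more needed")

    forms = candidate_forms(pw)
    hit = next((f for f in forms if f in COMMON_PASSWORDS), None)
    if hit == pw.lower():
        problems.append(f"'{pw}' is on the common-password list")
    elif hit is not None:
        problems.append(f"'{pw}' is the common password '{hit}' with capitals, "
                        "digits or symbols added; guessing tools try those automatically")
    else:
        # Heuristic: a common password buried inside a longer phrase.
        embedded = next((c for c in sorted(COMMON_PASSWORDS, key=len, reverse=True)
                         if len(c) >= 6 and any(c in f for f in forms)), None)
        if embedded:
            problems.append(f"built around the common password '{embedded}'; "
                            "pick words that are not in a password list")

    if re.search(r"(.)\1\1", pw):
        problems.append("repeats the same character three or more times in a row")
    seq = next((s for s in SEQUENCES if s in pw.lower()), None)
    if seq:
        problems.append(f"contains the keyboard or counting sequence '{seq}'")
    return problems


if __name__ == "__main__":
    # The commenter's three attempts, plus the random string from the hint
    # discussion above (constructed test inputs).
    for pw in ("Password1", "Password_1", "ThisIsMyPassword_1!", "Jm36*gdt22(ILD$"):
        print(repr(pw), check_password(pw) or ["ok"])
```

Run as a script, the first three attempts each come back with a reason naming "password" as the problem (the third is flagged as built around it even though it is 19 characters with a capital, a digit and a symbol), while the random string passes with no complaints. The feedback is what turns the third attempt from "not strong enough" into an instruction the user can act on.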