Slashdot Mirror


Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)

An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.

1 of 148 comments

  1. Length damn it! by raymorris · Score: 5, Interesting

    I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web sites. I analyzed millions of brute force and dictionary attempts, as well as the offline tools.

    In my professional opinion, where strength meters and password policies most often fail is that they greatly underestimate the importance of length. I recently encountered a site which required:
    8-12 characters
    Must include upper and lower case
    Must include digits
    Must include punctuation

    Well we've all been taught since 1st grade or so that punctuation goes at the end of a sentence, and the first letter is capitalized, so most passwords on the system are of the form:
    Capital lower lower lower lower lower lower digit punctuation.

    Since the whole password is 8-12 characters, to get the digit and punctuation at the end you need a word that is 6-10 letters. Passwords are pretty predictable on that system. According to their policies, these are good passwords:
    Password1!
    Passw0rd!

    But this is a horrible password that anybody can guess:
    YRNKBV JSYZCXPRM ZOXADEKO JARQYTLY
    OFOFBQ VKGDOSUE XFEUJQOHG TZBVHQIA WSBQHKVD SPIODPL

    Allow and encourage long pass phrases. (Also encourage the term "pass phrase", not "password".) Making your pass phrase a tiny bit longer adds much more security than switching the number 0 for the letter O.

    Ever heard of 2048 bit security? Or 1024 bit keys? That's how security professionals talk about strength - X number of bits. Those numbers refer to the LENGTH of the keys (passwords). That's what's most important above all.

    See also:
    http://imgs.xkcd.com/comics/pa...
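Both points, the summary's (meters reward character classes but never ask whether the string is a known-bad password) and raymorris's (length is what counts), side by side in an added Python example that is not part of the article or the comment. The common-password set is a small constructed stand-in for the 10,000-entry list the article mentions, and the bit estimate assumes randomly chosen characters, as in the random pass phrase above.

```python
import math
import re
import string

# Constructed stand-in for the "10,000 most common passwords" list the article
# refers to. A real deployment loads the full list (and ideally a breach corpus).
COMMON_PASSWORDS = {"password", "password1", "passw0rd", "qwerty", "123456",
                    "letmein", "welcome", "monkey", "dragon", "iloveyou"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Leet substitutions that complexity meters reward but guessers undo for free.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def complexity_meter(pw: str) -> int:
    """Scores the way the criticised meters do: one point per character class
    present, plus one for length >= 8. Maximum 5."""
    return sum(any(c in cls for c in pw) for cls in CLASSES) + (len(pw) >= 8)


def normalize(pw: str) -> str:
    """Undo the predictable 'Capital word digit punctuation' decoration and
    leet substitutions so 'Passw0rd!' is compared as 'password'."""
    core = re.sub(r"[\d\W_]+$", "", pw)  # drop trailing digits/punctuation
    return core.lower().translate(LEET)


def estimated_bits(pw: str) -> float:
    """Guessability estimate in bits. Anything reducible to a common password
    is 0 bits; otherwise length * log2(alphabet size). The per-character
    estimate assumes characters were chosen at random; a phrase built from
    dictionary words should be scored per word instead."""
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        return 0.0
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    alphabet += 1 if " " in pw else 0
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def rate(pw: str) -> dict:
    """Both verdicts side by side for one candidate password."""
    return {"complexity_score": complexity_meter(pw),
            "estimated_bits": round(estimated_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("Password1!", "Passw0rd!", "YRNKBV JSYZCXPRM ZOXADEKO JARQYTLY"):
        print(f"{candidate!r:40} {rate(candidate)}")
```

The complexity meter gives "Password1!" a perfect 5 and the 34-character random pass phrase only 2, while the common-list check scores the former at 0 bits and the phrase above 150.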