Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)

Posted by msmash on from the security-blues dept.

An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.

7 of 148 comments (clear)

  1. Except for the one that doesn't by trawg · · Score: 4, Informative

    At first I was all like, so the security expert can tell me that some of these password meters rate things like "p@ssword" as secure when they're obviously not, but they're not /quite/ expert enough to come up with a better tool that can more accurately gauge password strength?!@

    Then I read the article; lo and behold, the author actually points out an open source tool called zxcvbn by Dropbox that is actually good at it (or at least, doesn't suck on the harsh battery of tests that these products were subject to (basically just running five passwords through six different meters).

    tldr: use zxcvbn

  2. Length damn it! by raymorris · · Score: 5, Interesting

    I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web sites. I analyzed millions of brute force and dictionary attempts, as well as the offline tools.

    In my professional opinion, where strength meters and password policies most often fail is that they greatly underestimate the importance of length. I recently encountered a site which required:
    8-12 characters
    Must include upper and lower case
    Must include digits
    Must include punctuation

    Well we've all been taught since 1st grade or so that punctuation goes at the end of a sentence, and the first letter is capitalized, so most passwords on the system are of the form:
    Capital lower lower lower lower lower lower digit punctuation.

    Since the whole password is 8-12 characters, to get the digit and punctuation at the end you need a word that is 6-10 letters. Passwords are pretty predictable on that system. According to their policies, these are a good passwords:
    Password1!
    Passw0rd!

    But this is a horrible password, that anybody can guess:
    YRNKBV JSYZCXPRM ZOXADEKO JARQYTLY
    OFOFBQ VKGDOSUE XFEUJQOHG TZBVHQIA WSBQHKVD SPIODPL

    Allow and encourage long pass phrases. (Also encourage the term "pass phrase", not "password".) Making your pass phrase a tiny bit longer adds much more security than switching the number 0 for the letter O.

    Ever heard of 2048 bit security? Or 1024 bit keys? That's how security professionals talk about strength - X number of bits. Those numbers refer to the LENGTH of the keys (passwords). That's what's most important above all.

    See also:
    http://imgs.xkcd.com/comics/pa...

    1. Re:Length damn it! by JustAnotherOldGuy · · Score: 3, Insightful

      What's worse are the "hint" questions, like "What elementary school did you go to?" or "What city did you live in when you were 10?"

      The answers can often be uncovered with a little detective work.

      So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".

      No amount of detective work is going to "uncover" that.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  3. Re:well... by Daimanta · · Score: 5, Informative

    It depends on what you call technically strong. As https://www.xkcd.com/936/ indicates, it is not intuitively clear which passwords are strong. Humans have a terrible instinct when it comes to entropy in data and therefore need to be guided in choosing a password. This often results in a check for length(which is a good thing), but also requirements for capitals, numbers and special characters(which is often used poorly). The result is that people will use passwords like Welcome0! which can be figured out by many people simultaneously and therefore is a weak password.

    The 'technical' strength of a password is connected to its entropy. Using a password that satisfies some byzantine requirement, but contains not enough entropy is also weak in the technical sense. "Correct horse battery staple"-like passwords are strong, "Correct horse battery staple" itself is incredibly weak, thanks to mr. Monroe.

    --
    Knowledge is power. Knowledge shared is power lost.
  4. My code is called by s.petry · · Score: 3, Funny

    populate_mah_rainbow_tables.js

    Humor aside, people should never, ever, ever never type their real password into a site "checking strength". My humor has a whole lot of reality involved.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  5. What drives me insane: by SvnLyrBrto · · Score: 5, Insightful

    It's not the password strength meters that bother me. I generally just ignore those. What drives me utterly insane are the restrictions on my password. And these are far too common. The two biggies are:

    1) Restricting what characters I may use in my password (no / or % or & or whatever) == Oh hai, We're not bothering to sanitize my inputs. We are a bunch of morons and you shouldn't use our site or service.

    2) Restrictions on the maximum length of my password. == Oh hai, we're not bothering to hash your password but are, instead, just storing it in a fixed-length field somewhere. We're a bunch of morons and you shouldn't use our site or service.

    What really Really REALLY drives me up the wall is that these sorts of restrictions seem to most often be present in places where security is most important and where I don't have the *choice* not to use their service. (My current employer's medical and 401k providers, for example.)

    --
    Imagine all the people...
  6. Re:well... by mwvdlee · · Score: 3, Insightful

    The problem is one of usability.

    Imagine a good password checker, which can actually does do some proper calculation of entropy.

    User types in password "Password1".
    Checker reports "password not strong enough".
    The user says "Welll... it contains 8 chars, a capital and a number, that's usually enough" and tries "Password_1".
    Checker reports "password not strong enough".
    "Uhm... what more do I need to do?" the user thinks, "It doesn't tell me what's missing" and tries "ThisIsMyPassword_1!"
    Checker reports "password not strong enough".
    User gives up and signs up for a competitor's service.

    The problem isn't that improving password checkers is hard (it's not), the problem it's nearly impossible to giving the user feedback that actually helps them.

    I made a password generator which tries to do some sort of entropy calculation: http://random.toyls.com/.
    When I tried to implement the same calculation for a password checker on a website, I ran into exactly these kind of usability problems.
    Explaining you need 8 characters, atleast 1 capital and 1 digit is easy. Explaining a more involved algorithm is not.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?