Passwords are the first line of defense for safeguarding data stored in online accounts, although there have been many proposals for replacements: just consider the presence of biometrics on smartphones. Now, every high-end smartphone includes some sort of biometric identification feature, whether that’s an iris or fingerprint scanner or the new facial recognition system called Face ID by Apple.
It seems like more than half a century of password use in computing wasn’t enough for scientists and security experts to figure out how people create their passwords. Although the rapid adoption of online services has also brought numerous changes to password security, user patterns don’t seem to change with them. Internet users continue to use weak passwords – as demonstrated in the list of the worst passwords – with most users refusing to consider the issue even after a series of massive breaches.
To address this growing problem of easy-to-guess passwords, system administrators and service providers (including tech giants such as Google and Apple) have adopted a variety of approaches. Password policies were changed, and many popular websites encourage users to create stronger passwords by employing password meters.
A password meter checks the strength of the password the user has entered and is usually presented as a colored bar: a short red bar indicates a weak password, a long green bar a strong one. The visual cue is underpinned by a single-word rating: weak, medium, normal, fair, strong, or the like.
The Fundamental Problem of Password Strength Meters
Researchers at Microsoft have found that the use of password strength meters has had a positive impact on password security because those “who saw a meter tended to choose stronger passwords than those who didn’t”. But password checkers seem to suffer from a fundamental problem: they are generally inconsistent, as reported by multiple researchers studying the nature of these utilities.
After evaluating the password checker of 11 prominent service providers – Apple, Dropbox, Drupal, eBay, FedEx, Google, Microsoft, PayPal, Skype, Twitter, and Yahoo! – researchers at the Concordia University of Montreal have concluded that “it is evident that the commonly used meters are highly inconsistent, fail to provide coherent feedback on user choices, and sometimes provide strength measurements that are blatantly misleading”.
During password creation these meters instantly evaluate the password based on the following aspects:
- Character set and length requirements
- Strength scales and labels
- User information
- Types (client-side or server-side)
- Entropy estimates and blacklists
The problem these meters share is that they focus on measuring entropy. Measuring the entropy of a user-chosen password is problematic, especially with a rule-based metric, the researchers say, so better password checkers are needed but have yet to be properly implemented. A further issue is that a password a rule-based meter scores as high-entropy is supposed to be hard to guess, yet it can still be an easy target for password-cracking tools. In the end, these meters create a false sense of safety.
Considering the widespread use of password strength meters, web consultant Mark Stockley put to the test five of the “most popular” checkers using a jQuery plugin. In this test, he used five of the most common passwords: abc123, trustno1, ncc1701, iloveyou!, and primetime21. These passwords would get cracked in less than a second so their use is not recommended at all, but he was curious to find out whether these insecure passwords would be approved by the various strength meters.
Unfortunately, all the password checkers failed and, more importantly, were inconsistent: the same insecure password was deemed weak by one but good by another. In our non-scientific test Google accepted every one of the insecure passwords, while Dropbox, Apple and eBay raised the red flag and marked ‘abc123’ as weak; interestingly, eBay accepted ‘primetime21’.
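To make the inconsistency described above concrete, here is an added example (not code from this article, from Mark Stockley's jQuery test, or from any of the meters it names) that rates the five test passwords with two methods side by side: the rule-based entropy formula most meters use (length times log2 of the character set), and a guess-count estimate that assumes the attacker walks a ranked list of common passwords first, then tries common entries with a short digit or symbol suffix, and only then brute-forces. The `COMMON` list, the label thresholds and the suffix rule are constructed for the example; a production meter would load a list with tens of thousands of entries from public breach corpora.

```python
import math
import re
import string

# Constructed ranked list of common passwords and words, most common first
# (assumption: a real meter loads a far larger list). The rank doubles as the
# number of guesses a cracker needs when it walks the list from the top.
COMMON = [
    "123456", "password", "qwerty", "abc123", "iloveyou", "trustno1",
    "letmein", "monkey", "dragon", "ncc1701", "primetime", "baseball",
]
RANK = {word: i + 1 for i, word in enumerate(COMMON)}


def label(bits: float) -> str:
    """One label scale for both meters so the disagreement is visible."""
    if bits < 28:
        return "weak"
    if bits < 36:
        return "fair"
    if bits < 60:
        return "good"
    return "strong"


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def rule_based_bits(password: str) -> float:
    """The usual meter formula: length * log2(charset). It silently assumes
    every character was chosen uniformly at random, which user-chosen
    passwords never are."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


# Splits "primetime21" into base "primetime" and suffix "21" (up to four
# trailing digits/symbols); the non-greedy group keeps the base as short as
# the suffix rule allows.
SUFFIX = re.compile(r"(.*?)([0-9" + re.escape(string.punctuation) + r"]{0,4})")


def guess_based_bits(password: str) -> float:
    """log2 of the guesses a cracker needs under the constructed strategy:
    common list first, then common entries plus a short suffix, then brute
    force over the character set."""
    lowered = password.lower()
    if lowered in RANK:
        guesses = RANK[lowered]
    else:
        base, suffix = SUFFIX.fullmatch(lowered).groups()
        if base in RANK:
            # each trailing character: 10 digits or one of the punctuation marks
            guesses = RANK[base] * (10 + len(string.punctuation)) ** len(suffix)
        else:
            guesses = charset_size(password) ** len(password)
    return math.log2(guesses) if guesses > 0 else 0.0


def rate(password: str) -> dict:
    """Return both verdicts for one password."""
    return {
        "rule_based": label(rule_based_bits(password)),
        "guess_based": label(guess_based_bits(password)),
    }


if __name__ == "__main__":
    # The five passwords from the test in the article, plus one random string
    # (constructed) for contrast.
    for pw in ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21", "Xq7#mLp2$vR9"]:
        print(f"{pw:<14} {rate(pw)}")
```

Run as a script, the rule-based column rates four of the five test passwords "good" and ‘abc123’ "fair", because the formula only sees length and character classes; the guess-based column rates all five "weak", because each is either on the list or a listed word plus a couple of trailing characters. Only the random string scores "strong" under both, which is the gap between what a meter measures and what a cracker does.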
How to Protect Your Passwords
This raises concerns regarding whether the average user should trust any of these strength meters implemented on a website. Our recommendation is to either use one of our recipes to come up with a strong password (and, of course, remember it) or use a password manager. The latter streamlines the password generation and recall process and automatically provides cryptographically secure passwords.
In case you are trying to figure out whether your older passwords are secure enough, the easiest way is to import them into your preferred password manager, which will then take care of the rest. The app will notify you if a password is weak, and if so you can use the built-in password generator to replace it with a secure one.
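What "cryptographically secure" means for a built-in generator, as an added example (not code from any password manager named on this page): every character is drawn from the operating system's CSPRNG through Python's `secrets` module rather than the seeded `random` module, and because the characters really are uniform and independent, the length-times-log2(alphabet) formula that misleads meters on user-chosen passwords is exact here. The alphabet and default length are assumptions for the example.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and a fixed set of 13 symbols (75 symbols
# in total). Real password managers let the user choose alphabet and length.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """Draw each character independently with secrets.choice, which uses the
    OS CSPRNG; random.choice would be predictable from its seed."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Exact for generated passwords, an overestimate for user-chosen ones."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```

A 20-character password over this alphabet carries about 124.6 bits, well beyond anything a dictionary-plus-suffix strategy can reach, which is why a manager's generator makes the strength meter question moot.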
For other internet users looking to check their password security, there are a handful of utilities they can use. Our recommendation is to use only legitimate sites such as LastPass’s or Random-Ize’s password checker. On other sites, avoid pasting your real password into the checker field, especially the password to an online bank account, because it might end up stored in a password database on the ‘dark web’. The consequences are clear: alarming headlines about emptied bank accounts appear on a regular basis.